Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240215-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-04-2024 19:40

General

  • Target

    ef5a47cb377760f4f1161fcaf1f6cd6f_JaffaCakes118.exe

  • Size

    796KB

  • MD5

    ef5a47cb377760f4f1161fcaf1f6cd6f

  • SHA1

    4676cc9edb7f8a17f3929afc35df66cfd7ec5856

  • SHA256

    7cc814edd8c3dde2c4544e3834900723c97c8b5c78e9ef02c8836c5b63a8b2cc

  • SHA512

    84dadf4d80b41d3c1e2af276af3ec13762c4073c7ed2a41e4b7240c2334e064d3b715b61e06a13dc76ed738f13d775769783ad22061050bc26d08c5acf646daf

  • SSDEEP

    12288:3VmPcyDQDmkLhCBzpRrTZM6YaNPrLAtLUnhXhVWZbPWB/Su1sclKn:i0hExpRfZM6YurE+X+ZpwsclKn

Malware Config

Signatures

  • Darkcomet

    DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.

  • Modifies WinLogon for persistence 2 TTPs 64 IoCs
  • Checks BIOS information in registry 2 TTPs 64 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 64 IoCs
  • Adds Run key to start application 2 TTPs 64 IoCs
  • Drops file in System32 directory 64 IoCs
  • Suspicious use of SetThreadContext 64 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 64 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ef5a47cb377760f4f1161fcaf1f6cd6f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\ef5a47cb377760f4f1161fcaf1f6cd6f_JaffaCakes118.exe"
    1⤵
    • Drops file in System32 directory
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1888
    • C:\Users\Admin\AppData\Local\Temp\ef5a47cb377760f4f1161fcaf1f6cd6f_JaffaCakes118.exe
      "C:\Users\Admin\AppData\Local\Temp\ef5a47cb377760f4f1161fcaf1f6cd6f_JaffaCakes118.exe"
      2⤵
      • Checks BIOS information in registry
      • Loads dropped DLL
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2988
      • C:\Windows\SysWOW64\Adobe_Reader.exe
        "C:\Windows\system32\Adobe_Reader.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2588
        • C:\Windows\SysWOW64\Adobe_Reader.exe
          "C:\Windows\SysWOW64\Adobe_Reader.exe"
          4⤵
          • Checks BIOS information in registry
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Drops file in System32 directory
          • Checks processor information in registry
          • Enumerates system info in registry
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:2404
          • C:\Windows\SysWOW64\Adobe_Reader.exe
            "C:\Windows\system32\Adobe_Reader.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious use of SetThreadContext
            • Suspicious use of WriteProcessMemory
            PID:2564
            • C:\Windows\SysWOW64\Adobe_Reader.exe
              "C:\Windows\SysWOW64\Adobe_Reader.exe"
              6⤵
              • Checks BIOS information in registry
              • Executes dropped EXE
              • Loads dropped DLL
              • Enumerates system info in registry
              • Suspicious use of AdjustPrivilegeToken
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\Windows\SysWOW64\Adobe_Reader.exe
                "C:\Windows\system32\Adobe_Reader.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetThreadContext
                • Suspicious use of WriteProcessMemory
                PID:2484
                • C:\Windows\SysWOW64\Adobe_Reader.exe
                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                  8⤵
                  • Checks BIOS information in registry
                  • Executes dropped EXE
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:760
                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                    "C:\Windows\system32\Adobe_Reader.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetThreadContext
                    • Suspicious use of WriteProcessMemory
                    PID:2288
                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                      10⤵
                      • Executes dropped EXE
                      • Loads dropped DLL
                      • Suspicious use of WriteProcessMemory
                      PID:2304
                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                        "C:\Windows\system32\Adobe_Reader.exe"
                        11⤵
                        • Executes dropped EXE
                        • Suspicious use of SetThreadContext
                        • Suspicious use of WriteProcessMemory
                        PID:2748
                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                          12⤵
                          • Modifies WinLogon for persistence
                          • Checks BIOS information in registry
                          • Executes dropped EXE
                          • Loads dropped DLL
                          • Adds Run key to start application
                          • Suspicious use of WriteProcessMemory
                          PID:2492
                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                            "C:\Windows\system32\Adobe_Reader.exe"
                            13⤵
                            • Executes dropped EXE
                            • Drops file in System32 directory
                            • Suspicious use of SetThreadContext
                            • Suspicious use of WriteProcessMemory
                            PID:744
                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                              14⤵
                              • Modifies WinLogon for persistence
                              • Checks BIOS information in registry
                              • Executes dropped EXE
                              • Loads dropped DLL
                              PID:896
                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                "C:\Windows\system32\Adobe_Reader.exe"
                                15⤵
                                • Executes dropped EXE
                                • Suspicious use of SetThreadContext
                                PID:2136
                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                  16⤵
                                  • Executes dropped EXE
                                  • Loads dropped DLL
                                  • Adds Run key to start application
                                  PID:2088
                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                    "C:\Windows\system32\Adobe_Reader.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetThreadContext
                                    PID:2252
                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                      18⤵
                                      • Checks BIOS information in registry
                                      • Executes dropped EXE
                                      • Loads dropped DLL
                                      • Adds Run key to start application
                                      PID:2360
                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                        "C:\Windows\system32\Adobe_Reader.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • Suspicious use of SetThreadContext
                                        PID:2864
                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                          20⤵
                                          • Modifies WinLogon for persistence
                                          • Checks BIOS information in registry
                                          • Executes dropped EXE
                                          • Loads dropped DLL
                                          • Adds Run key to start application
                                          • Drops file in System32 directory
                                          • Enumerates system info in registry
                                          PID:884
                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                            "C:\Windows\system32\Adobe_Reader.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetThreadContext
                                            PID:1524
                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                              22⤵
                                              • Modifies WinLogon for persistence
                                              • Executes dropped EXE
                                              • Loads dropped DLL
                                              • Adds Run key to start application
                                              • Drops file in System32 directory
                                              PID:3048
                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • Suspicious use of SetThreadContext
                                                PID:2504
                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                  24⤵
                                                  • Modifies WinLogon for persistence
                                                  • Executes dropped EXE
                                                  • Loads dropped DLL
                                                  PID:1980
                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • Suspicious use of SetThreadContext
                                                    PID:2580
                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                      26⤵
                                                      • Modifies WinLogon for persistence
                                                      • Checks BIOS information in registry
                                                      • Executes dropped EXE
                                                      • Loads dropped DLL
                                                      PID:1600
                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • Suspicious use of SetThreadContext
                                                        PID:1836
                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                          28⤵
                                                          • Executes dropped EXE
                                                          • Loads dropped DLL
                                                          • Adds Run key to start application
                                                          • Checks processor information in registry
                                                          PID:1580
                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • Suspicious use of SetThreadContext
                                                            PID:2148
                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                              30⤵
                                                              • Executes dropped EXE
                                                              • Loads dropped DLL
                                                              • Checks processor information in registry
                                                              PID:1544
                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • Suspicious use of SetThreadContext
                                                                PID:1444
                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                  32⤵
                                                                  • Executes dropped EXE
                                                                  • Loads dropped DLL
                                                                  • Enumerates system info in registry
                                                                  PID:2744
                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • Suspicious use of SetThreadContext
                                                                    PID:1984
                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                      34⤵
                                                                      • Modifies WinLogon for persistence
                                                                      • Executes dropped EXE
                                                                      • Loads dropped DLL
                                                                      PID:584
                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • Suspicious use of SetThreadContext
                                                                        PID:1096
                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                          36⤵
                                                                          • Modifies WinLogon for persistence
                                                                          • Executes dropped EXE
                                                                          • Loads dropped DLL
                                                                          • Checks processor information in registry
                                                                          PID:1032
                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • Suspicious use of SetThreadContext
                                                                            PID:1152
                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                              38⤵
                                                                              • Modifies WinLogon for persistence
                                                                              • Checks BIOS information in registry
                                                                              • Executes dropped EXE
                                                                              • Loads dropped DLL
                                                                              • Adds Run key to start application
                                                                              • Drops file in System32 directory
                                                                              • Enumerates system info in registry
                                                                              PID:1280
                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • Suspicious use of SetThreadContext
                                                                                PID:976
                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                  40⤵
                                                                                  • Executes dropped EXE
                                                                                  • Loads dropped DLL
                                                                                  PID:2476
                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • Suspicious use of SetThreadContext
                                                                                    PID:2836
                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                      42⤵
                                                                                      • Modifies WinLogon for persistence
                                                                                      • Executes dropped EXE
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in System32 directory
                                                                                      • Checks processor information in registry
                                                                                      • Enumerates system info in registry
                                                                                      PID:1704
                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • Suspicious use of SetThreadContext
                                                                                        PID:1252
                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                          44⤵
                                                                                          • Checks BIOS information in registry
                                                                                          • Executes dropped EXE
                                                                                          • Loads dropped DLL
                                                                                          • Enumerates system info in registry
                                                                                          PID:2204
                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • Suspicious use of SetThreadContext
                                                                                            PID:2712
                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                              46⤵
                                                                                              • Executes dropped EXE
                                                                                              • Loads dropped DLL
                                                                                              • Drops file in System32 directory
                                                                                              • Enumerates system info in registry
                                                                                              PID:2500
                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • Drops file in System32 directory
                                                                                                • Suspicious use of SetThreadContext
                                                                                                PID:2508
                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                  48⤵
                                                                                                  • Modifies WinLogon for persistence
                                                                                                  • Checks BIOS information in registry
                                                                                                  • Executes dropped EXE
                                                                                                  • Loads dropped DLL
                                                                                                  • Adds Run key to start application
                                                                                                  PID:2412
                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                    49⤵
                                                                                                    • Executes dropped EXE
                                                                                                    • Suspicious use of SetThreadContext
                                                                                                    PID:1872
                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                      50⤵
                                                                                                      • Modifies WinLogon for persistence
                                                                                                      • Executes dropped EXE
                                                                                                      • Loads dropped DLL
                                                                                                      • Enumerates system info in registry
                                                                                                      PID:352
                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                        51⤵
                                                                                                        • Executes dropped EXE
                                                                                                        • Suspicious use of SetThreadContext
                                                                                                        PID:2156
                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                          52⤵
                                                                                                          • Executes dropped EXE
                                                                                                          • Loads dropped DLL
                                                                                                          • Adds Run key to start application
                                                                                                          • Checks processor information in registry
                                                                                                          PID:2312
                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                            53⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Suspicious use of SetThreadContext
                                                                                                            PID:2632
                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                              54⤵
                                                                                                              • Executes dropped EXE
                                                                                                              • Loads dropped DLL
                                                                                                              • Enumerates system info in registry
                                                                                                              PID:2316
                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                55⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                PID:2656
                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                  56⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Adds Run key to start application
                                                                                                                  • Checks processor information in registry
                                                                                                                  • Enumerates system info in registry
                                                                                                                  PID:1400
                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                    57⤵
                                                                                                                    • Executes dropped EXE
                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                    PID:744
                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                      58⤵
                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                      • Checks BIOS information in registry
                                                                                                                      • Executes dropped EXE
                                                                                                                      • Loads dropped DLL
                                                                                                                      PID:1992
                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                        59⤵
                                                                                                                        • Executes dropped EXE
                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                        PID:2136
                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                          60⤵
                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                          • Executes dropped EXE
                                                                                                                          • Loads dropped DLL
                                                                                                                          • Adds Run key to start application
                                                                                                                          • Enumerates system info in registry
                                                                                                                          PID:1736
                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                            61⤵
                                                                                                                            • Executes dropped EXE
                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                            PID:2900
                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                              62⤵
                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                              • Executes dropped EXE
                                                                                                                              • Loads dropped DLL
                                                                                                                              • Drops file in System32 directory
                                                                                                                              PID:1912
                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                63⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                PID:2376
                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                  64⤵
                                                                                                                                  • Executes dropped EXE
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  • Adds Run key to start application
                                                                                                                                  • Drops file in System32 directory
                                                                                                                                  PID:2164
                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                    65⤵
                                                                                                                                    • Executes dropped EXE
                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                    PID:2952
                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                      66⤵
                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                      • Executes dropped EXE
                                                                                                                                      • Drops file in System32 directory
                                                                                                                                      • Checks processor information in registry
                                                                                                                                      PID:1524
                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                        67⤵
                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                        PID:2576
                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                          68⤵
                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                          • Checks processor information in registry
                                                                                                                                          • Enumerates system info in registry
                                                                                                                                          PID:2528
                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                            69⤵
                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                            PID:2532
                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                              70⤵
                                                                                                                                              • Checks processor information in registry
                                                                                                                                              PID:2396
                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                71⤵
                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                PID:1352
                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                  72⤵
                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                  PID:2620
                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                    73⤵
                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                    PID:1932
                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                      74⤵
                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                      PID:1892
                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                        75⤵
                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                        PID:996
                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                          76⤵
                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                          PID:2632
                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                            77⤵
                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                            PID:2924
                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                              78⤵
                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                              PID:2656
                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                79⤵
                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                PID:1692
                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                  80⤵
                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                  PID:344
                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                    81⤵
                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                    PID:448
                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                      82⤵
                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                      PID:468
                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                        83⤵
                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                        PID:3052
                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                          84⤵
                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                          PID:2248
                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                            85⤵
                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                            PID:868
                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                              86⤵
                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                              PID:2800
                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                87⤵
                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                PID:2972
                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                  88⤵
                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                  PID:2524
                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                    89⤵
                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                    PID:1592
                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                      90⤵
                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                      PID:2392
                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                        91⤵
                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                        PID:2456
                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                          92⤵
                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                          PID:1828
                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                            93⤵
                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                            PID:2276
                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                              94⤵
                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                              PID:2296
                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                95⤵
                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                PID:1448
                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                  96⤵
                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                  PID:2732
                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                    97⤵
                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                    PID:2760
                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                      98⤵
                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                      PID:532
                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                        99⤵
                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                        PID:2856
                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                          100⤵
                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                          PID:1772
                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                            101⤵
                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                            PID:2128
                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                              102⤵
                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                              PID:1780
                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                103⤵
                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                PID:1312
                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                  104⤵
                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                  PID:568
                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                    105⤵
                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                    PID:304
                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                      106⤵
                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                      PID:3020
                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                        107⤵
                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                        PID:2548
                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                          108⤵
                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                          PID:2512
                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                            109⤵
                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                            PID:2680
                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                              110⤵
                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                              PID:1712
                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                111⤵
                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                PID:2508
                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                  112⤵
                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                  PID:764
                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                    113⤵
                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                    PID:1352
                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                      114⤵
                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                      PID:2384
                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                        115⤵
                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                        PID:2008
                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                          116⤵
                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                          PID:1260
                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                            117⤵
                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                            PID:2924
                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                              118⤵
                                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                              PID:576
                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                119⤵
                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                PID:2168
                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                  120⤵
                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                  PID:876
                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                    121⤵
                                                                                                                                                                                                                                                    • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                    PID:900
                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                      122⤵
                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                      PID:1728
                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                        123⤵
                                                                                                                                                                                                                                                        • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                        PID:1312
                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                          124⤵
                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                          PID:1888
                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                            125⤵
                                                                                                                                                                                                                                                            • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                            PID:304
                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                              126⤵
                                                                                                                                                                                                                                                              • Adds Run key to start application
                                                                                                                                                                                                                                                              PID:2588
                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                127⤵
                                                                                                                                                                                                                                                                • Suspicious use of SetThreadContext
                                                                                                                                                                                                                                                                PID:2712
                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                  128⤵
                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                  PID:2704
                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                    129⤵
                                                                                                                                                                                                                                                                      PID:2348
                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                        130⤵
                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                        PID:1540
                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                          "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                          131⤵
                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                          PID:1840
                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                            132⤵
                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                            PID:992
                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                              "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                              133⤵
                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                              PID:1244
                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                134⤵
                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                PID:1676
                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                  135⤵
                                                                                                                                                                                                                                                                                    PID:1824
                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                      136⤵
                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                      PID:1444
                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                        137⤵
                                                                                                                                                                                                                                                                                          PID:2780
                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                            138⤵
                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                            PID:1036
                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                              139⤵
                                                                                                                                                                                                                                                                                                PID:956
                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                  140⤵
                                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                  PID:2000
                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                    141⤵
                                                                                                                                                                                                                                                                                                      PID:1516
                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                        142⤵
                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                        PID:900
                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                          143⤵
                                                                                                                                                                                                                                                                                                            PID:1968
                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                              144⤵
                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                              PID:2176
                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                145⤵
                                                                                                                                                                                                                                                                                                                  PID:2488
                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                    146⤵
                                                                                                                                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                    PID:2964
                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                      147⤵
                                                                                                                                                                                                                                                                                                                        PID:2892
                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                          148⤵
                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                          PID:2864
                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                            149⤵
                                                                                                                                                                                                                                                                                                                              PID:1860
                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                150⤵
                                                                                                                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                PID:2572
                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                  151⤵
                                                                                                                                                                                                                                                                                                                                    PID:2132
                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                      152⤵
                                                                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                      PID:2784
                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                        153⤵
                                                                                                                                                                                                                                                                                                                                          PID:1720
                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                            154⤵
                                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                            PID:1932
                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                              155⤵
                                                                                                                                                                                                                                                                                                                                                PID:1660
                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                  156⤵
                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                  • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                  • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                  PID:1356
                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                    157⤵
                                                                                                                                                                                                                                                                                                                                                      PID:2100
                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                        158⤵
                                                                                                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                        PID:2924
                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                          159⤵
                                                                                                                                                                                                                                                                                                                                                            PID:2208
                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                              160⤵
                                                                                                                                                                                                                                                                                                                                                              • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                              PID:2816
                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                161⤵
                                                                                                                                                                                                                                                                                                                                                                  PID:2840
                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                    162⤵
                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                    PID:2344
                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                      163⤵
                                                                                                                                                                                                                                                                                                                                                                        PID:2836
                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                          164⤵
                                                                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                          • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                          PID:2540
                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                            165⤵
                                                                                                                                                                                                                                                                                                                                                                              PID:2728
                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                166⤵
                                                                                                                                                                                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                PID:2468
                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                  167⤵
                                                                                                                                                                                                                                                                                                                                                                                    PID:2472
                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                      168⤵
                                                                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                      PID:864
                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                        169⤵
                                                                                                                                                                                                                                                                                                                                                                                        • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                        PID:2548
                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                          170⤵
                                                                                                                                                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                          PID:1856
                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                            171⤵
                                                                                                                                                                                                                                                                                                                                                                                              PID:1896
                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                172⤵
                                                                                                                                                                                                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                PID:2272
                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                  173⤵
                                                                                                                                                                                                                                                                                                                                                                                                    PID:2140
                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                      174⤵
                                                                                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                      PID:1720
                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                        175⤵
                                                                                                                                                                                                                                                                                                                                                                                                          PID:596
                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                            176⤵
                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                            • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                            PID:1460
                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                              177⤵
                                                                                                                                                                                                                                                                                                                                                                                                                PID:1452
                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                  178⤵
                                                                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                  PID:2100
                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                    179⤵
                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2852
                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                        180⤵
                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                        • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1520
                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                          181⤵
                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2900
                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                              182⤵
                                                                                                                                                                                                                                                                                                                                                                                                                              • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                              • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2840
                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                183⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1288
                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                    184⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                    • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1424
                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                      185⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2228
                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                          186⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:2056
                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                            187⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2772
                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                188⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2124
                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                  189⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2160
                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                      190⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2260
                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
"C:\Windows\system32\Adobe_Reader.exe"
191⤵
  PID:1840
  • C:\Windows\SysWOW64\Adobe_Reader.exe
    "C:\Windows\SysWOW64\Adobe_Reader.exe"
    192⤵
    • Modifies WinLogon for persistence
    • Adds Run key to start application
    • Enumerates system info in registry
    PID:1556
    • C:\Windows\SysWOW64\Adobe_Reader.exe
      "C:\Windows\system32\Adobe_Reader.exe"
      193⤵
      • Drops file in System32 directory
      PID:2740
      • C:\Windows\SysWOW64\Adobe_Reader.exe
        "C:\Windows\SysWOW64\Adobe_Reader.exe"
        194⤵
        • Checks BIOS information in registry
        • Drops file in System32 directory
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:844
        • C:\Windows\SysWOW64\Adobe_Reader.exe
          "C:\Windows\system32\Adobe_Reader.exe"
          195⤵
          • Drops file in System32 directory
          PID:1716
          • C:\Windows\SysWOW64\Adobe_Reader.exe
            "C:\Windows\SysWOW64\Adobe_Reader.exe"
            196⤵
            • Adds Run key to start application
            • Drops file in System32 directory
            PID:828
            • C:\Windows\SysWOW64\Adobe_Reader.exe
              "C:\Windows\system32\Adobe_Reader.exe"
              197⤵
              • Drops file in System32 directory
              PID:2264
              • C:\Windows\SysWOW64\Adobe_Reader.exe
                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                198⤵
                • Modifies WinLogon for persistence
                • Checks processor information in registry
                PID:1464
                • C:\Windows\SysWOW64\Adobe_Reader.exe
                  "C:\Windows\system32\Adobe_Reader.exe"
                  199⤵
                  • Drops file in System32 directory
                  PID:2724
                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                    "C:\Windows\SysWOW64\Adobe_Reader.exe"
                    200⤵
                    • Checks processor information in registry
                    PID:2244
                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                      "C:\Windows\system32\Adobe_Reader.exe"
                      201⤵
                        PID:976
                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                          202⤵
                          • Adds Run key to start application
                          • Drops file in System32 directory
                          • Checks processor information in registry
                          • Enumerates system info in registry
                          PID:1428
                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                            "C:\Windows\system32\Adobe_Reader.exe"
                            203⤵
                              PID:1288
                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                204⤵
                                • Modifies WinLogon for persistence
                                • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:1640
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          205⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1112
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            206⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2880
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              207⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:1872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                208⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1216
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  209⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:308
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      210⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2120
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        211⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            212⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2132
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              213⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1868
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  214⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks processor information in registry
PID:1244
• C:\Windows\SysWOW64\Adobe_Reader.exe
  "C:\Windows\system32\Adobe_Reader.exe"
  215⤵
    PID:2368
    • C:\Windows\SysWOW64\Adobe_Reader.exe
      "C:\Windows\SysWOW64\Adobe_Reader.exe"
      216⤵
      • Modifies WinLogon for persistence
      • Drops file in System32 directory
      PID:2072
      • C:\Windows\SysWOW64\Adobe_Reader.exe
        "C:\Windows\system32\Adobe_Reader.exe"
        217⤵
          PID:2212
          • C:\Windows\SysWOW64\Adobe_Reader.exe
            "C:\Windows\SysWOW64\Adobe_Reader.exe"
            218⤵
            • Checks BIOS information in registry
            • Checks processor information in registry
            • Enumerates system info in registry
            PID:1740
            • C:\Windows\SysWOW64\Adobe_Reader.exe
              "C:\Windows\system32\Adobe_Reader.exe"
              219⤵
                PID:2720
                • C:\Windows\SysWOW64\Adobe_Reader.exe
                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                  220⤵
                  • Checks BIOS information in registry
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  PID:1684
                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                    "C:\Windows\system32\Adobe_Reader.exe"
                    221⤵
                      PID:2996
                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                        "C:\Windows\SysWOW64\Adobe_Reader.exe"
                        222⤵
                        • Modifies WinLogon for persistence
                        • Adds Run key to start application
                        • Checks processor information in registry
                        PID:3044
                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                          "C:\Windows\system32\Adobe_Reader.exe"
                          223⤵
                          • Drops file in System32 directory
                          PID:2240
                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                            224⤵
                            • Modifies WinLogon for persistence
                            • Checks BIOS information in registry
                            • Adds Run key to start application
                            • Drops file in System32 directory
                            • Checks processor information in registry
                            • Enumerates system info in registry
                            PID:940
                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                              "C:\Windows\system32\Adobe_Reader.exe"
                              225⤵
                                PID:2772
                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                  226⤵
                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2712
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      227⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        228⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2664
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          229⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              230⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2748
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                231⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    232⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:628
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      233⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2496
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          234⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1264
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            235⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                236⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies WinLogon for persistence
• Adds Run key to start application
• Checks processor information in registry
• Enumerates system info in registry
PID:784
• C:\Windows\SysWOW64\Adobe_Reader.exe
  "C:\Windows\system32\Adobe_Reader.exe"
  237⤵
    PID:1900
    • C:\Windows\SysWOW64\Adobe_Reader.exe
      "C:\Windows\SysWOW64\Adobe_Reader.exe"
      238⤵
      • Adds Run key to start application
      • Checks processor information in registry
      • Enumerates system info in registry
      PID:2252
      • C:\Windows\SysWOW64\Adobe_Reader.exe
        "C:\Windows\system32\Adobe_Reader.exe"
        239⤵
          PID:2668
          • C:\Windows\SysWOW64\Adobe_Reader.exe
            "C:\Windows\SysWOW64\Adobe_Reader.exe"
            240⤵
            • Checks BIOS information in registry
            • Checks processor information in registry
            PID:304
            • C:\Windows\SysWOW64\Adobe_Reader.exe
              "C:\Windows\system32\Adobe_Reader.exe"
              241⤵
                PID:2948
                • C:\Windows\SysWOW64\Adobe_Reader.exe
                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                  242⤵
                  • Modifies WinLogon for persistence
                  • Checks BIOS information in registry
                  • Adds Run key to start application
                  • Drops file in System32 directory
                  • Checks processor information in registry
                  • Enumerates system info in registry
                  PID:920
                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                    "C:\Windows\system32\Adobe_Reader.exe"
                    243⤵
                      PID:1572
                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                        "C:\Windows\SysWOW64\Adobe_Reader.exe"
                        244⤵
                        • Modifies WinLogon for persistence
                        • Checks processor information in registry
                        PID:3016
                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                          "C:\Windows\system32\Adobe_Reader.exe"
                          245⤵
                            PID:2936
                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                              "C:\Windows\SysWOW64\Adobe_Reader.exe"
                              246⤵
                              • Modifies WinLogon for persistence
                              • Checks BIOS information in registry
                              • Adds Run key to start application
                              PID:2456
                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                247⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1364
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    248⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:1160
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      249⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        PID:2276
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          250⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:1208
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            251⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              PID:2872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                252⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:1696
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  253⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:448
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      254⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:2212
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        255⤵
  • Drops file in System32 directory
  PID:1516
  • C:\Windows\SysWOW64\Adobe_Reader.exe
    "C:\Windows\SysWOW64\Adobe_Reader.exe"
    256⤵
    • Adds Run key to start application
    • Drops file in System32 directory
    PID:2900
    • C:\Windows\SysWOW64\Adobe_Reader.exe
      "C:\Windows\system32\Adobe_Reader.exe"
      257⤵
      PID:2600
      • C:\Windows\SysWOW64\Adobe_Reader.exe
        "C:\Windows\SysWOW64\Adobe_Reader.exe"
        258⤵
        • Modifies WinLogon for persistence
        • Adds Run key to start application
        • Checks processor information in registry
        • Enumerates system info in registry
        PID:2716
        • C:\Windows\SysWOW64\Adobe_Reader.exe
          "C:\Windows\system32\Adobe_Reader.exe"
          259⤵
          PID:2692
          • C:\Windows\SysWOW64\Adobe_Reader.exe
            "C:\Windows\SysWOW64\Adobe_Reader.exe"
            260⤵
            • Modifies WinLogon for persistence
            • Adds Run key to start application
            • Drops file in System32 directory
            • Enumerates system info in registry
            PID:2116
            • C:\Windows\SysWOW64\Adobe_Reader.exe
              "C:\Windows\system32\Adobe_Reader.exe"
              261⤵
              PID:2772
              • C:\Windows\SysWOW64\Adobe_Reader.exe
                "C:\Windows\SysWOW64\Adobe_Reader.exe"
                262⤵
                • Adds Run key to start application
                • Enumerates system info in registry
                PID:1616
                • C:\Windows\SysWOW64\Adobe_Reader.exe
                  "C:\Windows\system32\Adobe_Reader.exe"
                  263⤵
                  • Drops file in System32 directory
                  PID:808
                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                    "C:\Windows\SysWOW64\Adobe_Reader.exe"
                    264⤵
                    • Modifies WinLogon for persistence
                    • Checks BIOS information in registry
                    • Adds Run key to start application
                    PID:1352
                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                      "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  265⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2012
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      266⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1180
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                        267⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          PID:872
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                          • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            268⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            PID:2256
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                            • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              269⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                PID:2760
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  270⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Modifies WinLogon for persistence
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • Checks BIOS information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  PID:1152
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                  • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    "C:\Windows\system32\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    271⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • Drops file in System32 directory
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    PID:2200
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                    • C:\Windows\SysWOW64\Adobe_Reader.exe
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      "C:\Windows\SysWOW64\Adobe_Reader.exe"
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      272⤵
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Adds Run key to start application
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Checks processor information in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      • Enumerates system info in registry
                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                      PID:1016
• C:\Windows\SysWOW64\Adobe_Reader.exe
  "C:\Windows\system32\Adobe_Reader.exe"
  273⤵
    PID:2556
    • C:\Windows\SysWOW64\Adobe_Reader.exe
      "C:\Windows\SysWOW64\Adobe_Reader.exe"
      274⤵
      • Modifies WinLogon for persistence
      • Checks BIOS information in registry
      PID:2952
      • C:\Windows\SysWOW64\Adobe_Reader.exe
        "C:\Windows\system32\Adobe_Reader.exe"
        275⤵
          PID:3004

Network

MITRE ATT&CK Enterprise v15


Downloads

• C:\Windows\SysWOW64\Adobe_Reader.exe
  Filesize: 796KB
  MD5: ef5a47cb377760f4f1161fcaf1f6cd6f
  SHA1: 4676cc9edb7f8a17f3929afc35df66cfd7ec5856
  SHA256: 7cc814edd8c3dde2c4544e3834900723c97c8b5c78e9ef02c8836c5b63a8b2cc
  SHA512: 84dadf4d80b41d3c1e2af276af3ec13762c4073c7ed2a41e4b7240c2334e064d3b715b61e06a13dc76ed738f13d775769783ad22061050bc26d08c5acf646daf


                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/760-78-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/760-81-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/760-80-0x0000000000660000-0x0000000000661000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/884-205-0x0000000000280000-0x0000000000281000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/884-204-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/884-215-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/896-142-0x00000000002B0000-0x00000000002B1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/896-141-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/896-149-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1032-342-0x0000000000270000-0x0000000000271000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/1032-341-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1032-347-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1280-362-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1280-357-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1280-358-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/1544-299-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1544-293-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1544-294-0x0000000000270000-0x0000000000271000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/1580-277-0x0000000000300000-0x0000000000301000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/1580-283-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1580-276-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1600-266-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1600-261-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1704-389-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1704-390-0x0000000000280000-0x0000000000281000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/1704-394-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1888-8-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            100KB

                                                                                                                          • memory/1980-252-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/1980-247-0x0000000000280000-0x0000000000281000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/1980-246-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2088-163-0x00000000002F0000-0x00000000002F1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2088-170-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2088-162-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2204-404-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2204-406-0x0000000000270000-0x0000000000271000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2204-411-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2284-58-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2284-59-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2284-60-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2284-61-0x0000000000280000-0x0000000000281000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2284-65-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2288-96-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            100KB

                                                                                                                          • memory/2304-105-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2304-101-0x0000000000280000-0x0000000000281000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2304-100-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2304-99-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2304-98-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2360-191-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2360-184-0x0000000001BE0000-0x0000000001BE1000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2360-183-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2404-40-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2404-38-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2404-39-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2404-44-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2404-41-0x0000000000270000-0x0000000000271000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2412-437-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2476-372-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2476-379-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

                                                                                                                          • memory/2476-374-0x0000000000340000-0x0000000000341000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            4KB

                                                                                                                          • memory/2484-76-0x0000000000400000-0x0000000000419000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            100KB

                                                                                                                          • memory/2492-128-0x0000000000400000-0x00000000004C0000-memory.dmp

                                                                                                                            Filesize

                                                                                                                            768KB

• memory/2492-121-0x0000000000280000-0x0000000000281000-memory.dmp (Filesize: 4KB)
• memory/2492-120-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2500-421-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2500-427-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2500-422-0x0000000000290000-0x0000000000291000-memory.dmp (Filesize: 4KB)
• memory/2564-56-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
• memory/2588-36-0x0000000000400000-0x0000000000419000-memory.dmp (Filesize: 100KB)
• memory/2744-309-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2744-315-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2744-310-0x0000000000330000-0x0000000000331000-memory.dmp (Filesize: 4KB)
• memory/2988-23-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2988-9-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2988-7-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2988-6-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2988-10-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2988-11-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2988-12-0x0000000000330000-0x0000000000331000-memory.dmp (Filesize: 4KB)
• memory/2988-2-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/2988-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp (Filesize: 4KB)
• memory/3048-236-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
• memory/3048-227-0x00000000002B0000-0x00000000002B1000-memory.dmp (Filesize: 4KB)
• memory/3048-226-0x0000000000400000-0x00000000004C0000-memory.dmp (Filesize: 768KB)
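The dump names above encode the process, an ordinal and the dumped address range, and the Filesize printed next to each one should equal the length of that range (0x4C0000 minus 0x400000 is 786432 bytes, exactly 768KB). The following added example, written for this page rather than taken from the sandbox vendor's code, parses that naming scheme, checks each listed Filesize against the range, groups the dumps per process, and picks out the dumps taken at the default 32-bit image base. The layout `memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp`, the meaning of the middle number as a sequence counter, and 0x400000 as the image base are assumptions; the sample entries are constructed from the list above.

```python
import re
from collections import defaultdict

# Constructed sample: dump names and the Filesize the report prints for each.
# A subset of the entries above is enough to cover every size that appears there.
REPORT_ENTRIES = [
    ("memory/2492-121-0x0000000000280000-0x0000000000281000-memory.dmp", "4KB"),
    ("memory/2492-120-0x0000000000400000-0x00000000004C0000-memory.dmp", "768KB"),
    ("memory/2564-56-0x0000000000400000-0x0000000000419000-memory.dmp", "100KB"),
    ("memory/2988-4-0x000000007EFDE000-0x000000007EFDF000-memory.dmp", "4KB"),
    ("memory/2988-12-0x0000000000330000-0x0000000000331000-memory.dmp", "4KB"),
    ("memory/2988-23-0x0000000000400000-0x00000000004C0000-memory.dmp", "768KB"),
]

# Assumed naming scheme: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
    r"-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)
SIZE_RE = re.compile(r"^(?P<num>\d+)(?P<unit>B|KB|MB)$")
UNITS = {"B": 1, "KB": 1024, "MB": 1024 ** 2}


def parse_dump(name):
    """Split a dump name into pid, seq, start, end and the byte length of the range."""
    m = DUMP_RE.match(name)
    if m is None:
        raise ValueError("unrecognised dump name: %r" % name)
    start = int(m.group("start"), 16)
    end = int(m.group("end"), 16)
    if end <= start:
        raise ValueError("empty or inverted range in %r" % name)
    return {"pid": int(m.group("pid")), "seq": int(m.group("seq")),
            "start": start, "end": end, "size": end - start}


def parse_size(text):
    """Turn the report's human-readable Filesize ('768KB') into bytes."""
    m = SIZE_RE.match(text.strip())
    if m is None:
        raise ValueError("unrecognised size: %r" % text)
    return int(m.group("num")) * UNITS[m.group("unit")]


def size_matches(listed, actual):
    """True if the range length, rounded to the listed unit, equals the listed number."""
    m = SIZE_RE.match(listed.strip())
    if m is None:
        raise ValueError("unrecognised size: %r" % listed)
    return round(actual / UNITS[m.group("unit")]) == int(m.group("num"))


def check_entries(entries):
    """Parse each (name, Filesize) pair and mark entries whose Filesize disagrees with the range."""
    out = []
    for name, listed in entries:
        d = parse_dump(name)
        d["listed"] = parse_size(listed)
        d["consistent"] = size_matches(listed, d["size"])
        out.append(d)
    return out


def group_by_pid(dumps):
    """Group parsed dumps by pid, ordered by seq so the per-process dump order is visible."""
    groups = defaultdict(list)
    for d in dumps:
        groups[d["pid"]].append(d)
    return {pid: sorted(ds, key=lambda d: d["seq"]) for pid, ds in groups.items()}


def image_dumps(dumps, image_base=0x400000):
    """Dumps that start at the default 32-bit image base (0x400000 is an assumption, not read from the report)."""
    return [d for d in dumps if d["start"] == image_base]


if __name__ == "__main__":
    dumps = check_entries(REPORT_ENTRIES)
    for pid, ds in sorted(group_by_pid(dumps).items()):
        print("pid %d:" % pid)
        for d in ds:
            flag = "" if d["consistent"] else "  <-- Filesize disagrees with range"
            print("  seq %3d  0x%08X-0x%08X  %7d bytes%s"
                  % (d["seq"], d["start"], d["end"], d["size"], flag))
    print("image-base dumps:", [(d["pid"], d["seq"]) for d in image_dumps(dumps)])
```

Run it on the full list to see which processes received a 768KB dump at 0x400000 (the same size as the main image) versus only the small 4KB regions; that split is a quick way to decide which dumps are worth loading into a disassembler first.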