redline | 3eadfa021e89e69ffe4dbf5c3d3eec4843ceb7ad5033498477b914ba6316657b

Resubmissions

05/08/2024, 19:21

240805-x258cswblp 10

05/08/2024, 18:50

240805-xgxeqaydqh 10

Analysis

max time kernel
28s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TextUtils.exe
Size

398KB
MD5

1c09825dd1fa0637c1d5089a65702ede
SHA1

a1da9a5c8d8b79689c9153adf459960fbccde80b
SHA256

3eadfa021e89e69ffe4dbf5c3d3eec4843ceb7ad5033498477b914ba6316657b
SHA512

948252d25c6a481432c52c762637c66d764f7fd90b0fa65d7c44b21af048b87950f918831b7d716fe65f6d10da42c337cb8b5860f2a223d7dc4c8f9d38d9fc00
SSDEEP

12288:kdJoSpPkFtttttttCttttttttttttttpst8ZcxruaZ4A3G31111111111111111/:kdlPgrua13Q11111111111111111D11x

Score

10^/10

redline sectoprat ultimatecrackpack discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

UltimateCrackPack

51.83.170.23:16128

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/8604-135-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/8604-135-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	TextUtils.exe

Executes dropped EXE 64 IoCs

pid	Process
2580	Ultimate-Crack-Pack.exe
2832	Ultimate-Crack-Pack.exe
512	Ultimate-Crack-Pack.exe
4240	Ultimate-Crack-Pack.exe
224	Ultimate-Crack-Pack.exe
5088	Ultimate-Crack-Pack.exe
4748	Ultimate-Crack-Pack.exe
5016	Ultimate-Crack-Pack.exe
4004	Ultimate-Crack-Pack.exe
752	Ultimate-Crack-Pack.exe
4016	Ultimate-Crack-Pack.exe
4824	Ultimate-Crack-Pack.exe
3496	Ultimate-Crack-Pack.exe
1568	Ultimate-Crack-Pack.exe
1152	Ultimate-Crack-Pack.exe
944	Ultimate-Crack-Pack.exe
3316	Ultimate-Crack-Pack.exe
1116	Ultimate-Crack-Pack.exe
1484	Ultimate-Crack-Pack.exe
2872	Ultimate-Crack-Pack.exe
4900	Ultimate-Crack-Pack.exe
1808	Ultimate-Crack-Pack.exe
2656	Ultimate-Crack-Pack.exe
3484	Ultimate-Crack-Pack.exe
3840	Ultimate-Crack-Pack.exe
2304	Ultimate-Crack-Pack.exe
1984	Ultimate-Crack-Pack.exe
2216	Ultimate-Crack-Pack.exe
4660	Ultimate-Crack-Pack.exe
1364	Ultimate-Crack-Pack.exe
4184	Ultimate-Crack-Pack.exe
940	Ultimate-Crack-Pack.exe
4068	Ultimate-Crack-Pack.exe
2864	Ultimate-Crack-Pack.exe
5072	Ultimate-Crack-Pack.exe
876	Ultimate-Crack-Pack.exe
2808	Ultimate-Crack-Pack.exe
1280	Ultimate-Crack-Pack.exe
4756	Ultimate-Crack-Pack.exe
5292	Ultimate-Crack-Pack.exe
5372	Ultimate-Crack-Pack.exe
5472	Ultimate-Crack-Pack.exe
5624	Ultimate-Crack-Pack.exe
5704	Ultimate-Crack-Pack.exe
5784	Ultimate-Crack-Pack.exe
5868	Ultimate-Crack-Pack.exe
6000	Ultimate-Crack-Pack.exe
6100	Ultimate-Crack-Pack.exe
4768	Ultimate-Crack-Pack.exe
5348	Ultimate-Crack-Pack.exe
5432	Ultimate-Crack-Pack.exe
5564	Ultimate-Crack-Pack.exe
5712	Ultimate-Crack-Pack.exe
5836	Ultimate-Crack-Pack.exe
5916	Ultimate-Crack-Pack.exe
6080	Ultimate-Crack-Pack.exe
5268	Ultimate-Crack-Pack.exe
5480	Ultimate-Crack-Pack.exe
5732	Ultimate-Crack-Pack.exe
5948	Ultimate-Crack-Pack.exe
5892	Ultimate-Crack-Pack.exe
5544	Ultimate-Crack-Pack.exe
5680	Ultimate-Crack-Pack.exe
5956	Ultimate-Crack-Pack.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
12216	powershell.exe
11840	powershell.exe
13116	powershell.exe
10136	powershell.exe
12252	powershell.exe
12368	powershell.exe
5944	powershell.exe
13152	powershell.exe
7096	powershell.exe
12484	powershell.exe
6396	powershell.exe
7004	powershell.exe
4228	powershell.exe
11520	powershell.exe
13296	powershell.exe
10236	powershell.exe
9512	powershell.exe
10568	powershell.exe
10480	powershell.exe
7856	powershell.exe
11848	powershell.exe
11700	powershell.exe
6324	powershell.exe
6480	powershell.exe
8540	powershell.exe
10588	powershell.exe
9756	powershell.exe
12208	powershell.exe
2632	powershell.exe
3596	powershell.exe
12308	powershell.exe
6812	powershell.exe
7488	powershell.exe
8380	powershell.exe
9372	powershell.exe
6952	powershell.exe
10880	powershell.exe
13220	powershell.exe
12760	powershell.exe
5336	powershell.exe
9188	powershell.exe
1020	powershell.exe
10796	powershell.exe
5564	powershell.exe
12508	powershell.exe
944	powershell.exe
11200	powershell.exe
12260	powershell.exe
7100	powershell.exe
8408	powershell.exe
8536	powershell.exe
5412	powershell.exe
12688	powershell.exe
12268	powershell.exe
11288	powershell.exe
10304	powershell.exe
11036	powershell.exe
2304	powershell.exe
12276	powershell.exe
236	powershell.exe
9540	powershell.exe
9504	powershell.exe
13080	powershell.exe
7020	powershell.exe

Suspicious use of SetThreadContext 8 IoCs

description	pid	Process	procid_target
PID 512 set thread context of 8604	512	Ultimate-Crack-Pack.exe	457
PID 2832 set thread context of 8524	2832	Ultimate-Crack-Pack.exe	458
PID 4240 set thread context of 8640	4240	Ultimate-Crack-Pack.exe	463
PID 2580 set thread context of 8800	2580	Ultimate-Crack-Pack.exe	465
PID 224 set thread context of 8988	224	Ultimate-Crack-Pack.exe	471
PID 5088 set thread context of 8636	5088	Ultimate-Crack-Pack.exe	476
PID 4748 set thread context of 8752	4748	Ultimate-Crack-Pack.exe	477
PID 5016 set thread context of 8648	5016	Ultimate-Crack-Pack.exe	483

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 37 IoCs

pid	pid_target	Process	procid_target
13064	7380	WerFault.exe	321
12424	12508	WerFault.exe	748
9760	7204	WerFault.exe	317
7768	7456	WerFault.exe	323
5780	7476	WerFault.exe	379
1756	1768	WerFault.exe	578
7692	7996	WerFault.exe	385
7568	7620	WerFault.exe	395
9952	9160	WerFault.exe	427
10056	8356	WerFault.exe	433
6436	8124	WerFault.exe	391
13272	7928	WerFault.exe	373
7940	7728	WerFault.exe	381
6464	7744	WerFault.exe	371
7712	7860	WerFault.exe	357
11832	7988	WerFault.exe	383
10820	8932	WerFault.exe	421
11496	9064	WerFault.exe	445
6404	10960	WerFault.exe	585
8656	7280	WerFault.exe	393
13140	9008	WerFault.exe	423
8652	7500	WerFault.exe	429
11336	8696	WerFault.exe	439
8432	8456	WerFault.exe	435
5752	1388	WerFault.exe	431
8084	7196	WerFault.exe	449
13048	8596	WerFault.exe	437
12284	9176	WerFault.exe	447
8188	8548	WerFault.exe	411
11188	8700	WerFault.exe	415
8284	8392	WerFault.exe	407
7580	9064	WerFault.exe	445
6176	10960	WerFault.exe	585
12100	6280	WerFault.exe	893
7432	7196	WerFault.exe	449
12140	7456	WerFault.exe	323
10232	10960	WerFault.exe	585

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133673593349485448"	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
452	chrome.exe
452	chrome.exe
2580	Ultimate-Crack-Pack.exe
2580	Ultimate-Crack-Pack.exe
2580	Ultimate-Crack-Pack.exe
2580	Ultimate-Crack-Pack.exe
2580	Ultimate-Crack-Pack.exe
2580	Ultimate-Crack-Pack.exe
2580	Ultimate-Crack-Pack.exe
2580	Ultimate-Crack-Pack.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
452	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious use of AdjustPrivilegeToken 45 IoCs

description	pid	Process
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeDebugPrivilege	2580	Ultimate-Crack-Pack.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe
Token: SeShutdownPrivilege	452	chrome.exe
Token: SeCreatePagefilePrivilege	452	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe
452	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2580	2132	TextUtils.exe	83
PID 2132 wrote to memory of 2580	2132	TextUtils.exe	83
PID 2132 wrote to memory of 2580	2132	TextUtils.exe	83
PID 2132 wrote to memory of 2656	2132	TextUtils.exe	128
PID 2132 wrote to memory of 2656	2132	TextUtils.exe	128
PID 2656 wrote to memory of 2832	2656	TextUtils.exe	85
PID 2656 wrote to memory of 2832	2656	TextUtils.exe	85
PID 2656 wrote to memory of 2832	2656	TextUtils.exe	85
PID 2656 wrote to memory of 2764	2656	TextUtils.exe	86
PID 2656 wrote to memory of 2764	2656	TextUtils.exe	86
PID 2764 wrote to memory of 512	2764	TextUtils.exe	87
PID 2764 wrote to memory of 512	2764	TextUtils.exe	87
PID 2764 wrote to memory of 512	2764	TextUtils.exe	87
PID 2764 wrote to memory of 1540	2764	TextUtils.exe	88
PID 2764 wrote to memory of 1540	2764	TextUtils.exe	88
PID 1540 wrote to memory of 4240	1540	TextUtils.exe	89
PID 1540 wrote to memory of 4240	1540	TextUtils.exe	89
PID 1540 wrote to memory of 4240	1540	TextUtils.exe	89
PID 1540 wrote to memory of 5060	1540	TextUtils.exe	90
PID 1540 wrote to memory of 5060	1540	TextUtils.exe	90
PID 5060 wrote to memory of 224	5060	TextUtils.exe	91
PID 5060 wrote to memory of 224	5060	TextUtils.exe	91
PID 5060 wrote to memory of 224	5060	TextUtils.exe	91
PID 5060 wrote to memory of 3920	5060	TextUtils.exe	92
PID 5060 wrote to memory of 3920	5060	TextUtils.exe	92
PID 3920 wrote to memory of 5088	3920	TextUtils.exe	93
PID 3920 wrote to memory of 5088	3920	TextUtils.exe	93
PID 3920 wrote to memory of 5088	3920	TextUtils.exe	93
PID 3920 wrote to memory of 3184	3920	TextUtils.exe	94
PID 3920 wrote to memory of 3184	3920	TextUtils.exe	94
PID 3184 wrote to memory of 4748	3184	TextUtils.exe	95
PID 3184 wrote to memory of 4748	3184	TextUtils.exe	95
PID 3184 wrote to memory of 4748	3184	TextUtils.exe	95
PID 3184 wrote to memory of 2172	3184	TextUtils.exe	96
PID 3184 wrote to memory of 2172	3184	TextUtils.exe	96
PID 2172 wrote to memory of 5016	2172	TextUtils.exe	97
PID 2172 wrote to memory of 5016	2172	TextUtils.exe	97
PID 2172 wrote to memory of 5016	2172	TextUtils.exe	97
PID 2172 wrote to memory of 4508	2172	TextUtils.exe	98
PID 2172 wrote to memory of 4508	2172	TextUtils.exe	98
PID 4508 wrote to memory of 4004	4508	TextUtils.exe	99
PID 4508 wrote to memory of 4004	4508	TextUtils.exe	99
PID 4508 wrote to memory of 4004	4508	TextUtils.exe	99
PID 4508 wrote to memory of 3848	4508	TextUtils.exe	100
PID 4508 wrote to memory of 3848	4508	TextUtils.exe	100
PID 3848 wrote to memory of 752	3848	TextUtils.exe	102
PID 3848 wrote to memory of 752	3848	TextUtils.exe	102
PID 3848 wrote to memory of 752	3848	TextUtils.exe	102
PID 3848 wrote to memory of 1688	3848	TextUtils.exe	103
PID 3848 wrote to memory of 1688	3848	TextUtils.exe	103
PID 1688 wrote to memory of 4016	1688	TextUtils.exe	104
PID 1688 wrote to memory of 4016	1688	TextUtils.exe	104
PID 1688 wrote to memory of 4016	1688	TextUtils.exe	104
PID 1688 wrote to memory of 1376	1688	TextUtils.exe	105
PID 1688 wrote to memory of 1376	1688	TextUtils.exe	105
PID 1376 wrote to memory of 4824	1376	TextUtils.exe	106
PID 1376 wrote to memory of 4824	1376	TextUtils.exe	106
PID 1376 wrote to memory of 4824	1376	TextUtils.exe	106
PID 1376 wrote to memory of 3664	1376	TextUtils.exe	144
PID 1376 wrote to memory of 3664	1376	TextUtils.exe	144
PID 3664 wrote to memory of 3496	3664	TextUtils.exe	108
PID 3664 wrote to memory of 3496	3664	TextUtils.exe	108
PID 3664 wrote to memory of 3496	3664	TextUtils.exe	108
PID 3664 wrote to memory of 3992	3664	TextUtils.exe	109

C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
"C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2580
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    PID:8380
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    PID:8800
- C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
  "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
  2⤵
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
    "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:2832
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      PID:8540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      PID:8524
- - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
    "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
      "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:512
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        5⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8408
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:8860
      - C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8408" "1916" "1864" "1920" "0" "0" "1924" "0" "0" "0" "0" "0"
        6⤵
        
        PID:12552
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        
        PID:8604
  - - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
      "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
      4⤵
      Checks computer location settings
      Suspicious use of WriteProcessMemory
      PID:1540
    - - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4240
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        6⤵
        
        PID:8688
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:8716
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:8640
    - - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5060
      - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:8968
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        8⤵
        
        PID:8096
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "8968" "1928" "1880" "1932" "0" "0" "1936" "0" "0" "0" "0" "0"
        8⤵
        
        PID:13288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        
        PID:8988
      - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3920
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        8⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8536
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        
        PID:8636
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        
        PID:8752
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:5016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        10⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2632
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:8648
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4508
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        10⤵
        Executes dropped EXE
        
        PID:4004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        11⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9504
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        
        PID:9616
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3848
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        11⤵
        Executes dropped EXE
        
        PID:752
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        
        PID:9528
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1688
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        12⤵
        Executes dropped EXE
        
        PID:4016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:9464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        
        PID:9520
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        12⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:1376
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        13⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:10116
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        13⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        14⤵
        Executes dropped EXE
        
        PID:3496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9540
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        
        PID:9548
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        14⤵
        Checks computer location settings
        
        PID:3992
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1568
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        16⤵
        
        PID:9824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:9832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:9944
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        15⤵
        Checks computer location settings
        
        PID:4372
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        16⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:10152
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        16⤵
        Checks computer location settings
        
        PID:3648
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        17⤵
        Executes dropped EXE
        
        PID:944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:3988
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        17⤵
        
        PID:940
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        18⤵
        Executes dropped EXE
        
        PID:3316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:9816
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        18⤵
        Checks computer location settings
        
        PID:2540
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        19⤵
        Executes dropped EXE
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:9804
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        19⤵
        Checks computer location settings
        
        PID:4608
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        20⤵
        Executes dropped EXE
        
        PID:1484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:10144
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        20⤵
        
        PID:2864
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        21⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2872
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:10124
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        21⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        22⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:9896
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:10336
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        22⤵
        Checks computer location settings
        
        PID:2596
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        23⤵
        Executes dropped EXE
        
        PID:1808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:9788
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        23⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        24⤵
        Executes dropped EXE
        
        PID:2656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:8764
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        24⤵
        Checks computer location settings
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        25⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:9812
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        25⤵
        
        PID:3888
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        26⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:3496
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        26⤵
        
        PID:2636
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        27⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        28⤵
        
        PID:9932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:3224
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:9992
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        27⤵
        Checks computer location settings
        
        PID:1968
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        28⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1984
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        29⤵
        
        PID:10312
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:10320
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        28⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        29⤵
        Executes dropped EXE
        
        PID:2216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:9748
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        29⤵
        Checks computer location settings
        
        PID:3444
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        30⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:9904
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        30⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        31⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:10460
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        31⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        32⤵
        Executes dropped EXE
        
        PID:4184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10304
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "10304" "1916" "1840" "1920" "0" "0" "1924" "0" "0" "0" "0" "0"
        34⤵
        
        PID:12920
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:10328
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        32⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        33⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:10468
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        33⤵
        Checks computer location settings
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        34⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:10488
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        34⤵
        Checks computer location settings
        
        PID:1056
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        35⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:10452
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        35⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        36⤵
        Executes dropped EXE
        
        PID:5072
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:10496
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        36⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        37⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:876
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        37⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        38⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:10444
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        38⤵
        
        PID:1964
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        39⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11036
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:11044
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        39⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        40⤵
        Executes dropped EXE
        
        PID:4756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:10504
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        40⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        41⤵
        Executes dropped EXE
        
        PID:5292
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        41⤵
        
        PID:5312
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        42⤵
        Executes dropped EXE
        
        PID:5372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:1712
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        42⤵
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        43⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5472
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1768 -s 916
        45⤵
        Program crash
        
        PID:1756
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        43⤵
        Checks computer location settings
        
        PID:5500
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        44⤵
        Executes dropped EXE
        
        PID:5624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:944
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        44⤵
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        45⤵
        Executes dropped EXE
        
        PID:5704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        46⤵
        
        PID:11064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        45⤵
        Checks computer location settings
        
        PID:5724
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        46⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5784
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:10940
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        48⤵
        
        PID:1808
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        46⤵
        Checks computer location settings
        
        PID:5796
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        47⤵
        Executes dropped EXE
        
        PID:5868
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:11220
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        47⤵
        Checks computer location settings
        
        PID:5888
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        48⤵
        Executes dropped EXE
        
        PID:6000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:1288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:3376
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:3264
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        48⤵
        Checks computer location settings
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        49⤵
        Executes dropped EXE
        
        PID:6100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:10960
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10960 -s 768
        51⤵
        Program crash
        
        PID:6404
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10960 -s 768
        51⤵
        Program crash
        
        PID:6176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 10960 -s 792
        51⤵
        Program crash
        
        PID:10232
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        49⤵
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        50⤵
        Executes dropped EXE
        
        PID:4768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9372
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:10712
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        50⤵
        Checks computer location settings
        
        PID:5204
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        51⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5348
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10796
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        51⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        52⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:9460
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        52⤵
        Checks computer location settings
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        53⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        54⤵
        
        PID:5016
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:912
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        53⤵
        Checks computer location settings
        
        PID:5632
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        54⤵
        Executes dropped EXE
        
        PID:5712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        55⤵
        
        PID:4844
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:10428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:11412
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        54⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        55⤵
        Executes dropped EXE
        
        PID:5836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11200
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:10800
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        55⤵
        Checks computer location settings
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        56⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5916
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11848
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:11864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:10976
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        58⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        56⤵
        Checks computer location settings
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        57⤵
        Executes dropped EXE
        
        PID:6080
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        58⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:11536
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        57⤵
        
        PID:684
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        58⤵
        Executes dropped EXE
        
        PID:5268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:11820
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        58⤵
        Checks computer location settings
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        59⤵
        Executes dropped EXE
        
        PID:5480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:11680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:11876
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        59⤵
        Checks computer location settings
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        60⤵
        Executes dropped EXE
        
        PID:5732
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        61⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12216
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:12232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        62⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        60⤵
        
        PID:5668
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        61⤵
        Executes dropped EXE
        
        PID:5948
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        62⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:11856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:12044
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        61⤵
        Checks computer location settings
        
        PID:5972
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        62⤵
        Executes dropped EXE
        
        PID:5892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12276
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        62⤵
        Checks computer location settings
        
        PID:6120
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        63⤵
        Executes dropped EXE
        
        PID:5544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12252
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        65⤵
        
        PID:2808
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:12268
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        63⤵
        
        PID:2504
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        64⤵
        Executes dropped EXE
        
        PID:5680
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:11828
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:12048
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        64⤵
        
        PID:5764
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        65⤵
        Executes dropped EXE
        
        PID:5956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:12284
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        65⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        66⤵
        System Location Discovery: System Language Discovery
        
        PID:5580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:10524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:12392
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:12636
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        66⤵
        
        PID:5844
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        67⤵
        
        PID:6076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12208
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:12224
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        67⤵
        
        PID:5380
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        68⤵
        
        PID:684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12368
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:12400
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        68⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        69⤵
        
        PID:5420
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        
        PID:11776
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        
        PID:5784
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        69⤵
        
        PID:5200
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        70⤵
        System Location Discovery: System Language Discovery
        
        PID:6184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:11272
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        70⤵
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        71⤵
        System Location Discovery: System Language Discovery
        
        PID:6260
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:12128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        72⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        71⤵
        
        PID:6308
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:6380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:10508
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        72⤵
        
        PID:6396
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        73⤵
        
        PID:6460
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        74⤵
        
        PID:12336
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        74⤵
        
        PID:12352
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        73⤵
        Checks computer location settings
        
        PID:6468
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        74⤵
        
        PID:6544
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:3184
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        74⤵
        
        PID:6552
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        75⤵
        
        PID:6624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        76⤵
        
        PID:12344
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:12360
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        75⤵
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        76⤵
        
        PID:6704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        77⤵
        
        PID:5404
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        76⤵
        Checks computer location settings
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        77⤵
        
        PID:6792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        78⤵
        
        PID:5968
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        77⤵
        
        PID:6804
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        78⤵
        
        PID:6868
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        79⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        78⤵
        
        PID:6876
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        79⤵
        System Location Discovery: System Language Discovery
        
        PID:6944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        80⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        80⤵
        
        PID:12696
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        79⤵
        Checks computer location settings
        
        PID:6960
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        80⤵
        System Location Discovery: System Language Discovery
        
        PID:7020
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        81⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        81⤵
        
        PID:12768
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        80⤵
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        81⤵
        System Location Discovery: System Language Discovery
        
        PID:7096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        82⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13220
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        82⤵
        
        PID:13228
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        81⤵
        
        PID:7112
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        82⤵
        
        PID:6012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        83⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13152
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        84⤵
        
        PID:4900
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        83⤵
        
        PID:13160
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        82⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        83⤵
        
        PID:6172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        84⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        84⤵
        
        PID:13088
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        83⤵
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        84⤵
        
        PID:6200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        85⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5944
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        84⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        85⤵
        System Location Discovery: System Language Discovery
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        85⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        86⤵
        
        PID:6528
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        87⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5412
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        87⤵
        
        PID:628
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        86⤵
        
        PID:6524
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        87⤵
        
        PID:6568
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        87⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        88⤵
        System Location Discovery: System Language Discovery
        
        PID:6636
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        88⤵
        Checks computer location settings
        
        PID:5848
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        89⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        89⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        90⤵
        
        PID:6828
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        90⤵
        Checks computer location settings
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        91⤵
        
        PID:6984
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        91⤵
        Checks computer location settings
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        92⤵
        
        PID:7092
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        92⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        93⤵
        
        PID:6132
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        93⤵
        Checks computer location settings
        
        PID:6208
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:6316
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        94⤵
        Checks computer location settings
        
        PID:6168
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        95⤵
        
        PID:6452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        96⤵
        
        PID:11084
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        95⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        96⤵
        
        PID:5772
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        96⤵
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        97⤵
        
        PID:6780
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        98⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12308
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        98⤵
        
        PID:12376
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        97⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:7088
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        98⤵
        Checks computer location settings
        
        PID:7032
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        99⤵
        
        PID:6164
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        99⤵
        
        PID:6228
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        100⤵
        
        PID:6308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        101⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12508 -s 72
        102⤵
        Program crash
        
        PID:12424
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:12316
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        100⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        101⤵
        
        PID:6760
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        101⤵
        Checks computer location settings
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        102⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        102⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        103⤵
        
        PID:6300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        104⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5336
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        103⤵
        
        PID:5792
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        104⤵
        
        PID:5320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        105⤵
        
        PID:4612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        105⤵
        
        PID:9612
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        104⤵
        Checks computer location settings
        
        PID:4788
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        105⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        105⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        106⤵
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        106⤵
        
        PID:6968
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        107⤵
        
        PID:6840
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        107⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        108⤵
        System Location Discovery: System Language Discovery
        
        PID:6328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        109⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        109⤵
        
        PID:12488
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        108⤵
        
        PID:6772
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        109⤵
        System Location Discovery: System Language Discovery
        
        PID:6768
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        109⤵
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        110⤵
        System Location Discovery: System Language Discovery
        
        PID:7204
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7204 -s 1008
        111⤵
        Program crash
        
        PID:9760
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        110⤵
        
        PID:7220
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        111⤵
        System Location Discovery: System Language Discovery
        
        PID:7304
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        111⤵
        
        PID:7320
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        112⤵
        
        PID:7380
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7380 -s 1008
        113⤵
        Program crash
        
        PID:13064
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        112⤵
        
        PID:7396
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:7456
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1016
        114⤵
        Program crash
        
        PID:7768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7456 -s 1016
        114⤵
        Program crash
        
        PID:12140
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        113⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        114⤵
        
        PID:7532
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        114⤵
        
        PID:7548
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        115⤵
        
        PID:7608
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        116⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6952
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        116⤵
        
        PID:12212
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:5748
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        115⤵
        
        PID:7616
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        116⤵
        
        PID:7684
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        116⤵
        
        PID:7700
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        117⤵
        
        PID:7768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        118⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        118⤵
        
        PID:12984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        119⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        117⤵
        
        PID:7776
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        118⤵
        
        PID:7844
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        118⤵
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        119⤵
        System Location Discovery: System Language Discovery
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        119⤵
        
        PID:7928
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        120⤵
        System Location Discovery: System Language Discovery
        
        PID:8000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        121⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        121⤵
        
        PID:4536
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        120⤵
        Checks computer location settings
        
        PID:8024
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:8076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        122⤵
        
        PID:6384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:13252
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        122⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        121⤵
        Checks computer location settings
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        122⤵
        System Location Discovery: System Language Discovery
        
        PID:8156
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        123⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10880
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        123⤵
        
        PID:5664
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        122⤵
        Checks computer location settings
        
        PID:8172
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        123⤵
        System Location Discovery: System Language Discovery
        
        PID:6068
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        123⤵
        
        PID:7176
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        124⤵
        
        PID:7292
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        124⤵
        
        PID:7256
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        125⤵
        
        PID:7344
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        125⤵
        Checks computer location settings
        
        PID:7324
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        126⤵
        
        PID:7480
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        126⤵
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        127⤵
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        127⤵
        
        PID:7624
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:7672
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        128⤵
        Checks computer location settings
        
        PID:7748
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:7836
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        129⤵
        Checks computer location settings
        
        PID:7832
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        130⤵
        
        PID:7860
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        131⤵
        
        PID:9244
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        131⤵
        
        PID:5360
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7860 -s 1100
        131⤵
        Program crash
        
        PID:7712
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        130⤵
        
        PID:7972
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        131⤵
        System Location Discovery: System Language Discovery
        
        PID:8040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        132⤵
        
        PID:9384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:9596
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        132⤵
        
        PID:13032
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        131⤵
        Checks computer location settings
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        132⤵
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        132⤵
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:7200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        134⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        134⤵
        
        PID:6416
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        133⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        134⤵
        System Location Discovery: System Language Discovery
        
        PID:7364
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        135⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9188
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:12840
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        135⤵
        
        PID:12900
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        134⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:7488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        136⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:236
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        137⤵
        
        PID:6080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        136⤵
        
        PID:10388
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        135⤵
        Checks computer location settings
        
        PID:7584
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        136⤵
        System Location Discovery: System Language Discovery
        
        PID:7760
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        136⤵
        
        PID:7676
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        137⤵
        
        PID:7744
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7744 -s 992
        138⤵
        Program crash
        
        PID:6464
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        137⤵
        
        PID:4316
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        138⤵
        
        PID:7928
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        139⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7928 -s 1096
        139⤵
        Program crash
        
        PID:13272
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        138⤵
        
        PID:7996
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        139⤵
        
        PID:8100
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        139⤵
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        140⤵
        System Location Discovery: System Language Discovery
        
        PID:7224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        141⤵
        
        PID:13060
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        141⤵
        
        PID:12712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        142⤵
        
        PID:7608
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        140⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        141⤵
        
        PID:7476
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7476 -s 1016
        142⤵
        Program crash
        
        PID:5780
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        141⤵
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        142⤵
        
        PID:7728
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7728 -s 1008
        143⤵
        Program crash
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        142⤵
        Checks computer location settings
        
        PID:7620
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        143⤵
        
        PID:7988
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7988 -s 1008
        144⤵
        Program crash
        
        PID:11832
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        143⤵
        
        PID:8152
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        144⤵
        
        PID:7996
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7996 -s 1016
        145⤵
        Program crash
        
        PID:7692
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        144⤵
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        145⤵
        
        PID:7640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        146⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11288
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:5464
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        145⤵
        Checks computer location settings
        
        PID:7704
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        146⤵
        System Location Discovery: System Language Discovery
        
        PID:7664
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        146⤵
        
        PID:3796
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        147⤵
        
        PID:8124
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8124 -s 1036
        148⤵
        Program crash
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        147⤵
        
        PID:8096
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        148⤵
        System Location Discovery: System Language Discovery
        
        PID:7280
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        149⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6396
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:7128
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:3924
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7280 -s 1116
        149⤵
        Program crash
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        148⤵
        
        PID:7636
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        149⤵
        
        PID:7620
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        150⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6324
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:11792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:10484
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7620 -s 1012
        150⤵
        Program crash
        
        PID:7568
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        149⤵
        
        PID:8056
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        150⤵
        
        PID:7740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:5760
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:12592
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        150⤵
        Checks computer location settings
        
        PID:6440
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        151⤵
        
        PID:7636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:11504
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        151⤵
        
        PID:7448
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        152⤵
        System Location Discovery: System Language Discovery
        
        PID:7528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:6036
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        152⤵
        Checks computer location settings
        
        PID:1388
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        153⤵
        System Location Discovery: System Language Discovery
        
        PID:8236
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        154⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12484
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:11064
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        153⤵
        Checks computer location settings
        
        PID:8252
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        154⤵
        
        PID:8312
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        155⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7100
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:10452
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        154⤵
        
        PID:8328
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        155⤵
        
        PID:8392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        156⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7004
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8392 -s 1044
        156⤵
        Program crash
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        155⤵
        
        PID:8408
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        156⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        157⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        157⤵
        
        PID:10580
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        156⤵
        
        PID:8480
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:8548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        158⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8548 -s 1044
        158⤵
        Program crash
        
        PID:8188
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        157⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        158⤵
        
        PID:8624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        159⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:10212
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        158⤵
        
        PID:8632
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:8700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        160⤵
        
        PID:12572
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:7420
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8700 -s 1104
        160⤵
        Program crash
        
        PID:11188
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        159⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        160⤵
        
        PID:8776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        161⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6480
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        160⤵
        Checks computer location settings
        
        PID:8784
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        161⤵
        System Location Discovery: System Language Discovery
        
        PID:8852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        162⤵
        
        PID:6824
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        161⤵
        Checks computer location settings
        
        PID:8860
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        162⤵
        
        PID:8932
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8932 -s 1056
        163⤵
        Program crash
        
        PID:10820
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        162⤵
        
        PID:8948
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:9008
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9008 -s 1056
        164⤵
        Program crash
        
        PID:13140
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        163⤵
        
        PID:9032
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        164⤵
        
        PID:9084
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        164⤵
        Checks computer location settings
        
        PID:9100
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:9160
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9160 -s 980
        166⤵
        Program crash
        
        PID:9952
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        165⤵
        
        PID:9168
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        166⤵
        
        PID:7500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7500 -s 1056
        167⤵
        Program crash
        
        PID:8652
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        166⤵
        
        PID:7756
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        167⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1388 -s 1016
        168⤵
        Program crash
        
        PID:5752
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        167⤵
        
        PID:8284
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        168⤵
        
        PID:8356
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8356 -s 1016
        169⤵
        Program crash
        
        PID:10056
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        168⤵
        
        PID:8380
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        169⤵
        System Location Discovery: System Language Discovery
        
        PID:8456
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        170⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7488
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:10716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        170⤵
        
        PID:10776
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8456 -s 1096
        170⤵
        Program crash
        
        PID:8432
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        169⤵
        
        PID:8428
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        170⤵
        
        PID:8596
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8596 -s 1016
        171⤵
        Program crash
        
        PID:13048
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        170⤵
        Checks computer location settings
        
        PID:8640
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        171⤵
        System Location Discovery: System Language Discovery
        
        PID:8696
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8696 -s 1000
        172⤵
        Program crash
        
        PID:11336
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        171⤵
        
        PID:8648
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        172⤵
        System Location Discovery: System Language Discovery
        
        PID:8824
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        173⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:13116
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        172⤵
        
        PID:8840
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        173⤵
        System Location Discovery: System Language Discovery
        
        PID:8864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        174⤵
        
        PID:2316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        174⤵
        
        PID:13308
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        173⤵
        Checks computer location settings
        
        PID:8924
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        174⤵
        
        PID:9064
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9064 -s 1008
        175⤵
        Program crash
        
        PID:11496
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9064 -s 1008
        175⤵
        Program crash
        
        PID:7580
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        174⤵
        Checks computer location settings
        
        PID:9108
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        175⤵
        
        PID:9176
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9176 -s 1056
        176⤵
        Program crash
        
        PID:12284
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        175⤵
        Checks computer location settings
        
        PID:9140
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        176⤵
        
        PID:7196
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 1016
        177⤵
        Program crash
        
        PID:8084
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7196 -s 1016
        177⤵
        Program crash
        
        PID:7432
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        176⤵
        
        PID:8208
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        177⤵
        
        PID:8364
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        177⤵
        Checks computer location settings
        
        PID:8468
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        178⤵
        
        PID:8684
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        179⤵
        
        PID:6208
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        179⤵
        
        PID:6224
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        178⤵
        
        PID:2520
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        179⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        180⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        180⤵
        
        PID:7880
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        179⤵
        
        PID:10948
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        180⤵
        
        PID:12520
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        180⤵
        
        PID:12796

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffddc6fcc40,0x7ffddc6fcc4c,0x7ffddc6fcc58
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1816,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1796 /prefetch:2
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1968,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1988 /prefetch:3
  2⤵
  PID:3444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2296,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2452 /prefetch:8
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3144,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4540,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4556 /prefetch:1
  2⤵
  PID:5208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4844,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4856 /prefetch:8
  2⤵
  PID:5848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4988,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5024 /prefetch:8
  2⤵
  PID:6068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5368,i,4358365034253456761,2589677046887319254,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4924 /prefetch:8
  2⤵
  PID:6688

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5140

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:6268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 6172 -ip 6172
1⤵
PID:5520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 7204 -ip 7204
1⤵
PID:11800

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 832 -p 12852 -ip 12852
1⤵
PID:6624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 864 -p 6704 -ip 6704
1⤵
PID:13052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 904 -p 6868 -ip 6868
1⤵
PID:12572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 9504 -ip 9504
1⤵
PID:6260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 6928 -ip 6928
1⤵
PID:10840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 928 -p 10452 -ip 10452
1⤵
PID:6596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 836 -p 6200 -ip 6200
1⤵
PID:11336

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 524 -p 7096 -ip 7096
1⤵
PID:6972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 6132 -ip 6132
1⤵
PID:12624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 920 -p 6636 -ip 6636
1⤵
PID:3772

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 944 -p 6316 -ip 6316
1⤵
PID:12572

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 784 -p 6760 -ip 6760
1⤵
PID:9496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 7088 -ip 7088
1⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 6828 -ip 6828
1⤵
PID:6744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 6756 -ip 6756
1⤵
PID:3068

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 7092 -ip 7092
1⤵
PID:11428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 5772 -ip 5772
1⤵
PID:6480

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 960 -p 6164 -ip 6164
1⤵
PID:9504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 6984 -ip 6984
1⤵
PID:6280

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 12520 -ip 12520
1⤵
PID:6820

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 6436 -ip 6436
1⤵
PID:5732

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 908 -p 6568 -ip 6568
1⤵
PID:6736

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6308 -ip 6308
1⤵
PID:4320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 10328 -ip 10328
1⤵
PID:6316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 7000 -ip 7000
1⤵
PID:6112

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 888 -p 6300 -ip 6300
1⤵
PID:6844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 552 -p 7456 -ip 7456
1⤵
PID:6280
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 6280 -s 72
  2⤵
  - Program crash
  PID:12100

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 6768 -ip 6768
1⤵
PID:10828

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 600 -p 6328 -ip 6328
1⤵
PID:12748

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 8380 -ip 8380
1⤵
PID:7636

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 7532 -ip 7532
1⤵
PID:11268

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 816 -p 7684 -ip 7684
1⤵
PID:11832

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 7920 -ip 7920
1⤵
PID:6040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 6068 -ip 6068
1⤵
PID:6436

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1000 -p 7304 -ip 7304
1⤵
PID:1596

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 680 -p 7844 -ip 7844
1⤵
PID:2960

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7344 -ip 7344
1⤵
PID:6448

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1056 -p 9540 -ip 9540
1⤵
PID:2868

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1008 -p 7292 -ip 7292
1⤵
PID:12740

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 640 -p 7480 -ip 7480
1⤵
PID:1064

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 948 -p 7580 -ip 7580
1⤵
PID:7108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 7836 -ip 7836
1⤵
PID:6364

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 7672 -ip 7672
1⤵
PID:8812

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4332

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 10496 -ip 10496
1⤵
PID:11496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 968 -p 8148 -ip 8148
1⤵
PID:5488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 12284 -ip 12284
1⤵
PID:10352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 9704 -ip 9704
1⤵
PID:5752

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1096 -p 5784 -ip 5784
1⤵
PID:8352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1120 -p 7664 -ip 7664
1⤵
PID:7540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1144 -p 8100 -ip 8100
1⤵
PID:10728

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 900 -p 3264 -ip 3264
1⤵
PID:9368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 1768 -ip 1768
1⤵
PID:10232

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1092 -p 7476 -ip 7476
1⤵
PID:6844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 7760 -ip 7760
1⤵
PID:9516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 7988 -ip 7988
1⤵
PID:10568

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1012 -p 7860 -ip 7860
1⤵
PID:8056

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1016 -p 7744 -ip 7744
1⤵
PID:11644

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1076 -p 7996 -ip 7996
1⤵
PID:7844

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 7200 -ip 7200
1⤵
PID:11848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 828 -p 7728 -ip 7728
1⤵
PID:11680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1148 -p 7928 -ip 7928
1⤵
PID:2852

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1088 -p 8124 -ip 8124
1⤵
PID:11352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1068 -p 7620 -ip 7620
1⤵
PID:7220

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 976 -p 10800 -ip 10800
1⤵
PID:6668

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 7760 -ip 7760
1⤵
PID:6516

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 7200 -ip 7200
1⤵
PID:7836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 7528 -ip 7528
1⤵
PID:7616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 896 -p 7640 -ip 7640
1⤵
PID:8684

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 8356 -ip 8356
1⤵
PID:11708

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 9160 -ip 9160
1⤵
PID:6928

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 8392 -ip 8392
1⤵
PID:6792

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 592 -p 8696 -ip 8696
1⤵
PID:7884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 628 -p 7500 -ip 7500
1⤵
PID:12956

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 9008 -ip 9008
1⤵
PID:12616

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 7280 -ip 7280
1⤵
PID:9872

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 10960 -ip 10960
1⤵
PID:1880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 936 -p 9064 -ip 9064
1⤵
PID:6932

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 992 -p 8932 -ip 8932
1⤵
PID:13260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 540 -p 9084 -ip 9084
1⤵
PID:10548

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 492 -p 8700 -ip 8700
1⤵
PID:11744

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 776 -p 8548 -ip 8548
1⤵
PID:11320

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 648 -p 8456 -ip 8456
1⤵
PID:11840

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 876 -p 1388 -ip 1388
1⤵
PID:12896

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 932 -p 9176 -ip 9176
1⤵
PID:5504

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 6280 -ip 6280
1⤵
PID:11584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 984 -p 7196 -ip 7196
1⤵
PID:12584

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 8596 -ip 8596
1⤵
PID:7244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 2520 -ip 2520
1⤵
PID:7356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 10960 -ip 10960
1⤵
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dd8244b096715ed18b22d83da14073c8

SHA1
18f8e7770676dd04c74298386c5d296dc400cee0

SHA256
b883502ff1b6a6c14253e2b6fac04c52175e461467d0f3103338dd81c0373883

SHA512
1553e29eb3bc614a45b8db4c9b35165de6d5d3c4a5828b2587a4d4f0128d2671fa7d568315e2d768d37f416233755d73ba12ce9b82c216ef92c06852923cd75a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
08e28770e0aa9b1a6dfb227f4e76fe03

SHA1
ed2396630fe7ec57733bdd909fb2417876dfd1ea

SHA256
43b13323ee036fe10479dc2dc5b527cfd7607b2b0b5e45fbe8187ce36b252595

SHA512
7742f525d0cd1a1c91017c364101ce6890933d9898e5d7c45aefd3f677101b1bd6a8a3fb413e16b31f0ebd0d279f93c6060e89d8890d1d56b00086c6617f9a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a4bcd8309f0d268903e8026d6254b027

SHA1
df792f6b1449c4f5684f441322d0b9f86aa2d0cb

SHA256
abfcd4c3b817d9e47ea78156c5ab4a1d3e3bdaa03268f153c43b3a3791d53df1

SHA512
072b4a7d6611f675839c08a25c1daed9ed06fd4dc8578c3e552b94aaf35fa3362c410d6c5bbebabb4a07321616ea5e82aa86d938c2aa8dafd809c1983106c578

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
3baf06ff8956543f735f051ec48be48f

SHA1
b73bde561abff7e37a0b90701195ef4442e1e2dd

SHA256
8094916929ec49732d28db6d1add0d48e1dd0ae34eb4aa32a77e32cc941c1077

SHA512
360ec73a45632227299be0ef472596fe339923b1e92cb38b0ab3bae3df7023d80f41d7491df213966349ef3efc674d304748d79412fda8eb5de64ddfe894d26d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
7cfc46351b9f6d0d46394e7f241c9bcb

SHA1
c5f2c8e6c4e4cb8473c77ac76aee27d665f6b044

SHA256
544c98ced5a1b17d640461338b546a852df5f0b9210d4fb190548fe3858a844f

SHA512
ba428de49e1e02b02bcbeae4b9c5b53c373fe30bd107f11ab3c180c892a9cf402702ef7940bf061ff41ab6d111cdbf12ee987209be971089b7143fa1323dcadf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
bb06c30aff38f4d89559fd6a5ad95aa6

SHA1
9e803715d911f1e272e34e0c23ba13356013ab0c

SHA256
9cb011bfbf1ad2c319da7ffb38c15b33ee780c2dcf7ea1f10f894beb0250fef2

SHA512
cd7169500eba0284efb6354d42330eeedc03a8c7e528b56801bdc0bca30ee180c9fddd636b0578aeda2a3c6cfc0333e6c4aa183da5de97f8b391de146a1e0610

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
285baf9b5239ddd300a0df188da6631f

SHA1
57c593649c6c8703b3a6ae3c000e6675d00f9ec0

SHA256
3669783704e3498216207bb5179adcc313f4b6a860e0c8bb6a84d1c522c904aa

SHA512
bf06fc2a8b44729ff4e1b514741d5b59457001d7e0399ccce035c70f053bd95474264b1ee511d17f6fe8f18c41901f5cea41305237ca4ad19c15c2e214c03110

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
4468190b715da5a5bf8d0d018cbf6516

SHA1
0eb04f5b5f67e24bfba573e82a660a328f8866ed

SHA256
0f4ec1642bce9caeea478eab9a045fd6876afdcab2b5cf65a606c20ab7501216

SHA512
09b45421256932d7a7f21204eeab5b76c17da930c2e190b3e1be12ad832535a8a435cc92a0e007ae5b50fe18788f82044745386c63b2892a635f84c95012e47e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
3c45d17162babb7c4536d565e78c20de

SHA1
dbbcc5e06b496a521321489f8f793e662b310661

SHA256
b39133bbcf8b744e59b36a22bcb127341264e404edb60c46fdcdaf98dab6eb04

SHA512
bb951793d0ee6125f4e7894ebd3df98fd6733779a69357919247ef40d1dfec945174308d43fddbd898b6d405e5d109bd1d112f2a0b3430285d2307722201fe14

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
a0e018a093ab1d7e5c8b492a9e6ef184

SHA1
55b0df45b2437e37567fb0428b784f36c81b6b80

SHA256
cd45c97f1b5070de002edbd42b9e5e07c83dc9150257a82a171019aacf5f90f9

SHA512
f64d601d8e3ead884c10e3ea097e98b340c04a844e71e0e271ff3026a45afd9ccf69df57967aab40da795a39e6f29cf6b155e85d8c53a527dad7931f53d92f6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
194KB

MD5
5f96b4ba34e2c63ddf192c09d124a4a0

SHA1
947113cffddf819a358e78d2bbdd37fae4a1eae5

SHA256
2d3adcb3387e133afffe0692e7c839159020279757e49394c24c5b59fdbc7bed

SHA512
5d0a63de1ddbabed763edda1835eeec08a3797c99e5c15b43f2c59b7e8e751c362313376f84b27e0a17609f0d069a1cad1c29068888f5fad163d9d29915d0520

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextUtils.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe

Filesize
115KB

MD5
dc6f230a993249cbe632aea3edbbd63e

SHA1
ee67ed14eb647918d0d7ffd11ba7b665eeb19c27

SHA256
a6c001e47fd68b6c97fa484c5c98f918eed5d231bd8f1a4e4ad65af20788118b

SHA512
7e9b46e5d8e8fa609c839d570cf6cf80c7464de553f094e02b6f86e96dc81ce65a1f5f071acd6fadec9d1f4690f48972d4425a7dc2bb0bab7d0588eae81fa5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_o4lkfpzw.ppr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/512-131-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/944-156-0x0000000005590000-0x00000000055B2000-memory.dmp

Filesize
136KB

Download
memory/1568-154-0x0000000004B50000-0x0000000004B72000-memory.dmp

Filesize
136KB

Download
memory/2132-0-0x00007FFDDFB43000-0x00007FFDDFB45000-memory.dmp

Filesize
8KB

Download
memory/2132-1-0x0000000000B20000-0x0000000000B88000-memory.dmp

Filesize
416KB

Download
memory/2580-129-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/2580-20-0x0000000004CF0000-0x0000000004D82000-memory.dmp

Filesize
584KB

Download
memory/2580-18-0x00000000052A0000-0x0000000005844000-memory.dmp

Filesize
5.6MB

Download
memory/2580-17-0x0000000000440000-0x0000000000464000-memory.dmp

Filesize
144KB

Download
memory/2580-16-0x000000007507E000-0x000000007507F000-memory.dmp

Filesize
4KB

Download
memory/2656-21-0x00007FFDDFB40000-0x00007FFDE0601000-memory.dmp

Filesize
10.8MB

Download
memory/2656-15-0x00007FFDDFB40000-0x00007FFDE0601000-memory.dmp

Filesize
10.8MB

Download
memory/2832-23-0x0000000004DC0000-0x0000000004E36000-memory.dmp

Filesize
472KB

Download
memory/2832-22-0x0000000004C10000-0x0000000004C1A000-memory.dmp

Filesize
40KB

Download
memory/2832-130-0x0000000004E40000-0x0000000004E5E000-memory.dmp

Filesize
120KB

Download
memory/2832-128-0x0000000004C20000-0x0000000004C42000-memory.dmp

Filesize
136KB

Download
memory/2864-176-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/3484-165-0x0000000005410000-0x0000000005432000-memory.dmp

Filesize
136KB

Download
memory/4016-147-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/5268-260-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/5348-234-0x0000000005660000-0x0000000005682000-memory.dmp

Filesize
136KB

Download
memory/5732-280-0x0000000004E90000-0x0000000004EB2000-memory.dmp

Filesize
136KB

Download
memory/5868-232-0x0000000004A30000-0x0000000004A52000-memory.dmp

Filesize
136KB

Download
memory/5948-296-0x0000000004C30000-0x0000000004C52000-memory.dmp

Filesize
136KB

Download
memory/6076-305-0x0000000004D60000-0x0000000004D82000-memory.dmp

Filesize
136KB

Download
memory/6164-397-0x0000000005300000-0x0000000005322000-memory.dmp

Filesize
136KB

Download
memory/6624-331-0x0000000004E60000-0x0000000004E82000-memory.dmp

Filesize
136KB

Download
memory/6756-372-0x0000000005600000-0x0000000005622000-memory.dmp

Filesize
136KB

Download
memory/7092-391-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/7200-483-0x0000000005950000-0x0000000005972000-memory.dmp

Filesize
136KB

Download
memory/7640-540-0x0000000004B80000-0x0000000004BA2000-memory.dmp

Filesize
136KB

Download
memory/7728-514-0x0000000005460000-0x0000000005482000-memory.dmp

Filesize
136KB

Download
memory/7740-544-0x0000000005200000-0x0000000005222000-memory.dmp

Filesize
136KB

Download
memory/7836-476-0x00000000054E0000-0x0000000005502000-memory.dmp

Filesize
136KB

Download
memory/8000-450-0x0000000005210000-0x0000000005232000-memory.dmp

Filesize
136KB

Download
memory/8100-526-0x0000000004AF0000-0x0000000004B12000-memory.dmp

Filesize
136KB

Download
memory/8356-562-0x0000000004DE0000-0x0000000004E02000-memory.dmp

Filesize
136KB

Download
memory/8524-149-0x0000000005A80000-0x0000000006098000-memory.dmp

Filesize
6.1MB

Download
memory/8604-135-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/8604-151-0x00000000053E0000-0x000000000541C000-memory.dmp

Filesize
240KB

Download
memory/8604-153-0x0000000005420000-0x000000000546C000-memory.dmp

Filesize
304KB

Download
memory/8604-160-0x00000000057C0000-0x00000000058CA000-memory.dmp

Filesize
1.0MB

Download
memory/8604-150-0x0000000005370000-0x0000000005382000-memory.dmp

Filesize
72KB

Download
memory/8688-618-0x00000000069E0000-0x00000000069FA000-memory.dmp

Filesize
104KB

Download
memory/8688-210-0x0000000005360000-0x00000000053C6000-memory.dmp

Filesize
408KB

Download
memory/8688-211-0x00000000053D0000-0x0000000005436000-memory.dmp

Filesize
408KB

Download
memory/8688-619-0x0000000006A30000-0x0000000006A52000-memory.dmp

Filesize
136KB

Download
memory/8688-209-0x00000000052C0000-0x00000000052E2000-memory.dmp

Filesize
136KB

Download
memory/8688-213-0x0000000005440000-0x0000000005794000-memory.dmp

Filesize
3.3MB

Download
memory/8688-617-0x0000000006A60000-0x0000000006AF6000-memory.dmp

Filesize
600KB

Download
memory/8688-152-0x0000000004490000-0x00000000044C6000-memory.dmp

Filesize
216KB

Download
memory/8688-155-0x0000000004BD0000-0x00000000051F8000-memory.dmp

Filesize
6.2MB

Download
memory/8688-475-0x0000000005A50000-0x0000000005A6E000-memory.dmp

Filesize
120KB

Download
memory/8864-581-0x00000000054D0000-0x00000000054F2000-memory.dmp

Filesize
136KB

Download
memory/9064-582-0x0000000002640000-0x0000000002662000-memory.dmp

Filesize
136KB

Download
memory/9176-587-0x0000000005B30000-0x0000000005B52000-memory.dmp

Filesize
136KB

Download