redline | 3eadfa021e89e69ffe4dbf5c3d3eec4843ceb7ad5033498477b914ba6316657b

Resubmissions

05/08/2024, 19:21

240805-x258cswblp 10

05/08/2024, 18:50

240805-xgxeqaydqh 10

Analysis

max time kernel
42s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
05/08/2024, 18:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TextUtils.exe
Size

398KB
MD5

1c09825dd1fa0637c1d5089a65702ede
SHA1

a1da9a5c8d8b79689c9153adf459960fbccde80b
SHA256

3eadfa021e89e69ffe4dbf5c3d3eec4843ceb7ad5033498477b914ba6316657b
SHA512

948252d25c6a481432c52c762637c66d764f7fd90b0fa65d7c44b21af048b87950f918831b7d716fe65f6d10da42c337cb8b5860f2a223d7dc4c8f9d38d9fc00
SSDEEP

12288:kdJoSpPkFtttttttCttttttttttttttpst8ZcxruaZ4A3G31111111111111111/:kdlPgrua13Q11111111111111111D11x

Score

10^/10

redline sectoprat ultimatecrackpack discovery execution infostealer rat trojan

Malware Config

Extracted

Family

redline

Botnet

UltimateCrackPack

51.83.170.23:16128

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine payload 1 IoCs

resource	yara_rule
behavioral2/memory/7260-90-0x0000000000400000-0x000000000041E000-memory.dmp	family_redline

SectopRAT
SectopRAT is a remote access trojan first seen in November 2019.
trojan rat sectoprat

SectopRAT payload 1 IoCs

resource	yara_rule
behavioral2/memory/7260-90-0x0000000000400000-0x000000000041E000-memory.dmp	family_sectoprat

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4182098368-2521458979-3782681353-1000\Control Panel\International\Geo\Nation	TextUtils.exe

Executes dropped EXE 64 IoCs

pid	Process
5100	Ultimate-Crack-Pack.exe
4568	Ultimate-Crack-Pack.exe
3116	Ultimate-Crack-Pack.exe
2892	Ultimate-Crack-Pack.exe
1900	Ultimate-Crack-Pack.exe
1180	Ultimate-Crack-Pack.exe
548	Ultimate-Crack-Pack.exe
2672	Ultimate-Crack-Pack.exe
2288	Ultimate-Crack-Pack.exe
3688	Ultimate-Crack-Pack.exe
3704	Ultimate-Crack-Pack.exe
1380	Ultimate-Crack-Pack.exe
2596	Ultimate-Crack-Pack.exe
4884	Ultimate-Crack-Pack.exe
1020	Ultimate-Crack-Pack.exe
784	Ultimate-Crack-Pack.exe
4000	Ultimate-Crack-Pack.exe
2652	Ultimate-Crack-Pack.exe
1864	Ultimate-Crack-Pack.exe
3192	Ultimate-Crack-Pack.exe
2496	Ultimate-Crack-Pack.exe
3676	Ultimate-Crack-Pack.exe
1300	Ultimate-Crack-Pack.exe
4184	Ultimate-Crack-Pack.exe
4132	Ultimate-Crack-Pack.exe
4148	Ultimate-Crack-Pack.exe
1956	Ultimate-Crack-Pack.exe
2924	Ultimate-Crack-Pack.exe
4712	Ultimate-Crack-Pack.exe
1604	Ultimate-Crack-Pack.exe
3448	Ultimate-Crack-Pack.exe
5012	Ultimate-Crack-Pack.exe
3076	Ultimate-Crack-Pack.exe
3040	Ultimate-Crack-Pack.exe
4308	Ultimate-Crack-Pack.exe
2660	Ultimate-Crack-Pack.exe
1640	Ultimate-Crack-Pack.exe
3472	Ultimate-Crack-Pack.exe
5072	Ultimate-Crack-Pack.exe
3184	Ultimate-Crack-Pack.exe
2136	Ultimate-Crack-Pack.exe
1044	Ultimate-Crack-Pack.exe
1096	Ultimate-Crack-Pack.exe
2228	Ultimate-Crack-Pack.exe
3268	Ultimate-Crack-Pack.exe
864	Ultimate-Crack-Pack.exe
4624	Ultimate-Crack-Pack.exe
4836	Ultimate-Crack-Pack.exe
4768	Ultimate-Crack-Pack.exe
2284	Ultimate-Crack-Pack.exe
2512	Ultimate-Crack-Pack.exe
1740	Ultimate-Crack-Pack.exe
4512	Ultimate-Crack-Pack.exe
3540	Ultimate-Crack-Pack.exe
4688	Ultimate-Crack-Pack.exe
4432	Ultimate-Crack-Pack.exe
1680	Ultimate-Crack-Pack.exe
3476	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
772	Ultimate-Crack-Pack.exe
3960	Ultimate-Crack-Pack.exe
2832	Ultimate-Crack-Pack.exe
5172	Ultimate-Crack-Pack.exe
5248	Ultimate-Crack-Pack.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
7268	powershell.exe
7876	powershell.exe
8248	powershell.exe
10700	powershell.exe
1664	powershell.exe
4188	powershell.exe
7200	powershell.exe
9004	powershell.exe
9520	powershell.exe
9864	powershell.exe
10688	powershell.exe
9820	powershell.exe
5476	powershell.exe
8832	powershell.exe
7576	powershell.exe
7228	powershell.exe
8856	powershell.exe
10088	powershell.exe
11636	powershell.exe
8580	powershell.exe
3800	powershell.exe
7412	powershell.exe
1032	powershell.exe
7756	powershell.exe
9656	powershell.exe
11176	powershell.exe
8316	powershell.exe
1676	powershell.exe
10640	powershell.exe
12596	powershell.exe
4500	powershell.exe
9108	powershell.exe
2524	powershell.exe
10664	powershell.exe
11568	powershell.exe
8568	powershell.exe
8908	powershell.exe
9040	powershell.exe
3092	powershell.exe
11528	powershell.exe
9160	powershell.exe
7548	powershell.exe
8636	powershell.exe
1048	powershell.exe
9440	powershell.exe
10612	powershell.exe
11020	powershell.exe
2148	powershell.exe
8360	powershell.exe
9300	powershell.exe
10092	powershell.exe
7240	powershell.exe
8588	powershell.exe
8576	powershell.exe
9236	powershell.exe
9064	powershell.exe
2836	powershell.exe
10792	powershell.exe
11184	powershell.exe
8256	powershell.exe
6136	powershell.exe
11672	powershell.exe
4384	powershell.exe
3176	powershell.exe

Looks up external IP address via web service 28 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
130	ipinfo.io
54	ipinfo.io
62	ipinfo.io
119	ipinfo.io
129	ipinfo.io
50	ipinfo.io
71	ipinfo.io
42	ipinfo.io
47	ipinfo.io
49	ipinfo.io
60	ipinfo.io
31	api.ipify.org
37	ipinfo.io
39	ipinfo.io
40	ipinfo.io
68	ipinfo.io
73	ipinfo.io
117	ipinfo.io
69	ipinfo.io
132	ipinfo.io
135	ipinfo.io
30	api.ipify.org
116	ipinfo.io
122	ipinfo.io
29	api.ipify.org
128	ipinfo.io
136	ipinfo.io
131	ipinfo.io

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process	procid_target
PID 3116 set thread context of 7260	3116	Ultimate-Crack-Pack.exe	413
PID 4568 set thread context of 7336	4568	Ultimate-Crack-Pack.exe	418
PID 2892 set thread context of 7344	2892	Ultimate-Crack-Pack.exe	417
PID 5100 set thread context of 7580	5100	Ultimate-Crack-Pack.exe	426
PID 1900 set thread context of 7536	1900	Ultimate-Crack-Pack.exe	883
PID 1180 set thread context of 7852	1180	Ultimate-Crack-Pack.exe	435
PID 2288 set thread context of 7472	2288	Ultimate-Crack-Pack.exe	440
PID 548 set thread context of 7180	548	Ultimate-Crack-Pack.exe	442
PID 2672 set thread context of 7524	2672	Ultimate-Crack-Pack.exe	443
PID 3704 set thread context of 1600	3704	Ultimate-Crack-Pack.exe	448
PID 3688 set thread context of 7496	3688	Ultimate-Crack-Pack.exe	454
PID 2596 set thread context of 8324	2596	Ultimate-Crack-Pack.exe	460
PID 1380 set thread context of 8384	1380	Ultimate-Crack-Pack.exe	461
PID 1020 set thread context of 8392	1020	Ultimate-Crack-Pack.exe	462
PID 4884 set thread context of 8596	4884	Ultimate-Crack-Pack.exe	470
PID 1864 set thread context of 8644	1864	Ultimate-Crack-Pack.exe	472
PID 784 set thread context of 8716	784	Ultimate-Crack-Pack.exe	474
PID 4000 set thread context of 8724	4000	Ultimate-Crack-Pack.exe	475
PID 2496 set thread context of 8848	2496	Ultimate-Crack-Pack.exe	480
PID 2652 set thread context of 8864	2652	Ultimate-Crack-Pack.exe	482
PID 1300 set thread context of 9012	1300	Ultimate-Crack-Pack.exe	490
PID 3676 set thread context of 9048	3676	Ultimate-Crack-Pack.exe	492
PID 4184 set thread context of 9116	4184	Ultimate-Crack-Pack.exe	496
PID 4132 set thread context of 7804	4132	Ultimate-Crack-Pack.exe	501
PID 2924 set thread context of 2256	2924	Ultimate-Crack-Pack.exe	505
PID 3192 set thread context of 8788	3192	Ultimate-Crack-Pack.exe	513
PID 4148 set thread context of 8584	4148	Ultimate-Crack-Pack.exe	515
PID 1956 set thread context of 9252	1956	Ultimate-Crack-Pack.exe	521
PID 3040 set thread context of 9528	3040	Ultimate-Crack-Pack.exe	527
PID 3076 set thread context of 9604	3076	Ultimate-Crack-Pack.exe	528
PID 4308 set thread context of 9612	4308	Ultimate-Crack-Pack.exe	529
PID 2660 set thread context of 9644	2660	Ultimate-Crack-Pack.exe	533
PID 5012 set thread context of 9664	5012	Ultimate-Crack-Pack.exe	535
PID 1604 set thread context of 9680	1604	Ultimate-Crack-Pack.exe	536
PID 1640 set thread context of 9828	1640	Ultimate-Crack-Pack.exe	538
PID 1096 set thread context of 9876	1096	Ultimate-Crack-Pack.exe	540
PID 5072 set thread context of 9932	5072	Ultimate-Crack-Pack.exe	545
PID 4712 set thread context of 9940	4712	Ultimate-Crack-Pack.exe	546
PID 3448 set thread context of 10176	3448	Ultimate-Crack-Pack.exe	554
PID 3472 set thread context of 2680	3472	Ultimate-Crack-Pack.exe	559
PID 3184 set thread context of 8740	3184	Ultimate-Crack-Pack.exe	566
PID 2512 set thread context of 2592	2512	Ultimate-Crack-Pack.exe	567
PID 2284 set thread context of 9284	2284	Ultimate-Crack-Pack.exe	570
PID 1044 set thread context of 3468	1044	Ultimate-Crack-Pack.exe	572
PID 864 set thread context of 1864	864	Ultimate-Crack-Pack.exe	574
PID 2136 set thread context of 9692	2136	Ultimate-Crack-Pack.exe	578
PID 4624 set thread context of 9816	4624	Ultimate-Crack-Pack.exe	581
PID 4836 set thread context of 624	4836	Ultimate-Crack-Pack.exe	586
PID 3268 set thread context of 3044	3268	Ultimate-Crack-Pack.exe	587
PID 4768 set thread context of 9232	4768	Ultimate-Crack-Pack.exe	594
PID 3476 set thread context of 10384	3476	Ultimate-Crack-Pack.exe	595
PID 3540 set thread context of 10624	3540	Ultimate-Crack-Pack.exe	599
PID 2832 set thread context of 10648	2832	Ultimate-Crack-Pack.exe	602
PID 1740 set thread context of 10656	1740	Ultimate-Crack-Pack.exe	603
PID 2228 set thread context of 10672	2228	Ultimate-Crack-Pack.exe	605
PID 4688 set thread context of 10708	4688	Ultimate-Crack-Pack.exe	609
PID 4512 set thread context of 10716	4512	Ultimate-Crack-Pack.exe	610
PID 3960 set thread context of 10800	3960	Ultimate-Crack-Pack.exe	612
PID 772 set thread context of 11200	772	Ultimate-Crack-Pack.exe	627
PID 4432 set thread context of 11224	4432	Ultimate-Crack-Pack.exe	629
PID 5248 set thread context of 3724	5248	Ultimate-Crack-Pack.exe	635
PID 1680 set thread context of 10160	1680	Ultimate-Crack-Pack.exe	638
PID 5328 set thread context of 2952	5328	Ultimate-Crack-Pack.exe	644
PID 5172 set thread context of 10636	5172	Ultimate-Crack-Pack.exe	645

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 38 IoCs

pid	pid_target	Process	procid_target
12472	4836	WerFault.exe	691
11476	9236	WerFault.exe	520
5704	8840	WerFault.exe	479
8620	7012	WerFault.exe	344
9204	5936	WerFault.exe	266
10508	5228	WerFault.exe	238
12104	7128	WerFault.exe	326
8816	7804	WerFault.exe	501
6952	6264	WerFault.exe	304
8280	6756	WerFault.exe	356
6812	5608	WerFault.exe	300
7036	5368	WerFault.exe	298
6996	4472	WerFault.exe	296
7412	6432	WerFault.exe	308
12948	6348	WerFault.exe	306
3972	6664	WerFault.exe	314
7536	6588	WerFault.exe	312
7964	5712	WerFault.exe	224
3976	6740	WerFault.exe	316
3896	5660	WerFault.exe	246
8168	6896	WerFault.exe	320
7100	6972	WerFault.exe	322
8604	7048	WerFault.exe	324
7592	6816	WerFault.exe	318
9264	5376	WerFault.exe	286
8692	5920	WerFault.exe	278
8060	3556	WerFault.exe	292
8456	5212	WerFault.exe	280
6780	5768	WerFault.exe	274
6000	4812	WerFault.exe	294
7956	6188	WerFault.exe	302
8148	6652	WerFault.exe	364
6340	6364	WerFault.exe	332
7460	6416	WerFault.exe	362
7936	6508	WerFault.exe	310
8160	11508	WerFault.exe	815
12624	12500	WerFault.exe	699
12520	11200	WerFault.exe	627

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegAsm.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Ultimate-Crack-Pack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2672	Ultimate-Crack-Pack.exe
2672	Ultimate-Crack-Pack.exe
2672	Ultimate-Crack-Pack.exe
2672	Ultimate-Crack-Pack.exe
1380	Ultimate-Crack-Pack.exe
1380	Ultimate-Crack-Pack.exe
1380	Ultimate-Crack-Pack.exe
1380	Ultimate-Crack-Pack.exe
1020	Ultimate-Crack-Pack.exe
1020	Ultimate-Crack-Pack.exe
1020	Ultimate-Crack-Pack.exe
1020	Ultimate-Crack-Pack.exe
7200	powershell.exe
7200	powershell.exe
7548	powershell.exe
7548	powershell.exe
7268	powershell.exe
7268	powershell.exe
7240	powershell.exe
7240	powershell.exe
3192	Ultimate-Crack-Pack.exe
3192	Ultimate-Crack-Pack.exe
3192	Ultimate-Crack-Pack.exe
3192	Ultimate-Crack-Pack.exe
7876	powershell.exe
7876	powershell.exe
5072	Ultimate-Crack-Pack.exe
5072	Ultimate-Crack-Pack.exe
5072	Ultimate-Crack-Pack.exe
5072	Ultimate-Crack-Pack.exe
4712	Ultimate-Crack-Pack.exe
4712	Ultimate-Crack-Pack.exe
4712	Ultimate-Crack-Pack.exe
4712	Ultimate-Crack-Pack.exe
3448	Ultimate-Crack-Pack.exe
3448	Ultimate-Crack-Pack.exe
3448	Ultimate-Crack-Pack.exe
3448	Ultimate-Crack-Pack.exe
7576	powershell.exe
7576	powershell.exe
4768	Ultimate-Crack-Pack.exe
4768	Ultimate-Crack-Pack.exe
4768	Ultimate-Crack-Pack.exe
4768	Ultimate-Crack-Pack.exe
5172	Ultimate-Crack-Pack.exe
5172	Ultimate-Crack-Pack.exe
5172	Ultimate-Crack-Pack.exe
5172	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
212	Ultimate-Crack-Pack.exe
5636	Ultimate-Crack-Pack.exe
5636	Ultimate-Crack-Pack.exe
5636	Ultimate-Crack-Pack.exe
5636	Ultimate-Crack-Pack.exe
1032	powershell.exe
1032	powershell.exe
7412	powershell.exe
7412	powershell.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	7260	RegAsm.exe
Token: SeDebugPrivilege	1380	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	1020	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	7580	RegAsm.exe
Token: SeDebugPrivilege	7200	powershell.exe
Token: SeDebugPrivilege	7548	powershell.exe
Token: SeDebugPrivilege	7268	powershell.exe
Token: SeDebugPrivilege	7240	powershell.exe
Token: SeDebugPrivilege	7576	powershell.exe
Token: SeDebugPrivilege	3192	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	7344	RegAsm.exe
Token: SeDebugPrivilege	7536	RegAsm.exe
Token: SeDebugPrivilege	7876	powershell.exe
Token: SeDebugPrivilege	1600	RegAsm.exe
Token: SeDebugPrivilege	5072	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	3448	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	4712	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	7336	RegAsm.exe
Token: SeDebugPrivilege	7472	RegAsm.exe
Token: SeDebugPrivilege	7852	RegAsm.exe
Token: SeDebugPrivilege	4768	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	7524	RegAsm.exe
Token: SeDebugPrivilege	5172	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	212	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	8384	RegAsm.exe
Token: SeDebugPrivilege	5636	Ultimate-Crack-Pack.exe
Token: SeDebugPrivilege	7180	RegAsm.exe
Token: SeDebugPrivilege	8324	RegAsm.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	7412	powershell.exe
Token: SeDebugPrivilege	7228	powershell.exe
Token: SeDebugPrivilege	7496	RegAsm.exe
Token: SeDebugPrivilege	8316	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1472 wrote to memory of 5100	1472	TextUtils.exe	84
PID 1472 wrote to memory of 5100	1472	TextUtils.exe	84
PID 1472 wrote to memory of 5100	1472	TextUtils.exe	84
PID 1472 wrote to memory of 4340	1472	TextUtils.exe	85
PID 1472 wrote to memory of 4340	1472	TextUtils.exe	85
PID 4340 wrote to memory of 4568	4340	TextUtils.exe	86
PID 4340 wrote to memory of 4568	4340	TextUtils.exe	86
PID 4340 wrote to memory of 4568	4340	TextUtils.exe	86
PID 4340 wrote to memory of 4748	4340	TextUtils.exe	87
PID 4340 wrote to memory of 4748	4340	TextUtils.exe	87
PID 4748 wrote to memory of 3116	4748	TextUtils.exe	88
PID 4748 wrote to memory of 3116	4748	TextUtils.exe	88
PID 4748 wrote to memory of 3116	4748	TextUtils.exe	88
PID 4748 wrote to memory of 400	4748	TextUtils.exe	89
PID 4748 wrote to memory of 400	4748	TextUtils.exe	89
PID 400 wrote to memory of 2892	400	TextUtils.exe	91
PID 400 wrote to memory of 2892	400	TextUtils.exe	91
PID 400 wrote to memory of 2892	400	TextUtils.exe	91
PID 400 wrote to memory of 5108	400	TextUtils.exe	92
PID 400 wrote to memory of 5108	400	TextUtils.exe	92
PID 5108 wrote to memory of 1900	5108	TextUtils.exe	93
PID 5108 wrote to memory of 1900	5108	TextUtils.exe	93
PID 5108 wrote to memory of 1900	5108	TextUtils.exe	93
PID 5108 wrote to memory of 4500	5108	TextUtils.exe	94
PID 5108 wrote to memory of 4500	5108	TextUtils.exe	94
PID 4500 wrote to memory of 1180	4500	TextUtils.exe	95
PID 4500 wrote to memory of 1180	4500	TextUtils.exe	95
PID 4500 wrote to memory of 1180	4500	TextUtils.exe	95
PID 4500 wrote to memory of 3564	4500	TextUtils.exe	96
PID 4500 wrote to memory of 3564	4500	TextUtils.exe	96
PID 3564 wrote to memory of 548	3564	TextUtils.exe	98
PID 3564 wrote to memory of 548	3564	TextUtils.exe	98
PID 3564 wrote to memory of 548	3564	TextUtils.exe	98
PID 3564 wrote to memory of 2464	3564	TextUtils.exe	99
PID 3564 wrote to memory of 2464	3564	TextUtils.exe	99
PID 2464 wrote to memory of 2672	2464	TextUtils.exe	100
PID 2464 wrote to memory of 2672	2464	TextUtils.exe	100
PID 2464 wrote to memory of 2672	2464	TextUtils.exe	100
PID 2464 wrote to memory of 4104	2464	TextUtils.exe	101
PID 2464 wrote to memory of 4104	2464	TextUtils.exe	101
PID 4104 wrote to memory of 2288	4104	TextUtils.exe	102
PID 4104 wrote to memory of 2288	4104	TextUtils.exe	102
PID 4104 wrote to memory of 2288	4104	TextUtils.exe	102
PID 4104 wrote to memory of 4132	4104	TextUtils.exe	134
PID 4104 wrote to memory of 4132	4104	TextUtils.exe	134
PID 4132 wrote to memory of 3688	4132	TextUtils.exe	104
PID 4132 wrote to memory of 3688	4132	TextUtils.exe	104
PID 4132 wrote to memory of 3688	4132	TextUtils.exe	104
PID 4132 wrote to memory of 4396	4132	TextUtils.exe	105
PID 4132 wrote to memory of 4396	4132	TextUtils.exe	105
PID 4396 wrote to memory of 3704	4396	TextUtils.exe	106
PID 4396 wrote to memory of 3704	4396	TextUtils.exe	106
PID 4396 wrote to memory of 3704	4396	TextUtils.exe	106
PID 4396 wrote to memory of 864	4396	TextUtils.exe	176
PID 4396 wrote to memory of 864	4396	TextUtils.exe	176
PID 864 wrote to memory of 1380	864	TextUtils.exe	108
PID 864 wrote to memory of 1380	864	TextUtils.exe	108
PID 864 wrote to memory of 1380	864	TextUtils.exe	108
PID 864 wrote to memory of 4432	864	TextUtils.exe	196
PID 864 wrote to memory of 4432	864	TextUtils.exe	196
PID 4432 wrote to memory of 2596	4432	TextUtils.exe	110
PID 4432 wrote to memory of 2596	4432	TextUtils.exe	110
PID 4432 wrote to memory of 2596	4432	TextUtils.exe	110
PID 4432 wrote to memory of 432	4432	TextUtils.exe	111

C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
"C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1472
- C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
  "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  PID:5100
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:7548
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:7580
  - - C:\Windows\System32\Conhost.exe
      \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
      4⤵
      PID:7604
- C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
  "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4340
- - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
    "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    PID:4568
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:7240
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:7336
- - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
    "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4748
  - - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
      "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      PID:3116
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7200
    - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7260
  - - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
      "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:400
    - - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2892
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7268
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:7344
    - - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        5⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:5108
      - C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        7⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7536
      - C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        6⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4500
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1180
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7876
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7852
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        7⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:548
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:7228
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2464
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        
        PID:7172
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7524
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4104
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2288
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:7412
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "7412" "1920" "1876" "1924" "0" "0" "1928" "0" "0" "0" "0" "0"
        12⤵
        
        PID:1660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        10⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:7756
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:7496
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        11⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:4396
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        13⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "1032" "2360" "2120" "2364" "0" "0" "2368" "0" "0" "0" "0" "0"
        14⤵
        
        PID:5404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        13⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        12⤵
        Checks computer location settings
        Suspicious use of WriteProcessMemory
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        
        PID:8304
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:8384
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        15⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:8316
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        15⤵
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        14⤵
        Checks computer location settings
        
        PID:432
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4884
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8588
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        16⤵
        
        PID:8596
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        15⤵
        Checks computer location settings
        
        PID:3908
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:8296
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        17⤵
        
        PID:8392
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        16⤵
        Checks computer location settings
        
        PID:4380
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:784
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        18⤵
        
        PID:8716
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        17⤵
        
        PID:2656
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8576
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        19⤵
        
        PID:8724
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        18⤵
        Checks computer location settings
        
        PID:3176
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        20⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:8856
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        20⤵
        
        PID:8864
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        19⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        21⤵
        
        PID:8644
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        20⤵
        
        PID:1092
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8908
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:8916
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        22⤵
        
        PID:8788
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        23⤵
        
        PID:8304
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        21⤵
        
        PID:3800
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2496
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        23⤵
        
        PID:8840
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 8840 -s 916
        24⤵
        Program crash
        
        PID:5704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        23⤵
        
        PID:8848
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        22⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        24⤵
        
        PID:9048
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        23⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1300
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        25⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:9004
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        25⤵
        
        PID:9012
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        24⤵
        Checks computer location settings
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9108
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        26⤵
        
        PID:9116
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        25⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4132
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1048
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        27⤵
        
        PID:7804
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7804 -s 252
        28⤵
        Program crash
        
        PID:8816
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        26⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4148
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9064
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        28⤵
        
        PID:8584
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        27⤵
        
        PID:2512
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9236
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 9236 -s 912
        30⤵
        Program crash
        
        PID:11476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        29⤵
        
        PID:9252
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        28⤵
        Checks computer location settings
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        30⤵
        
        PID:3168
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        30⤵
        
        PID:2256
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        29⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4712
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:9628
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        31⤵
        
        PID:9940
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        30⤵
        
        PID:4896
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9656
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        32⤵
        
        PID:9680
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        31⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:9636
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        33⤵
        
        PID:10176
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        32⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5012
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        34⤵
        
        PID:9664
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        33⤵
        Checks computer location settings
        
        PID:2176
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        34⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3076
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        35⤵
        System Location Discovery: System Language Discovery
        
        PID:9512
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        35⤵
        
        PID:9604
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        34⤵
        Checks computer location settings
        
        PID:4768
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3040
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        36⤵
        
        PID:9528
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        35⤵
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        36⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4308
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9520
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        37⤵
        
        PID:9612
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        36⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        38⤵
        
        PID:9644
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        37⤵
        
        PID:2628
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        38⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        39⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:9820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        39⤵
        
        PID:9828
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        38⤵
        
        PID:864
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        40⤵
        
        PID:2680
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        39⤵
        Checks computer location settings
        
        PID:2932
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        40⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:9620
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        41⤵
        
        PID:9932
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        40⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        42⤵
        
        PID:8740
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        41⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        42⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2136
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2524
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        43⤵
        
        PID:9692
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        42⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1044
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        44⤵
        
        PID:3716
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        44⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        43⤵
        
        PID:4496
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        44⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9864
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        45⤵
        
        PID:9876
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        44⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        45⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2228
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        46⤵
        
        PID:10672
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        45⤵
        
        PID:632
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        46⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3268
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        47⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        46⤵
        
        PID:772
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:864
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2836
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        48⤵
        
        PID:1864
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        47⤵
        
        PID:4904
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        48⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:4624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        49⤵
        
        PID:9804
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        49⤵
        
        PID:9816
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        48⤵
        Checks computer location settings
        
        PID:4512
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        49⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4836
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        50⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        50⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        49⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        50⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        51⤵
        System Location Discovery: System Language Discovery
        
        PID:9428
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:4564
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        51⤵
        
        PID:9232
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        50⤵
        
        PID:2832
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        52⤵
        
        PID:9284
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        51⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        52⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        53⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:1676
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        53⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        52⤵
        
        PID:4432
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        53⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1740
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        54⤵
        
        PID:10656
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        53⤵
        Checks computer location settings
        
        PID:4840
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        54⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10700
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        55⤵
        
        PID:10716
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        54⤵
        Checks computer location settings
        
        PID:640
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        55⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3540
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        56⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:10612
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        56⤵
        
        PID:10624
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        55⤵
        Checks computer location settings
        
        PID:3476
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        56⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4688
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10688
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        57⤵
        
        PID:10708
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        56⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        57⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:4432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        58⤵
        
        PID:11212
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "11212" "1252" "1140" "1256" "0" "0" "1260" "0" "0" "0" "0" "0"
        59⤵
        
        PID:3976
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        58⤵
        
        PID:11224
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        57⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        58⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1680
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        59⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10092
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        59⤵
        
        PID:10160
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        58⤵
        Checks computer location settings
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        59⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        60⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        60⤵
        
        PID:10384
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        59⤵
        Checks computer location settings
        
        PID:4452
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        60⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        61⤵
        
        PID:11236
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:11248
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:10452
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        61⤵
        
        PID:11328
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        60⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        61⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:772
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        62⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:11184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        62⤵
        
        PID:11200
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11200 -s 920
        63⤵
        Program crash
        
        PID:12520
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        61⤵
        
        PID:4636
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        62⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:3960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        63⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10792
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        63⤵
        
        PID:10800
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        62⤵
        Checks computer location settings
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        63⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:2832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        64⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10640
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        64⤵
        
        PID:10648
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        63⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        64⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5172
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        65⤵
        Command and Scripting Interpreter: PowerShell
        System Location Discovery: System Language Discovery
        
        PID:11176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:11192
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        65⤵
        
        PID:10636
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        64⤵
        
        PID:5180
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        65⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5248
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        66⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:10088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        66⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        65⤵
        Checks computer location settings
        
        PID:5272
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        66⤵
        Suspicious use of SetThreadContext
        
        PID:5328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        67⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1664
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        67⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        66⤵
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        67⤵
        
        PID:5404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        68⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        68⤵
        
        PID:11536
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        67⤵
        Checks computer location settings
        
        PID:5420
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        68⤵
        System Location Discovery: System Language Discovery
        
        PID:5484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        69⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        69⤵
        
        PID:11036
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        68⤵
        Checks computer location settings
        
        PID:5492
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        69⤵
        
        PID:5560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        70⤵
        
        PID:10080
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        70⤵
        
        PID:10196
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        69⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        70⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5636
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        71⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3176
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:684
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        71⤵
        
        PID:11404
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        70⤵
        Checks computer location settings
        
        PID:5652
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        71⤵
        
        PID:5712
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5712 -s 1040
        72⤵
        Program crash
        
        PID:7964
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        71⤵
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:5788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        73⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        73⤵
        
        PID:11576
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        72⤵
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        73⤵
        
        PID:5864
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        73⤵
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        74⤵
        System Location Discovery: System Language Discovery
        
        PID:5940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        75⤵
        
        PID:11448
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        75⤵
        
        PID:11456
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        74⤵
        
        PID:5952
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        75⤵
        
        PID:6020
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        76⤵
        
        PID:12792
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        75⤵
        Checks computer location settings
        
        PID:6028
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        76⤵
        
        PID:6100
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        76⤵
        
        PID:6108
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        77⤵
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        77⤵
        Checks computer location settings
        
        PID:3248
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        78⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5228 -s 1040
        79⤵
        Program crash
        
        PID:10508
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        78⤵
        
        PID:5220
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        79⤵
        
        PID:5316
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        79⤵
        Checks computer location settings
        
        PID:5320
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        80⤵
        
        PID:5364
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        80⤵
        
        PID:5444
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        81⤵
        
        PID:5524
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        81⤵
        Checks computer location settings
        
        PID:5496
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        82⤵
        System Location Discovery: System Language Discovery
        
        PID:5660
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5660 -s 1040
        83⤵
        Program crash
        
        PID:3896
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        82⤵
        Checks computer location settings
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        83⤵
        System Location Discovery: System Language Discovery
        
        PID:5744
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        83⤵
        Checks computer location settings
        
        PID:5820
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        84⤵
        
        PID:5852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        85⤵
        
        PID:12500
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 12500 -s 904
        86⤵
        Program crash
        
        PID:12624
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        84⤵
        
        PID:5924
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        85⤵
        
        PID:5992
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        85⤵
        Checks computer location settings
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        86⤵
        
        PID:6116
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        86⤵
        Checks computer location settings
        
        PID:6044
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        87⤵
        
        PID:5160
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        87⤵
        
        PID:5188
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        88⤵
        
        PID:5272
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:2820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        89⤵
        
        PID:5940
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        88⤵
        
        PID:5292
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        89⤵
        
        PID:5384
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        89⤵
        Checks computer location settings
        
        PID:5440
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        90⤵
        
        PID:5612
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        90⤵
        Checks computer location settings
        
        PID:5624
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        91⤵
        System Location Discovery: System Language Discovery
        
        PID:5776
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        91⤵
        
        PID:5572
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        92⤵
        System Location Discovery: System Language Discovery
        
        PID:5936
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5936 -s 1040
        93⤵
        Program crash
        
        PID:9204
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        92⤵
        
        PID:5932
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        93⤵
        System Location Discovery: System Language Discovery
        
        PID:6056
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        93⤵
        
        PID:5956
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        94⤵
        System Location Discovery: System Language Discovery
        
        PID:5304
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        94⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        95⤵
        
        PID:5424
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        95⤵
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        96⤵
        
        PID:5768
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5768 -s 1040
        97⤵
        Program crash
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        96⤵
        
        PID:5676
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        97⤵
        System Location Discovery: System Language Discovery
        
        PID:5900
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        97⤵
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        98⤵
        System Location Discovery: System Language Discovery
        
        PID:5920
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5920 -s 1040
        99⤵
        Program crash
        
        PID:8692
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        98⤵
        Checks computer location settings
        
        PID:4204
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        99⤵
        System Location Discovery: System Language Discovery
        
        PID:5212
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5212 -s 1040
        100⤵
        Program crash
        
        PID:8456
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        99⤵
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        100⤵
        
        PID:5440
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        101⤵
        
        PID:12140
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        100⤵
        Checks computer location settings
        
        PID:5396
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:6096
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:1160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        102⤵
        
        PID:5800
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        101⤵
        Checks computer location settings
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        102⤵
        System Location Discovery: System Language Discovery
        
        PID:5376
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5376 -s 1040
        103⤵
        Program crash
        
        PID:9264
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        102⤵
        
        PID:5556
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        103⤵
        
        PID:5916
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        103⤵
        Checks computer location settings
        
        PID:5164
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        104⤵
        System Location Discovery: System Language Discovery
        
        PID:5392
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        104⤵
        
        PID:5836
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        105⤵
        
        PID:3556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3556 -s 1040
        106⤵
        Program crash
        
        PID:8060
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        105⤵
        Checks computer location settings
        
        PID:5368
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        106⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4812 -s 1040
        107⤵
        Program crash
        
        PID:6000
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        106⤵
        Checks computer location settings
        
        PID:2888
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        107⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4472 -s 1040
        108⤵
        Program crash
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        107⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        108⤵
        
        PID:5368
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5368 -s 1040
        109⤵
        Program crash
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        108⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        109⤵
        
        PID:5608
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 5608 -s 1040
        110⤵
        Program crash
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        109⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        110⤵
        
        PID:6188
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6188 -s 1040
        111⤵
        Program crash
        
        PID:7956
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        110⤵
        
        PID:6196
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        111⤵
        
        PID:6264
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6264 -s 1040
        112⤵
        Program crash
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        111⤵
        Checks computer location settings
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        112⤵
        System Location Discovery: System Language Discovery
        
        PID:6348
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6348 -s 1040
        113⤵
        Program crash
        
        PID:12948
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        112⤵
        
        PID:6356
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        113⤵
        
        PID:6432
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6432 -s 1040
        114⤵
        Program crash
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        113⤵
        Checks computer location settings
        
        PID:6448
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        114⤵
        
        PID:6508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6508 -s 1044
        115⤵
        Program crash
        
        PID:7936
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        114⤵
        
        PID:6532
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        115⤵
        
        PID:6588
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6588 -s 1036
        116⤵
        Program crash
        
        PID:7536
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        115⤵
        
        PID:6604
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        116⤵
        
        PID:6664
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6664 -s 1036
        117⤵
        Program crash
        
        PID:3972
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        116⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        117⤵
        
        PID:6740
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6740 -s 1036
        118⤵
        Program crash
        
        PID:3976
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        117⤵
        
        PID:6756
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        118⤵
        
        PID:6816
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6816 -s 1036
        119⤵
        Program crash
        
        PID:7592
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        118⤵
        Checks computer location settings
        
        PID:6832
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        119⤵
        
        PID:6896
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6896 -s 1036
        120⤵
        Program crash
        
        PID:8168
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        119⤵
        Checks computer location settings
        
        PID:6904
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        120⤵
        
        PID:6972
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6972 -s 1036
        121⤵
        Program crash
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        120⤵
        Checks computer location settings
        
        PID:6996
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        121⤵
        
        PID:7048
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7048 -s 1036
        122⤵
        Program crash
        
        PID:8604
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        121⤵
        Checks computer location settings
        
        PID:7072
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        122⤵
        
        PID:7128
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7128 -s 1036
        123⤵
        Program crash
        
        PID:12104
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        122⤵
        
        PID:7144
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        123⤵
        
        PID:5532
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        123⤵
        Checks computer location settings
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        124⤵
        
        PID:6240
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:3528
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:1500
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        125⤵
        
        PID:12736
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        124⤵
        Checks computer location settings
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        125⤵
        
        PID:6364
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6364 -s 1036
        126⤵
        Program crash
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        125⤵
        
        PID:6276
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        126⤵
        
        PID:5736
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        126⤵
        Checks computer location settings
        
        PID:6480
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        127⤵
        
        PID:6552
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        128⤵
        
        PID:3656
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        127⤵
        Checks computer location settings
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        128⤵
        
        PID:6624
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        128⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        129⤵
        
        PID:6780
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        129⤵
        
        PID:6808
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        130⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        130⤵
        
        PID:6944
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        131⤵
        
        PID:7012
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 7012 -s 1036
        132⤵
        Program crash
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        131⤵
        
        PID:7000
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        132⤵
        
        PID:5236
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        132⤵
        Checks computer location settings
        
        PID:5856
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        133⤵
        System Location Discovery: System Language Discovery
        
        PID:3812
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        133⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        134⤵
        
        PID:6460
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        134⤵
        
        PID:6380
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        135⤵
        System Location Discovery: System Language Discovery
        
        PID:6648
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        135⤵
        
        PID:6560
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        136⤵
        
        PID:6580
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        136⤵
        
        PID:6688
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        137⤵
        System Location Discovery: System Language Discovery
        
        PID:6756
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        138⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2148
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6756 -s 1044
        138⤵
        Program crash
        
        PID:8280
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        137⤵
        
        PID:6812
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        138⤵
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        138⤵
        Checks computer location settings
        
        PID:7152
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        139⤵
        
        PID:1228
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        139⤵
        
        PID:7164
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        140⤵
        
        PID:6416
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6416 -s 1008
        141⤵
        Program crash
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        140⤵
        
        PID:6504
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        141⤵
        System Location Discovery: System Language Discovery
        
        PID:6652
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 6652 -s 1036
        142⤵
        Program crash
        
        PID:8148
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        141⤵
        
        PID:6632
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        142⤵
        
        PID:6796
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        142⤵
        
        PID:6856
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        143⤵
        System Location Discovery: System Language Discovery
        
        PID:6952
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        143⤵
        
        PID:7124
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        144⤵
        System Location Discovery: System Language Discovery
        
        PID:6332
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        144⤵
        Checks computer location settings
        
        PID:6200
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        145⤵
        
        PID:6564
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        146⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11636
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        147⤵
        
        PID:4384
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        146⤵
        
        PID:7612
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        145⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        146⤵
        
        PID:7024
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        147⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8580
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        147⤵
        
        PID:13172
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        146⤵
        Checks computer location settings
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        147⤵
        System Location Discovery: System Language Discovery
        
        PID:5856
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        148⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3800
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        148⤵
        
        PID:3244
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        147⤵
        Checks computer location settings
        
        PID:836
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        148⤵
        
        PID:7000
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        149⤵
        
        PID:10860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        149⤵
        
        PID:11712
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        148⤵
        
        PID:6904
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        149⤵
        
        PID:6304
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        150⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:12596
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "12596" "1912" "1860" "1916" "0" "0" "1920" "0" "0" "0" "0" "0"
        151⤵
        
        PID:6932
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        150⤵
        
        PID:13204
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        149⤵
        
        PID:6392
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        150⤵
        
        PID:6400
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        151⤵
        
        PID:12600
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:4624
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        151⤵
        
        PID:9512
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        150⤵
        
        PID:4336
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        151⤵
        
        PID:7204
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        152⤵
        
        PID:10616
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "10616" "1928" "1908" "1932" "0" "0" "1936" "0" "0" "0" "0" "0"
        153⤵
        
        PID:1820
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:12704
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:4088
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:9660
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        152⤵
        
        PID:11076
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        151⤵
        
        PID:7220
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        152⤵
        
        PID:7284
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        153⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:4188
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "4188" "1904" "1120" "1908" "0" "0" "1912" "0" "0" "0" "0" "0"
        154⤵
        
        PID:8000
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        153⤵
        
        PID:3084
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        152⤵
        
        PID:7300
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        153⤵
        
        PID:7360
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        154⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8256
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:12496
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        154⤵
        
        PID:4612
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        153⤵
        
        PID:7384
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        154⤵
        
        PID:7436
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        155⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9300
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        155⤵
        
        PID:5428
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        154⤵
        
        PID:7460
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        155⤵
        
        PID:7512
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        156⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8832
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        156⤵
        
        PID:4720
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        155⤵
        
        PID:7520
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        156⤵
        System Location Discovery: System Language Discovery
        
        PID:7588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        157⤵
        
        PID:12116
        
        C:\Windows\SysWOW64\wermgr.exe
        
        "C:\Windows\system32\wermgr.exe" "-outproc" "0" "12116" "1436" "1268" "1440" "0" "0" "1444" "0" "0" "0" "0" "0"
        158⤵
        
        PID:9184
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        157⤵
        
        PID:6888
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        156⤵
        Checks computer location settings
        
        PID:7604
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        157⤵
        System Location Discovery: System Language Discovery
        
        PID:7664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        158⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:9160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        158⤵
        
        PID:9152
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        157⤵
        Checks computer location settings
        
        PID:7680
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        158⤵
        
        PID:7740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        159⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:8360
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        159⤵
        
        PID:8184
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        158⤵
        Checks computer location settings
        
        PID:7756
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        159⤵
        System Location Discovery: System Language Discovery
        
        PID:7820
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        160⤵
        
        PID:12268
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        160⤵
        
        PID:12400
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        159⤵
        Checks computer location settings
        
        PID:7828
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        160⤵
        System Location Discovery: System Language Discovery
        
        PID:7896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        161⤵
        
        PID:5404
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        161⤵
        
        PID:11760
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        160⤵
        
        PID:7904
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        161⤵
        
        PID:7972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        162⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:5476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        162⤵
        
        PID:13100
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        163⤵
        
        PID:9620
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        161⤵
        
        PID:7988
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        162⤵
        
        PID:8048
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        163⤵
        
        PID:12464
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:6476
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        163⤵
        
        PID:11856
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        162⤵
        
        PID:8064
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        163⤵
        System Location Discovery: System Language Discovery
        
        PID:8124
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        164⤵
        
        PID:11508
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 11508 -s 980
        165⤵
        Program crash
        
        PID:8160
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        164⤵
        
        PID:7776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        165⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        163⤵
        
        PID:8132
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        164⤵
        
        PID:6860
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        165⤵
        
        PID:1640
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        166⤵
        
        PID:6884
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        164⤵
        Checks computer location settings
        
        PID:7028
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:7480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        166⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:6136
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:4568
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        166⤵
        
        PID:7284
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        165⤵
        
        PID:7508
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:8676
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe" Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe';New-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'msconfig.exe' -Value '"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\System Configuration\msconfig.exe.exe"' -PropertyType 'String'
        167⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:11672
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        168⤵
        
        PID:5852
        
        C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        167⤵
        
        PID:5468
        
        C:\Users\Admin\AppData\Local\Temp\TextUtils.exe
        
        "C:\Users\Admin\AppData\Local\Temp\TextUtils.exe"
        166⤵
        
        PID:9020
        
        C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe"
        167⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4836 -s 752
        168⤵
        Program crash
        
        PID:12472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 688 -p 4836 -ip 4836
1⤵
PID:10968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 764 -p 8840 -ip 8840
1⤵
PID:7340

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 9236 -ip 9236
1⤵
PID:9060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 852 -p 8316 -ip 8316
1⤵
PID:10612

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 872 -p 7756 -ip 7756
1⤵
PID:11176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 988 -p 7876 -ip 7876
1⤵
PID:13120

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1064 -p 5532 -ip 5532
1⤵
PID:3428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 848 -p 6580 -ip 6580
1⤵
PID:8356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 824 -p 8636 -ip 8636
1⤵
PID:9140

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1120 -p 8908 -ip 8908
1⤵
PID:10788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1132 -p 5160 -ip 5160
1⤵
PID:6096

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1144 -p 5316 -ip 5316
1⤵
PID:5848

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 692 -p 5524 -ip 5524
1⤵
PID:6716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 564 -p 6332 -ip 6332
1⤵
PID:368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 788 -p 6056 -ip 6056
1⤵
PID:11216

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1152 -p 5384 -ip 5384
1⤵
PID:2244

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 5612 -ip 5612
1⤵
PID:4208

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1052 -p 6648 -ip 6648
1⤵
PID:9408

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 6964 -ip 6964
1⤵
PID:6184

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 6796 -ip 6796
1⤵
PID:8620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1172 -p 1228 -ip 1228
1⤵
PID:13048

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 448 -p 6780 -ip 6780
1⤵
PID:12496

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1056 -p 6952 -ip 6952
1⤵
PID:12948

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 812 -p 6624 -ip 6624
1⤵
PID:7412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1036 -p 3812 -ip 3812
1⤵
PID:4788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 964 -p 5744 -ip 5744
1⤵
PID:8260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1092 -p 6100 -ip 6100
1⤵
PID:10836

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1080 -p 6116 -ip 6116
1⤵
PID:3936

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1168 -p 6460 -ip 6460
1⤵
PID:8248

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 5236 -ip 5236
1⤵
PID:7716

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1172 -p 5364 -ip 5364
1⤵
PID:11900

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 5992 -ip 5992
1⤵
PID:5168

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 732 -p 1552 -ip 1552
1⤵
PID:8428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 676 -p 5776 -ip 5776
1⤵
PID:11060

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 696 -p 5900 -ip 5900
1⤵
PID:9040

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 5304 -ip 5304
1⤵
PID:10356

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1084 -p 5936 -ip 5936
1⤵
PID:6052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 7012 -ip 7012
1⤵
PID:6608

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 7128 -ip 7128
1⤵
PID:9884

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1172 -p 5228 -ip 5228
1⤵
PID:4180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 5864 -ip 5864
1⤵
PID:3624

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 7804 -ip 7804
1⤵
PID:11180

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 6756 -ip 6756
1⤵
PID:7976

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 6264 -ip 6264
1⤵
PID:12556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1128 -p 5608 -ip 5608
1⤵
PID:7972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1036 -p 5368 -ip 5368
1⤵
PID:8488

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 4472 -ip 4472
1⤵
PID:7924

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1132 -p 6432 -ip 6432
1⤵
PID:7024

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 6348 -ip 6348
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 6664 -ip 6664
1⤵
PID:4492

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 488 -p 3556 -ip 3556
1⤵
PID:7520

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 5212 -ip 5212
1⤵
PID:6392

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 452 -p 5768 -ip 5768
1⤵
PID:12108

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 580 -p 4812 -ip 4812
1⤵
PID:7576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 576 -p 6188 -ip 6188
1⤵
PID:6316

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 604 -p 6652 -ip 6652
1⤵
PID:4352

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 612 -p 6364 -ip 6364
1⤵
PID:7972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 632 -p 6416 -ip 6416
1⤵
PID:13284

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 644 -p 6508 -ip 6508
1⤵
PID:7768

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 568 -p 9680 -ip 9680
1⤵
PID:1604

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 596 -p 8184 -ip 8184
1⤵
PID:8200

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 664 -p 9692 -ip 9692
1⤵
PID:7444

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 10624 -ip 10624
1⤵
PID:8680

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 556 -p 12792 -ip 12792
1⤵
PID:540

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 544 -p 10656 -ip 10656
1⤵
PID:5536

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 7612 -ip 7612
1⤵
PID:5312

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1084 -p 11508 -ip 11508
1⤵
PID:5360

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 808 -p 10080 -ip 10080
1⤵
PID:10288

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1048 -p 10176 -ip 10176
1⤵
PID:7888

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1036 -p 12500 -ip 12500
1⤵
PID:7556

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 424 -p 10708 -ip 10708
1⤵
PID:12972

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1076 -p 9232 -ip 9232
1⤵
PID:1528

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1152 -p 11200 -ip 11200
1⤵
PID:7176

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1048 -p 10716 -ip 10716
1⤵
PID:2880

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 1084 -p 5476 -ip 5476
1⤵
PID:10468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 792 -p 9864 -ip 9864
1⤵
PID:9916

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:5952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextUtils.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ultimate-Crack-Pack.exe

Filesize
115KB

MD5
dc6f230a993249cbe632aea3edbbd63e

SHA1
ee67ed14eb647918d0d7ffd11ba7b665eeb19c27

SHA256
a6c001e47fd68b6c97fa484c5c98f918eed5d231bd8f1a4e4ad65af20788118b

SHA512
7e9b46e5d8e8fa609c839d570cf6cf80c7464de553f094e02b6f86e96dc81ce65a1f5f071acd6fadec9d1f4690f48972d4425a7dc2bb0bab7d0588eae81fa5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hwb11jai.gms.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp444F.tmp

Filesize
40KB

MD5
a182561a527f929489bf4b8f74f65cd7

SHA1
8cd6866594759711ea1836e86a5b7ca64ee8911f

SHA256
42aad7886965428a941508b776a666a4450eb658cb90e80fae1e7457fc71f914

SHA512
9bc3bf5a82f6f057e873adebd5b7a4c64adef966537ab9c565fe7c4bb3582e2e485ff993d5ab8a6002363231958fabd0933b48811371b8c155eaa74592b66558

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4530.tmp

Filesize
114KB

MD5
0c1ed087a46b3f71327c7b00a935c342

SHA1
149e32ab98b640229886f9daca5fcf93a6a2ed62

SHA256
ff39b4812a90876b408365be758c698fd40b7f0b2d6591099e021f7d642ff991

SHA512
cc51370dc3ad9ad4c3cd34f18b2c2032d8f9ee8fa90ed8326e40d75c9d9f2c1070170551e4128de2089081c8518f8da048c3c7b9a1bd963b0a21b2f1e64fd3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp455B.tmp

Filesize
48KB

MD5
349e6eb110e34a08924d92f6b334801d

SHA1
bdfb289daff51890cc71697b6322aa4b35ec9169

SHA256
c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a

SHA512
2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4561.tmp

Filesize
20KB

MD5
49693267e0adbcd119f9f5e02adf3a80

SHA1
3ba3d7f89b8ad195ca82c92737e960e1f2b349df

SHA256
d76e7512e496b7c8d9fcd3010a55e2e566881dc6dacaf0343652a4915d47829f

SHA512
b4b9fcecf8d277bb0ccbb25e08f3559e3fc519d85d8761d8ad5bca983d04eb55a20d3b742b15b9b31a7c9187da40ad5c48baa7a54664cae4c40aa253165cbaa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4567.tmp

Filesize
116KB

MD5
f70aa3fa04f0536280f872ad17973c3d

SHA1
50a7b889329a92de1b272d0ecf5fce87395d3123

SHA256
8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8

SHA512
30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp45C2.tmp

Filesize
96KB

MD5
40f3eb83cc9d4cdb0ad82bd5ff2fb824

SHA1
d6582ba879235049134fa9a351ca8f0f785d8835

SHA256
cdd772b00ae53d4050150552b67028b7344bb1d345bceb495151cc969c27a0a0

SHA512
cdd4dbf0b1ba73464cd7c5008dc05458862e5f608e336b53638a14965becd4781cdea595fd6bd18d0bf402dccffd719da292a6ce67d359527b4691dc6d6d4cc2

Download Submit
memory/784-116-0x0000000004AD0000-0x0000000004AF2000-memory.dmp

Filesize
136KB

Download
memory/864-156-0x0000000004D00000-0x0000000004D22000-memory.dmp

Filesize
136KB

Download
memory/1048-974-0x0000000007530000-0x0000000007538000-memory.dmp

Filesize
32KB

Download
memory/1048-937-0x0000000007A40000-0x00000000080BA000-memory.dmp

Filesize
6.5MB

Download
memory/1048-905-0x0000000006C00000-0x0000000006C32000-memory.dmp

Filesize
200KB

Download
memory/1048-906-0x0000000070630000-0x000000007067C000-memory.dmp

Filesize
304KB

Download
memory/1048-916-0x0000000004900000-0x000000000491E000-memory.dmp

Filesize
120KB

Download
memory/1048-917-0x0000000006E40000-0x0000000006EE3000-memory.dmp

Filesize
652KB

Download
memory/1048-973-0x00000000075E0000-0x00000000075FA000-memory.dmp

Filesize
104KB

Download
memory/1048-971-0x00000000074F0000-0x0000000007504000-memory.dmp

Filesize
80KB

Download
memory/1048-968-0x00000000074E0000-0x00000000074EE000-memory.dmp

Filesize
56KB

Download
memory/1048-955-0x00000000074A0000-0x00000000074B1000-memory.dmp

Filesize
68KB

Download
memory/1048-950-0x0000000007340000-0x000000000734A000-memory.dmp

Filesize
40KB

Download
memory/1096-152-0x0000000004B10000-0x0000000004B32000-memory.dmp

Filesize
136KB

Download
memory/1180-93-0x0000000004A20000-0x0000000004A42000-memory.dmp

Filesize
136KB

Download
memory/1472-1-0x0000000000F40000-0x0000000000FA8000-memory.dmp

Filesize
416KB

Download
memory/1472-0-0x00007FFCA3DE3000-0x00007FFCA3DE5000-memory.dmp

Filesize
8KB

Download
memory/1552-238-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/2660-145-0x0000000004E10000-0x0000000004E32000-memory.dmp

Filesize
136KB

Download
memory/3076-143-0x0000000004DC0000-0x0000000004DE2000-memory.dmp

Filesize
136KB

Download
memory/3116-84-0x0000000004DF0000-0x0000000004E12000-memory.dmp

Filesize
136KB

Download
memory/3116-87-0x0000000004FF0000-0x000000000500E000-memory.dmp

Filesize
120KB

Download
memory/3184-153-0x0000000005320000-0x0000000005342000-memory.dmp

Filesize
136KB

Download
memory/4340-20-0x00007FFCA3DE0000-0x00007FFCA48A1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-15-0x00007FFCA3DE0000-0x00007FFCA48A1000-memory.dmp

Filesize
10.8MB

Download
memory/4568-24-0x0000000005940000-0x00000000059B6000-memory.dmp

Filesize
472KB

Download
memory/4568-85-0x00000000056F0000-0x0000000005712000-memory.dmp

Filesize
136KB

Download
memory/4568-19-0x0000000005C20000-0x00000000061C4000-memory.dmp

Filesize
5.6MB

Download
memory/4812-300-0x00000000055B0000-0x00000000055D2000-memory.dmp

Filesize
136KB

Download
memory/5100-86-0x0000000005970000-0x0000000005992000-memory.dmp

Filesize
136KB

Download
memory/5100-23-0x0000000005860000-0x000000000586A000-memory.dmp

Filesize
40KB

Download
memory/5100-21-0x00000000056B0000-0x0000000005742000-memory.dmp

Filesize
584KB

Download
memory/5100-17-0x0000000000CC0000-0x0000000000CE4000-memory.dmp

Filesize
144KB

Download
memory/5100-16-0x000000007453E000-0x000000007453F000-memory.dmp

Filesize
4KB

Download
memory/5228-227-0x0000000005700000-0x0000000005722000-memory.dmp

Filesize
136KB

Download
memory/5328-208-0x0000000004B70000-0x0000000004B92000-memory.dmp

Filesize
136KB

Download
memory/5560-217-0x0000000004CC0000-0x0000000004CE2000-memory.dmp

Filesize
136KB

Download
memory/5660-241-0x0000000004E20000-0x0000000004E42000-memory.dmp

Filesize
136KB

Download
memory/5776-281-0x00000000058D0000-0x00000000058F2000-memory.dmp

Filesize
136KB

Download
memory/6020-233-0x0000000005520000-0x0000000005542000-memory.dmp

Filesize
136KB

Download
memory/6096-289-0x0000000004BA0000-0x0000000004BC2000-memory.dmp

Filesize
136KB

Download
memory/6332-366-0x0000000004DB0000-0x0000000004DD2000-memory.dmp

Filesize
136KB

Download
memory/6460-330-0x0000000005770000-0x0000000005792000-memory.dmp

Filesize
136KB

Download
memory/6588-301-0x0000000004C90000-0x0000000004CB2000-memory.dmp

Filesize
136KB

Download
memory/6796-358-0x00000000053F0000-0x0000000005412000-memory.dmp

Filesize
136KB

Download
memory/6860-575-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/7048-325-0x00000000052F0000-0x0000000005312000-memory.dmp

Filesize
136KB

Download
memory/7200-757-0x0000000006380000-0x0000000006416000-memory.dmp

Filesize
600KB

Download
memory/7200-162-0x0000000005710000-0x0000000005776000-memory.dmp

Filesize
408KB

Download
memory/7200-107-0x0000000004F00000-0x0000000005528000-memory.dmp

Filesize
6.2MB

Download
memory/7200-106-0x00000000024A0000-0x00000000024D6000-memory.dmp

Filesize
216KB

Download
memory/7200-160-0x0000000004EC0000-0x0000000004EE2000-memory.dmp

Filesize
136KB

Download
memory/7200-171-0x0000000005780000-0x0000000005AD4000-memory.dmp

Filesize
3.3MB

Download
memory/7200-426-0x0000000005E90000-0x0000000005EAE000-memory.dmp

Filesize
120KB

Download
memory/7200-759-0x0000000006420000-0x0000000006442000-memory.dmp

Filesize
136KB

Download
memory/7200-758-0x0000000006310000-0x000000000632A000-memory.dmp

Filesize
104KB

Download
memory/7200-161-0x00000000056A0000-0x0000000005706000-memory.dmp

Filesize
408KB

Download
memory/7260-109-0x0000000005190000-0x00000000051DC000-memory.dmp

Filesize
304KB

Download
memory/7260-117-0x0000000005430000-0x000000000553A000-memory.dmp

Filesize
1.0MB

Download
memory/7260-586-0x0000000007800000-0x0000000007D2C000-memory.dmp

Filesize
5.2MB

Download
memory/7260-571-0x0000000007100000-0x00000000072C2000-memory.dmp

Filesize
1.8MB

Download
memory/7260-102-0x00000000055D0000-0x0000000005BE8000-memory.dmp

Filesize
6.1MB

Download
memory/7260-103-0x0000000004FB0000-0x0000000004FC2000-memory.dmp

Filesize
72KB

Download
memory/7260-104-0x0000000005050000-0x000000000508C000-memory.dmp

Filesize
240KB

Download
memory/7260-90-0x0000000000400000-0x000000000041E000-memory.dmp

Filesize
120KB

Download
memory/7480-595-0x0000000005940000-0x0000000005962000-memory.dmp

Filesize
136KB

Download
memory/7512-492-0x0000000004C30000-0x0000000004C52000-memory.dmp

Filesize
136KB

Download