280a84ca1f8ece3fc5af67010041af8c1a1bfa2e34e80961e60312800d37db2c

Resubmissions

05/10/2022, 19:46

221005-yhfc9sfdc4 1

04/10/2022, 14:21

04/10/2022, 14:14

04/10/2022, 09:53

04/10/2022, 07:58

03/10/2022, 15:56

Analysis

max time kernel
2107s
max time network
1773s
platform
windows10-2004_x64
resource
win10v2004-20220812-es
resource tags

arch:x64arch:x86image:win10v2004-20220812-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
03/10/2022, 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

BarTender Enterprise 2021 R5 11.2.166048 Multilingual.zip
Size

766.3MB
MD5

09ea7e2bef5722cdb9ee37a7dab48ff3
SHA1

d4fb2231f80333b1b50e6f790d3b59eb3ff26374
SHA256

280a84ca1f8ece3fc5af67010041af8c1a1bfa2e34e80961e60312800d37db2c
SHA512

eb9d65e42bccf4b700eb51c3f2890ac80f2e61a04ff661cdc3c173ff85a1f8e7f9e1cf2de89fd3517ca0b106240791f60158a7af12a5395b49e5299b22d3bf38
SSDEEP

12582912:whzb6xxr5Ni69eds1tauM0I7j0LFCLw0FEl1oZ+rPAkIYw+oKj7XkFgMKiLVVKYH:whzb639Ni6agtW7ZwU6+8roYwS7dN2jr

Score

8^/10

discovery persistence

Malware Config

Signatures

Drops file in Drivers directory 7 IoCs

description	ioc	Process
File created	C:\Windows\system32\Drivers\RsFx0321.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\RsFx0300.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\RsFx0301.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\RsFx0310.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\RsFx0311.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\RsFx0312.sys	msiexec.exe
File created	C:\Windows\system32\Drivers\RsFx0320.sys	msiexec.exe

Executes dropped EXE 24 IoCs

pid	Process
4972	Setup_x64.exe
4100	Setup_x64.exe
1252	Setup_x64.exe
4296	dismhost.exe
3964	dismhost.exe
1520	sqlwriter.exe
1580	SQLEXPR_x64_ENU.exe
1496	SETUP.EXE
1940	ScenarioEngine.exe
3672	FixSqlRegistryKey_x64.exe
2184	FixSqlRegistryKey_x86.exe
4608	FixSqlRegistryKey_x64.exe
4232	FixSqlRegistryKey_x86.exe
4248	sqlwriter.exe
1884	FixSqlRegistryKey_x64.exe
4552	FixSqlRegistryKey_x86.exe
4260	sqlservr.exe
4976	sqlservr.exe
2668	sqlbrowser.exe
2280	sqlbrowser.exe
1572	sqlservr.exe
4688	sqlservr.exe
4168	dismhost.exe
5036	dismhost.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2E5582D-7771-4777-89A2-90C374777FDB}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{07DE94E0-7D49-4F29-B02F-F5EECB93718D}\InprocServer32\12.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D7EC70B2-6DA1-42CB-8ED5-1A604D1B57D2}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\DTS\\Binn\\DTS.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{034AD88A-55AF-424B-96FF-37AC6CF5688D}\InprocServer32\12.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0EEBC2F1-118A-4E42-82A1-55C61253259D}\InprocServer32\12.0.0.0\Assembly = "Microsoft.SqlServer.TransferLoginsTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27833D52-88A7-43FF-BBB8-993D92BF2054}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3E7F2475-46B6-4E93-A6C1-3763504B97D3}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28C6D9E3-3761-4C47-884A-518A38CB2805}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{975BD5A5-CB0A-4D03-BDB5-7019A0FBC56C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{975BD5A5-CB0A-4D03-BDB5-7019A0FBC56C}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\COM\\sqlwep120.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{0B3A7B75-A9B0-4580-9AA5-1A7DA47AD1CB}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FF3FEC06-FAA6-4874-B061-7BEB17A0C215}\InprocServer32\ThreadingModel = "free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{A58245C3-BCEC-4872-BA19-E4101054BF7B}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{80A062CF-A8C4-4701-A9F4-3B070E4BFCEC}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4A65C18-ABF3-4981-BC9A-EB2CF9DC1D7F}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9345248B-9709-4C04-90C1-0853F8B68EE8}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\DTS\\PipelineComponents\\TxLookup.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C3EC6BC0-D544-47D5-A0F2-2825E47DBE24}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{7CE452F4-F3B9-42CD-95EE-C79AEF24F4C3}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{8ca6fbb1-a53d-4d7c-808f-ac38e25e1e80}\InprocServer32\ThreadingModel = "free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{D25B0C6A-FC76-4169-B045-24C2CEFF0F86}\InprocServer32\12.0.0.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1818FF09-AF4D-4EA8-8C9D-0AB43B5775E5}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D5353B56-34DA-4C97-AC94-722B91013E89}\InprocServer32\Class = "Microsoft.SqlServer.Dts.Runtime.Wrapper.ConnectionManagerAdoNetClass"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{C4A65C18-ABF3-4981-BC9A-EB2CF9DC1D7F}\InprocServer32\Assembly = "Microsoft.SqlServer.DTSRuntimeWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEA54E41-38AD-4402-B986-5E72366883BF}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{24BC3F86-AD7A-4A2D-B55E-A11132D655F4}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7664A6C1-2613-49C8-8835-579C74B8BDA8}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2446DAB2-9843-436B-AEE0-5C47BA67FAB9}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EF0E5837-295D-45A2-93BD-5751BB57F697}\InprocServer32\12.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{71BC64F3-2225-4231-8339-A6FE16F4A04F}\InprocServer32\Assembly = "Microsoft.SqlServer.DTSRuntimeWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{84A010DC-8A4E-425C-8935-19C6E0A538A4}\InprocServer32\Assembly = "Microsoft.SqlServer.DTSRuntimeWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{798B9084-1221-4281-9CED-89654F2ADF8F}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server Compact Edition\\v4.0\\sqlceoledb40.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{60E01B07-DF80-4C9B-B7E3-998D515BBD76}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D25B0C6A-FC76-4169-B045-24C2CEFF0F86}\InprocServer32\12.0.0.0\Class = "Microsoft.SqlServer.Dts.Tasks.TransferErrorMessagesTask.TransferErrorMessagesTask"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5ADC3E0D-2722-4394-9195-0543C18AB53A}\InprocServer32\ThreadingModel = "free"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5F5B1CF-7950-436C-B3BD-E193B1F5E5A5}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\DTS\\Binn\\DTS.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1818FF09-AF4D-4EA8-8C9D-0AB43B5775E5}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A67FF3E-5F04-499C-BEE1-C65CA3BCC939}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{EF0E5837-295D-45A2-93BD-5751BB57F697}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{0B3A7B75-A9B0-4580-9AA5-1A7DA47AD1CB}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server Compact Edition\\v4.0\\sqlceca40.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4F6B1254-7507-43BA-A8B3-E9FF02083699}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9345248B-9709-4C04-90C1-0853F8B68EE8}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{500A81E3-EDFE-45A9-88DA-2A2AECB19B35}\InprocServer32\Class = "Microsoft.SqlServer.Dts.Runtime.Wrapper.ForEachItemEnumeratorClass"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{7CE452F4-F3B9-42CD-95EE-C79AEF24F4C3}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{3329C4EB-0351-4C75-B4D5-BDAC853226D5}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{60E01B07-DF80-4C9B-B7E3-998D515BBD76}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\Shared\\sqlmgmprovider.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{856F4FD7-5BCA-46A7-8C22-0EC572BBE25F}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\DTS\\Binn\\DTSPipeline.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{806835AE-FD04-4870-A1E8-D65535358293}\InprocServer32\Assembly = "MsDtsSrvr, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEA54E41-38AD-4402-B986-5E72366883BF}\InprocServer32\12.0.0.0\Class = "Microsoft.SqlServer.Dts.Runtime.PackageFormatUpdate.VersionUpdate"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{16C5E8E5-3B93-45AE-B266-F53A30110591}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\DTS\\Binn\\DtsConn.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{09DE4B3B-70A8-4417-B879-87E68D0A2916}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{87DFB650-A967-47C4-A6C2-85E816880F0F}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{FFEDAAC9-D6BD-4E6B-90AB-D4D296B5096A}\InprocServer32\ThreadingModel = "Both"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A67FF3E-5F04-499C-BEE1-C65CA3BCC939}\InprocServer32\Assembly = "Microsoft.SqlServer.DTSRuntimeWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54719D66-18CF-463D-A30F-38BB0FD88876}\InprocServer32\Class = "Microsoft.SqlServer.Dts.Runtime.Wrapper.PackageRemote32Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D2E5582D-7771-4777-89A2-90C374777FDB}\InprocServer32\ = "C:\\Windows\\system32\\sqlncli11.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{1BC73A45-2E29-4297-8496-336522098E7C}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{BA5B06BC-5EC0-47EC-BFE8-036AB26C6A02}\InprocServer32\ = "C:\\Program Files\\Microsoft SQL Server\\120\\DTS\\PipelineComponents\\TxRowCount.dll"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{AEA54E41-38AD-4402-B986-5E72366883BF}\InprocServer32\Class = "Microsoft.SqlServer.Dts.Runtime.PackageFormatUpdate.VersionUpdate"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1D1D0CCF-EE18-428F-AF79-512868F3674D}\InprocServer32\12.0.0.0\Class = "Microsoft.SqlServer.Dts.Tasks.ExpressionTask.ExpressionTask"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4B65D6B4-07C1-4A35-9C35-D38A2F249706}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{02102D82-3E9A-48AE-8A3F-AC8C01F4A044}\InprocServer32\Class = "Microsoft.SqlServer.Dts.Runtime.Wrapper.PackageClass"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B34A3D99-7C7E-4192-BC68-4F3D6CBEC91A}\InprocServer32\ = "C:\\Windows\\system32\\mscoree.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{53A0FC2A-0360-4F76-846A-35493E6BA762}\InprocServer32	msiexec.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	rundll32.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\Control Panel\International\Geo\Nation	ScenarioEngine.exe

Loads dropped DLL 64 IoCs

pid	Process
4972	Setup_x64.exe
4972	Setup_x64.exe
4972	Setup_x64.exe
4972	Setup_x64.exe
1436	MsiExec.exe
1436	MsiExec.exe
2684	MsiExec.exe
904	MsiExec.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
4928	rundll32.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
904	MsiExec.exe
4148	rundll32.exe
4148	rundll32.exe
4148	rundll32.exe
2684	MsiExec.exe
904	MsiExec.exe
3776	rundll32.exe
3776	rundll32.exe
3776	rundll32.exe
904	MsiExec.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
2684	MsiExec.exe
2684	MsiExec.exe
2684	MsiExec.exe
1252	Setup_x64.exe
904	MsiExec.exe
3444	rundll32.exe
3444	rundll32.exe
3444	rundll32.exe
904	MsiExec.exe
656	rundll32.exe
656	rundll32.exe
656	rundll32.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe
4296	dismhost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\{82C52A2E-2B10-4059-821F-248F9CDD76B7} = "\"C:\\Users\\Admin\\Desktop\\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\\Setup_x64.exe\" /cmdloc \"HKCU\\Software\\Seagull Scientific AiTemp\\{82C52A2E-2B10-4059-821F-248F9CDD76B7}\""	MsiExec.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\Desktop.ini	ScenarioEngine.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	ScenarioEngine.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\F:	Setup_x64.exe
File opened (read-only)	\??\G:	Setup_x64.exe
File opened (read-only)	\??\N:	Setup_x64.exe
File opened (read-only)	\??\V:	Setup_x64.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	Setup_x64.exe
File opened (read-only)	\??\I:	Setup_x64.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	Setup_x64.exe
File opened (read-only)	\??\W:	Setup_x64.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\O:	Setup_x64.exe
File opened (read-only)	\??\S:	Setup_x64.exe
File opened (read-only)	\??\T:	Setup_x64.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\K:	Setup_x64.exe
File opened (read-only)	\??\R:	Setup_x64.exe
File opened (read-only)	\??\U:	Setup_x64.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	Setup_x64.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	Setup_x64.exe
File opened (read-only)	\??\Y:	Setup_x64.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\J:	Setup_x64.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\E:	Setup_x64.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	Setup_x64.exe
File opened (read-only)	\??\Q:	Setup_x64.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\X:	Setup_x64.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\5EA9411076914705A44E58C3AD6D762C\AUTORUN.INF	SQLEXPR_x64_ENU.exe
File created	C:\5EA9411076914705A44E58C3AD6D762C\AUTORUN.INF	SQLEXPR_x64_ENU.exe

Drops file in System32 directory 52 IoCs

description	ioc	Process
File created	C:\Windows\system32\wbem\AutoRecover\BE6903D761258575FE377B51B20FC262.mof	mofcomp.exe
File created	C:\Windows\system32\fssres.dll	ScenarioEngine.exe
File created	C:\Windows\system32\perfc00C.dat	ScenarioEngine.exe
File created	C:\Windows\system32\perfh010.dat	ScenarioEngine.exe
File created	C:\Windows\system32\perfh011.dat	ScenarioEngine.exe
File created	C:\Windows\system32\wbem\AutoRecover\4AF63F4DD635E4B4302E398CCE4D9129.mof	mofcomp.exe
File created	C:\Windows\system32\msodbcdiag11.dll	msiexec.exe
File created	C:\Windows\system32\1033\sqlnclir11.rll	msiexec.exe
File created	C:\Windows\SysWOW64\msodbcdiag11.dll	msiexec.exe
File created	C:\Windows\SysWOW64\1033\s11ch_msodbcsql.chm	msiexec.exe
File created	C:\Windows\system32\1033\s11ch_msodbcsql.chm	msiexec.exe
File created	C:\Windows\system32\msodbcsql11.dll	msiexec.exe
File created	C:\Windows\SysWOW64\1033\msodbcsqlr11.rll	msiexec.exe
File created	C:\Windows\system32\DTSPipelinePerf120.dll	msiexec.exe
File created	C:\Windows\SysWOW64\sqlncli11.dll	msiexec.exe
File opened for modification	C:\Windows\system32\PerfStringBackup.INI	ScenarioEngine.exe
File created	C:\Windows\system32\perfh007.dat	ScenarioEngine.exe
File created	C:\Windows\system32\perfc00A.dat	ScenarioEngine.exe
File created	C:\Windows\system32\perfc010.dat	ScenarioEngine.exe
File created	C:\Windows\system32\wbem\AutoRecover\805DBDACE5B25CCAC84EAE763BBBC1A8.mof	mofcomp.exe
File created	C:\Windows\system32\perf-MSSQL12.BARTENDER-sqlagtctr.dll	ScenarioEngine.exe
File opened for modification	C:\Windows\SysWOW64\ResourceCleaner.pdb	MsiExec.exe
File created	C:\Windows\system32\PerfStringBackup.TMP	ScenarioEngine.exe
File opened for modification	C:\Windows\system32\SqlServerSpatial120.dll	msiexec.exe
File created	C:\Windows\system32\perf-MSSQL$BARTENDER-sqlctr12.3.6024.0.dll	ScenarioEngine.exe
File created	C:\Windows\system32\perfh00C.dat	ScenarioEngine.exe
File opened for modification	C:\Windows\SysWOW64\symbols\tmp\ResourceCleaner.pdb	MsiExec.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wntdll.pdb	MsiExec.exe
File created	C:\Windows\SysWOW64\1033\s11ch_sqlncli.chm	msiexec.exe
File created	C:\Windows\SysWOW64\msodbcsql11.dll	msiexec.exe
File created	C:\Windows\SysWOW64\perf-MSSQL$BARTENDER-sqlctr12.3.6024.0.dll	ScenarioEngine.exe
File created	C:\Windows\system32\perfc011.dat	ScenarioEngine.exe
File opened for modification	C:\Windows\SysWOW64\tmp\ResourceCleaner.pdb	MsiExec.exe
File created	C:\Windows\system32\1033\s11ch_sqlncli.chm	msiexec.exe
File created	C:\Windows\SysWOW64\1033\sqlnclir11.rll	msiexec.exe
File created	C:\Windows\system32\perfc009.dat	ScenarioEngine.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	MsiExec.exe
File created	C:\Windows\system32\sqlncli11.dll	msiexec.exe
File created	C:\Windows\system32\wbem\AutoRecover\D0FD2FB80E7F342F25E26F4B4C88AF33.mof	mofcomp.exe
File created	C:\Windows\system32\hadrres.dll	ScenarioEngine.exe
File created	C:\Windows\system32\perfc007.dat	ScenarioEngine.exe
File created	C:\Windows\SysWOW64\SQLServerManager12.msc	msiexec.exe
File created	C:\Windows\system32\SQLServerManager12.msc	msiexec.exe
File created	C:\Windows\system32\1033\msodbcsqlr11.rll	msiexec.exe
File created	C:\Windows\system32\wbem\AutoRecover\0950B2C1FF71405362A6117F42C8EABD.mof	mofcomp.exe
File created	C:\Windows\system32\perfh009.dat	ScenarioEngine.exe
File created	C:\Windows\system32\perfh00A.dat	ScenarioEngine.exe
File created	C:\Windows\system32\wbem\AutoRecover\487255C31163B8FBE9DECE1C4151FAB6.mof	mofcomp.exe
File created	C:\Windows\system32\wbem\AutoRecover\D8452C4CD6798BFF011A0FAE2EB2D5B6.mof	mofcomp.exe
File created	C:\Windows\SysWOW64\perf-MSSQL12.BARTENDER-sqlagtctr.dll	ScenarioEngine.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	MsiExec.exe
File created	C:\Windows\system32\SqlServerSpatial120.dll	msiexec.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v4.0\Private\amd64\sqlcecompact40.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\SQLBROWSER.MSP	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\SQLServer2014\1033_ENU_LP\x64\1033\license_Expr.rtf	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\LocalDB\Binn\Resources\1031\msxmlsql.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\MICROSOFT.SQLSERVER.CONFIGURATION.WIZARDFRAMEWORK.XMLSERIALIZERS.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\es\MICROSOFT.SQLSERVER.CONFIGURATION.BOOTSTRAPEXTENSION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\zh-chs\MICROSOFT.SQLSERVER.CONFIGURATION.CONFIGEXTENSION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\it\MICROSOFT.SQLSERVER.CONFIGURATION.MSIEXTENSION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\zh-chs\MICROSOFT.SQLSERVER.CONFIGURATION.INSTALLWIZARDFRAMEWORK.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20221004_093248\RsFx_Cpu64_1.log	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x64\SetupARP.exe.config	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Shared\RsFxInstall\RsFx0301.inf	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\bin\{5082A9F3-AEE5-4639-9BA7-C19661BA7331}sqlca.dll	MsiExec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\sqlsupport_msi\Windows\Gac\Q2BDSRKB.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\de\MICROSOFT.SQLSERVER.CONFIGURATION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\sqlsupport_msi\Windows\winsxs\lrmcncs6.tn2\VRMCNCS6.TN2	ScenarioEngine.exe
File opened for modification	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20221004_093248\SqlSqmShared_Cpu64_1.log	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Install\xpstar.sql	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Resources\1041\odsole70.rll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v4.0\Private\amd64\sqlceca40.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20221004_093248\Datastore\_Scenario_GlobalObjects_DetectPackageIdFilter.xml	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\fr\MICROSOFT.SQLSERVER.CONFIGURATION.INSTALLWIZARDFRAMEWORK.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\ru\MICROSOFT.SQLSERVER.CONFIGURATION.SMO.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\SQLATXSS.DLL	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\LocalDB\Binn\xepkg0.mof	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\80\Tools\Binn\sqlvdi.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\sqlsupport_msi\PFiles\SqlServr\120\Setup\1-l9bmi0\x64\IOXPSKNB.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\sqlsupport_msi\Windows\winsxs\manifest\TEFN04MK.VE6	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\sqlsupport_msi\Windows\winsxs\vlv6b2rp.6fi\ZLV6B2RP.6FI	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\de\MICROSOFT.SQLSERVER.SETUP.CHAINER.WORKFLOW.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\it\MICROSOFT.SQLSERVER.CONFIGURATION.RULESENGINEEXTENSION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\pt\MICROSOFT.SQLSERVER.CONFIGURATION.SMARTSETUPEXTENSION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x64\FusionCheck.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\100\Setup Bootstrap\Release\x64\Microsoft.SqlServer.Configuration.RSExtension.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\100\Setup Bootstrap\Release\x64\Microsoft.SqlServer.Configuration.RSExtension.dll	msiexec.exe
File opened for modification	C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\DATA\MSDBLog.ldf	sqlservr.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20221004_093248\Datastore\Package.xml	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20221004_093248\Datastore\ProductSettings_ClusterNodesStatus_Public.xml	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\ko\LANDINGPAGE.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\ru\MICROSOFT.SQLSERVER.CONFIGURATION.SLPEXTENSION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\SQLServer2014\x64\SetupARP.exe	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server\120\SDK\Assemblies\en\Microsoft.SqlServer.WmiEnum.xml	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\COM\Resources\1033\REPLRES.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\LocalDB\Binn\opends60.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\ja\MICROSOFT.SQLSERVER.CHAINER.EXTENSIONCOMMON.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\120\SDK\Assemblies\en\Microsoft.SqlServer.ConnectionInfo.xml	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\DTS\PipelineComponents\FlatFileSrc.dll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\LocalDB\Binn\Resources\1041\sqlevn70.rll	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\MICROSOFT.SQLSERVER.CONFIGURATION.SETUPEXTENSION.XMLSERIALIZERS.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\MICROSOFT.SQLSERVER.CONFIGURATION.SMARTSETUPEXTENSION.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\zh-cht\MICROSOFT.SQLSERVER.CONFIGURATION.SLPEXTENSION.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\Client SDK\ODBC\110\SDK\Include\msodbcsql.h	msiexec.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\120\SDK\Assemblies\Microsoft.SqlServer.DmfSqlClrWrapper.dll	msiexec.exe
File opened for modification	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20221004_093248\Datastore\_Extension_Agent_AgentLogDllPath.xml	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Log\20221004_093248\Datastore\_Extensions_Msi_PackagesInstallStateProperties.xml	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\sqlsupport_msi\Windows\winsxs\pefn04mk.ve6\2FFN04MK.VE6	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\1033_ENU_LP\x64\Setup\sqlsupport_msi\Windows\winsxs\Policies\u1sw1o0k.9hi\Y1SW1O0K.9HI	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\es\MICROSOFT.SQLSERVER.CONFIGURATION.CLUSTER.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\it\MICROSOFT.SQLSERVER.MANAGEMENT.CONTROLS.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\ko\MICROSOFT.SQLSERVER.CHAINER.INFRASTRUCTURE.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files\Microsoft SQL Server\120\Setup Bootstrap\Update Cache\KB4022619\ServicePack\x64\zh-chs\MICROSOFT.SQLSERVER.CONFIGURATION.SQLENUM.RESOURCES.DLL	ScenarioEngine.exe
File created	C:\Program Files (x86)\Microsoft SQL Server\Client SDK\ODBC\110\SDK\Include\msodbcsql.h	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Templates\mastlog.ldf	msiexec.exe
File created	C:\Program Files\Microsoft SQL Server\120\LocalDB\Binn\Resources\2052\xesqlminpkg.rll	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Installer\SourceHash{8424B163-D1E0-48B7-88A2-C7A61767B3D7}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDE6F.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\assembly\tmp\U89HQRR4\Microsoft.SqlServer.FileSystemTask.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8B035CCA4B6B6D045BB9514286FC740D\12.0.2000\SSIS_dtutil_exe_64	msiexec.exe
File created	C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\DCB13571726C2A64F9E1C79C020E9EA4\12.0.2000\MPT_xe_dll_64	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\3F9A28055EEA9364B97A1C6916AB3713\12.0.2000	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI894F.tmp-\pt\Seagull.InstallWizard.resources.dll	rundll32.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20221004093448768.1	msiexec.exe
File opened for modification	C:\Windows\Installer\e6a46cd.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\DCB13571726C2A64F9E1C79C020E9EA4\12.0.2000\ENG_RE_sqlos_dll_64	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\99376FABDC585554B994F108BE29C153\12.3.6024\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20221004093448784.0\msvcp80.dll	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\DCB13571726C2A64F9E1C79C020E9EA4\12.0.2000\ENG_XTP_VC_msvcp110_64	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20221004093201534.0\msvcp90.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDA04.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI807C.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\763D39D9CC2A8734DB3697FEF37EC687\11.4.7462\F_CENTRAL_msvcr100_x64.BFF61907_AA2D_3A26_8666_98D956A62ABC	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI43E0.tmp	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\8B035CCA4B6B6D045BB9514286FC740D\12.0.2000\SSIS_DTEPkg_dll_64	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\stmp2102	MsiExec.exe
File opened for modification	C:\Windows\WinSxS\InstallTemp\20221004093522096.1	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\tmp\XQ60X0NM\Microsoft.SqlServer.Management.XEventEnum.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\763D39D9CC2A8734DB3697FEF37EC687\11.4.7462\F_CENTRAL_msvcp100_x86.AFA96EB4_FA9F_335C_A7CB_36079407553D	msiexec.exe
File created	C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\Installer\e6a46ea.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\517DC6634FF24B048A4B0AE5D5129A54\12.0.2000\ENG_SEI_sqlwvss_dll_64	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\9A748B1DB60B4624E90F876E1E75E156\12.0.2000	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\8B035CCA4B6B6D045BB9514286FC740D\12.0.2000\SSIS_DTEPkg_dll_64	msiexec.exe
File created	C:\Windows\WinSxS\InstallTemp\20221004093448737.0\x86_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_a53d26c6.cat	msiexec.exe
File created	C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Installer\MSIE248.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\500B6D056D0BF52459B31033E1C2F7BC\12.3.6024	msiexec.exe
File created	C:\Windows\Installer\e6a4717.msp	msiexec.exe
File created	C:\Windows\assembly\tmp\XB69P2HX\Microsoft.SqlServer.TransactSql.ScriptDom.Resources.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\assembly\tmp\ZYYE5P3Z\Microsoft.SqlServer.VSTAScriptingLib.dll	msiexec.exe
File created	C:\Windows\assembly\tmp\C6ZC2VRG\Microsoft.SqlServer.ManagedConnections.dll	msiexec.exe
File created	C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.lock	ngen.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\DCB13571726C2A64F9E1C79C020E9EA4\12.0.2000\ENG_XTP_VC_msobj110_64	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI894F.tmp-\Seagull.InstallWizard.dll	rundll32.exe
File created	C:\Windows\WinSxS\InstallTemp\20221004093448721.0\amd64_Microsoft.VC80.ATL_1fc8b3b9a1e18e3b_8.0.50727.6229_x-ww_d7470ca6.manifest	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3B6.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE989.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.log	ngen.exe
File created	C:\Windows\assembly\tmp\1KRGOYSR\Microsoft.SqlServer.WebServiceTask.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\415D29264A71F304899F1E051FC040D3	msiexec.exe
File created	C:\Windows\assembly\tmp\YZ8AFG68\Microsoft.SqlServer.PolicyEnum.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.log	ngen.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2900	828	WerFault.exe	79

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\AttributesTableCache = a2a0d0ebe5b9334487c068b6b72699c70000000000000000	sqlservr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000007c4a2b5d7b48cb040000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800007c4a2b5d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809007c4a2b5d000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000007c4a2b5d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	sqlservr.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	sqlservr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	sqlservr.exe

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sqlservr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	wermgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sqlservr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sqlservr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sqlservr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sqlservr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	sqlservr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	wermgr.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	wermgr.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	wermgr.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sqlservr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sqlservr.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sqlservr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sqlservr.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2d	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sqlservr.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sqlservr.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sqlservr.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sqlservr.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sqlservr.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sqlservr.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{3A03E94E-4B28-46CE-8DF5-98FCDC39260C}\ProxyStubClsid\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BA5B06BC-5EC0-47EC-BFE8-036AB26C6A02}\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{843EEC79-C3E8-40AE-ABBD-3030DBCA47D1}\ProgID\ = "SQLTaskConnections.SQLTaskConnectionAD.4"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Win32Assemblies\Global\Microsoft.VC80.ATL,version="8.0.50727.1833",publicKeyToken="1fc8b3b9a1e18e3b",processorArchitecture="x86",type="win32" = 5d003d0077006200470064002900300060003800420038005e007e0041006800350074005b0037003e00700052005e007000580049006000510075006f00650038004d006b0062004900640046007700550000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{8407F3FE-7F30-4FFC-B34E-F07E9DAF4041}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{54719D66-18CF-463D-A30F-38BB0FD88876}\InprocServer32\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSSQL.VDI.Server\CurVer\ = "MSSQL.VDI.Server.2"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{07DE94E0-7D49-4F29-B02F-F5EECB93718D}\Implemented Categories	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9F5C585F-2F02-4622-B273-F75D52419D4A}\Implemented Categories\{5F817056-9558-4FC9-B1DE-87FF04E42375}	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8B035CCA4B6B6D045BB9514286FC740D\AuthorizedLUAApp = "0"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Assemblies\Global\Microsoft.SqlServer.TransactSql.ScriptDom.resources,fileVersion="12.0.2000.8",version="12.0.0.0000",culture="ru",publicKeyToken="89845DCD8080CC91",processorArchitecture="MSIL" = 2e0057005d007a004a0058005400350026003f003200450046002b0027006a002700260029002a003e004f0034006a006800360063003d003f0065004000610069007d005d004d0042003f0043002c00440000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{68BCA3B7-406E-4261-AB30-3DB1E090C760}\ = "IDTSOutputCollection100"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{F9B5BD99-3496-4956-960F-D309C161BC21}\1.0\0\win64\ = "C:\\Program Files\\Microsoft SQL Server\\120\\DTS\\Binn\\DataCollectorTasks.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4b87f42c-8d0e-4074-a643-ef2753588924}\DTSInfo	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{A6C13763-F975-4CAD-AAE2-50C691A27018}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SSIS.ProjectConnectionsCreator.2\ = "ProjectConnectionsCreator Class"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SQLTaskConnections.SQLTaskConnectionOD.4\CLSID\ = "{1240A011-EAC5-4904-9069-005642E4A792}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{C3EC6BC0-D544-47D5-A0F2-2825E47DBE24}\TypeLib	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{D15993F9-E814-415C-95F2-B404AAB9119D}\InprocServer32\Assembly = "Microsoft.SqlServer.DTSRuntimeWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\18BD6746362F40C45847AA3D11633C40\SourceList\LastUsedSource = "n;1;C:\\5EA9411076914705A44E58C3AD6D762C\\x64\\setup\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SQLNCLI11.ErrorLookup\ = "SQL Server Native Client 11.0 Error Lookup"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Microsoft.SqlServer.Management.DatabaseMaintenance.DbMaintenanceTSQLExecuteTask\CurVer	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2AD26418-B53F-4C80-973E-23A9FD13F05F}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SQLTaskConnections.SQLTaskConnectionAD.4	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4F6B1254-7507-43BA-A8B3-E9FF02083699}\ProgID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{9345248B-9709-4C04-90C1-0853F8B68EE8}\Programmable	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{54719D66-18CF-463D-A30F-38BB0FD88876}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\DTSAdapter.FlatFileDestination\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{C9D763C3-3207-441B-8A11-D66BDBD4B4B8}\TypeLib	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{18E9A11B-7393-47C5-9D47-687BE04A6B09}\DTSInfo\CurrentVersion = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{BA5B06BC-5EC0-47EC-BFE8-036AB26C6A02}\Implemented Categories	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1CC36899-A0ED-4899-892C-ED1CE92B2438}\InprocServer32\Assembly = "Microsoft.SqlServer.DTSRuntimeWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{30E2AF9E-8832-4297-AF3D-1F4E45E3329B}\Implemented Categories\{62C8FE65-4EBB-45E7-B440-6E39B2CDBF29}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{941CD0E2-AC00-437D-AAEE-C887AA739A60}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{2F51EB90-678D-43DC-9C3D-6C28A3B9FED0}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{271FBE00-45B1-4594-89D2-413CD751D0D6}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{034AD88A-55AF-424B-96FF-37AC6CF5688D}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B1889A56-DFAF-4128-BC46-91143524FC3F}\InprocServer32\ThreadingModel = "Free"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{b5e7a132-a7bd-11d1-84c2-00c04fc21759}\InprocServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{40700425-0080-11d2-851f-00c04fc21759}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{14B4FF30-723B-437C-820B-6B980AAE7E8C}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\DTS.ConnectionManagerOlap.4\ = "DTS Connection Manager for Analysis Services"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9A748B1DB60B4624E90F876E1E75E156\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{783A0BE2-F6D1-4D9A-8595-C26494F511C3}\TypeLib\Version = "1.0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{28C6D9E3-3761-4C47-884A-518A38CB2805}\DTSInfo\TaskType = "NOTOOLBOX"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{9D633BDA-F290-4449-BCCF-D51C8CE5FB8A}	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Microsoft.SqlServer.Replication.ReplicationServer.10\CLSID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B5F5B1CF-7950-436C-B3BD-E193B1F5E5A5}\ = "Package Neutral Class"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{70C1E6E0-BB94-4019-B1B0-50C81BB8D325}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\DCB13571726C2A64F9E1C79C020E9EA4\MPT_AGENT_CORE_MNGD_CNI = "SQL_Engine_Core_Inst"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\CLSID\{CA99D701-E6E7-4db4-A5CC-81541C75188A}\ProgID	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Patches\70C0FBFD871282E4FB6D02DB55CD9012\SourceList\PackageName = "sql_common_core.msp"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\SSIS.Pipeline\CLSID	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{E4CD6BA0-4F7F-4DE8-A71F-A31670C2019F}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{CFC7ADCC-5275-4F89-9DB2-D7BDCAC4BE87}\TypeLib	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{FCFEE18C-244A-4F11-AB79-58DCAE4AA7EE}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{397C2819-8272-4532-AD3A-FB5E43BEAA39}\ExtendedErrors	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.SqlServer.Dts.Tasks.WmiDataReaderTask.WmiDataReaderTask\CurVer\ = "Microsoft.SqlServer.Dts.Tasks.WmiDataReaderTask.WmiDataReaderTask.10"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.SqlServer.Dts.Tasks.TransferJobsTask.TransferJobsTask\CurVer\ = "Microsoft.SqlServer.Dts.Tasks.TransferJobsTask.TransferJobsTask.10"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TxLookup.LookupCache.3\CLSID\ = "{64C374B9-5572-4D23-A87B-C799978FA578}"	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\WOW6432Node\Interface\{189148B4-7134-4E57-93F7-FD5E73B30AA7}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{043D3369-C38C-4175-9B5E-70C12C9FC903}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{294E0FA0-649E-4A8A-8769-3948E4DAE936}\InprocServer32\12.0.0.0\RuntimeVersion = "v4.0.30319"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{27833D52-88A7-43FF-BBB8-993D92BF2054}\ConnectionType = "FLATFILE"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
3696	rundll32.exe
4972	Setup_x64.exe
4972	Setup_x64.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
4076	msiexec.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
1940	ScenarioEngine.exe
2584	MsiExec.exe
2584	MsiExec.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
672	Process not Found
672	Process not Found

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	4952	7zG.exe
Token: 35	4952	7zG.exe
Token: SeSecurityPrivilege	4952	7zG.exe
Token: SeSecurityPrivilege	4952	7zG.exe
Token: SeSecurityPrivilege	4076	msiexec.exe
Token: SeCreateTokenPrivilege	4972	Setup_x64.exe
Token: SeAssignPrimaryTokenPrivilege	4972	Setup_x64.exe
Token: SeLockMemoryPrivilege	4972	Setup_x64.exe
Token: SeIncreaseQuotaPrivilege	4972	Setup_x64.exe
Token: SeMachineAccountPrivilege	4972	Setup_x64.exe
Token: SeTcbPrivilege	4972	Setup_x64.exe
Token: SeSecurityPrivilege	4972	Setup_x64.exe
Token: SeTakeOwnershipPrivilege	4972	Setup_x64.exe
Token: SeLoadDriverPrivilege	4972	Setup_x64.exe
Token: SeSystemProfilePrivilege	4972	Setup_x64.exe
Token: SeSystemtimePrivilege	4972	Setup_x64.exe
Token: SeProfSingleProcessPrivilege	4972	Setup_x64.exe
Token: SeIncBasePriorityPrivilege	4972	Setup_x64.exe
Token: SeCreatePagefilePrivilege	4972	Setup_x64.exe
Token: SeCreatePermanentPrivilege	4972	Setup_x64.exe
Token: SeBackupPrivilege	4972	Setup_x64.exe
Token: SeRestorePrivilege	4972	Setup_x64.exe
Token: SeShutdownPrivilege	4972	Setup_x64.exe
Token: SeDebugPrivilege	4972	Setup_x64.exe
Token: SeAuditPrivilege	4972	Setup_x64.exe
Token: SeSystemEnvironmentPrivilege	4972	Setup_x64.exe
Token: SeChangeNotifyPrivilege	4972	Setup_x64.exe
Token: SeRemoteShutdownPrivilege	4972	Setup_x64.exe
Token: SeUndockPrivilege	4972	Setup_x64.exe
Token: SeSyncAgentPrivilege	4972	Setup_x64.exe
Token: SeEnableDelegationPrivilege	4972	Setup_x64.exe
Token: SeManageVolumePrivilege	4972	Setup_x64.exe
Token: SeImpersonatePrivilege	4972	Setup_x64.exe
Token: SeCreateGlobalPrivilege	4972	Setup_x64.exe
Token: SeCreateTokenPrivilege	4972	Setup_x64.exe
Token: SeAssignPrimaryTokenPrivilege	4972	Setup_x64.exe
Token: SeLockMemoryPrivilege	4972	Setup_x64.exe
Token: SeIncreaseQuotaPrivilege	4972	Setup_x64.exe
Token: SeMachineAccountPrivilege	4972	Setup_x64.exe
Token: SeTcbPrivilege	4972	Setup_x64.exe
Token: SeSecurityPrivilege	4972	Setup_x64.exe
Token: SeTakeOwnershipPrivilege	4972	Setup_x64.exe
Token: SeLoadDriverPrivilege	4972	Setup_x64.exe
Token: SeSystemProfilePrivilege	4972	Setup_x64.exe
Token: SeSystemtimePrivilege	4972	Setup_x64.exe
Token: SeProfSingleProcessPrivilege	4972	Setup_x64.exe
Token: SeIncBasePriorityPrivilege	4972	Setup_x64.exe
Token: SeCreatePagefilePrivilege	4972	Setup_x64.exe
Token: SeCreatePermanentPrivilege	4972	Setup_x64.exe
Token: SeBackupPrivilege	4972	Setup_x64.exe
Token: SeRestorePrivilege	4972	Setup_x64.exe
Token: SeShutdownPrivilege	4972	Setup_x64.exe
Token: SeDebugPrivilege	4972	Setup_x64.exe
Token: SeAuditPrivilege	4972	Setup_x64.exe
Token: SeSystemEnvironmentPrivilege	4972	Setup_x64.exe
Token: SeChangeNotifyPrivilege	4972	Setup_x64.exe
Token: SeRemoteShutdownPrivilege	4972	Setup_x64.exe
Token: SeUndockPrivilege	4972	Setup_x64.exe
Token: SeSyncAgentPrivilege	4972	Setup_x64.exe
Token: SeEnableDelegationPrivilege	4972	Setup_x64.exe
Token: SeManageVolumePrivilege	4972	Setup_x64.exe
Token: SeImpersonatePrivilege	4972	Setup_x64.exe
Token: SeCreateGlobalPrivilege	4972	Setup_x64.exe
Token: SeCreateTokenPrivilege	4972	Setup_x64.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
4952	7zG.exe
4972	Setup_x64.exe
4972	Setup_x64.exe
2340	msiexec.exe
2340	msiexec.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4076 wrote to memory of 1436	4076	msiexec.exe	104
PID 4076 wrote to memory of 1436	4076	msiexec.exe	104
PID 4076 wrote to memory of 1436	4076	msiexec.exe	104
PID 4972 wrote to memory of 2340	4972	Setup_x64.exe	105
PID 4972 wrote to memory of 2340	4972	Setup_x64.exe	105
PID 4972 wrote to memory of 2340	4972	Setup_x64.exe	105
PID 4076 wrote to memory of 2684	4076	msiexec.exe	106
PID 4076 wrote to memory of 2684	4076	msiexec.exe	106
PID 4076 wrote to memory of 2684	4076	msiexec.exe	106
PID 4076 wrote to memory of 904	4076	msiexec.exe	107
PID 4076 wrote to memory of 904	4076	msiexec.exe	107
PID 904 wrote to memory of 4928	904	MsiExec.exe	108
PID 904 wrote to memory of 4928	904	MsiExec.exe	108
PID 904 wrote to memory of 4148	904	MsiExec.exe	109
PID 904 wrote to memory of 4148	904	MsiExec.exe	109
PID 904 wrote to memory of 3776	904	MsiExec.exe	110
PID 904 wrote to memory of 3776	904	MsiExec.exe	110
PID 904 wrote to memory of 3696	904	MsiExec.exe	111
PID 904 wrote to memory of 3696	904	MsiExec.exe	111
PID 2684 wrote to memory of 1252	2684	MsiExec.exe	118
PID 2684 wrote to memory of 1252	2684	MsiExec.exe	118
PID 2684 wrote to memory of 1252	2684	MsiExec.exe	118
PID 904 wrote to memory of 3444	904	MsiExec.exe	119
PID 904 wrote to memory of 3444	904	MsiExec.exe	119
PID 904 wrote to memory of 656	904	MsiExec.exe	120
PID 904 wrote to memory of 656	904	MsiExec.exe	120
PID 656 wrote to memory of 1712	656	rundll32.exe	121
PID 656 wrote to memory of 1712	656	rundll32.exe	121
PID 1712 wrote to memory of 4296	1712	dism.exe	123
PID 1712 wrote to memory of 4296	1712	dism.exe	123
PID 656 wrote to memory of 1080	656	rundll32.exe	126
PID 656 wrote to memory of 1080	656	rundll32.exe	126
PID 1080 wrote to memory of 3964	1080	dism.exe	128
PID 1080 wrote to memory of 3964	1080	dism.exe	128
PID 656 wrote to memory of 3672	656	rundll32.exe	138
PID 656 wrote to memory of 3672	656	rundll32.exe	138
PID 2684 wrote to memory of 4460	2684	MsiExec.exe	140
PID 2684 wrote to memory of 4460	2684	MsiExec.exe	140
PID 2684 wrote to memory of 4460	2684	MsiExec.exe	140
PID 4076 wrote to memory of 2336	4076	msiexec.exe	143
PID 4076 wrote to memory of 2336	4076	msiexec.exe	143
PID 4076 wrote to memory of 2336	4076	msiexec.exe	143
PID 4076 wrote to memory of 4008	4076	msiexec.exe	144
PID 4076 wrote to memory of 4008	4076	msiexec.exe	144
PID 4076 wrote to memory of 4008	4076	msiexec.exe	144
PID 2684 wrote to memory of 3320	2684	MsiExec.exe	145
PID 2684 wrote to memory of 3320	2684	MsiExec.exe	145
PID 2684 wrote to memory of 3320	2684	MsiExec.exe	145
PID 4076 wrote to memory of 5040	4076	msiexec.exe	146
PID 4076 wrote to memory of 5040	4076	msiexec.exe	146
PID 4076 wrote to memory of 3472	4076	msiexec.exe	147
PID 4076 wrote to memory of 3472	4076	msiexec.exe	147
PID 904 wrote to memory of 4776	904	MsiExec.exe	149
PID 904 wrote to memory of 4776	904	MsiExec.exe	149
PID 4776 wrote to memory of 1580	4776	rundll32.exe	150
PID 4776 wrote to memory of 1580	4776	rundll32.exe	150
PID 4776 wrote to memory of 1580	4776	rundll32.exe	150
PID 1580 wrote to memory of 1496	1580	SQLEXPR_x64_ENU.exe	151
PID 1580 wrote to memory of 1496	1580	SQLEXPR_x64_ENU.exe	151
PID 1496 wrote to memory of 2712	1496	SETUP.EXE	153
PID 1496 wrote to memory of 2712	1496	SETUP.EXE	153
PID 1496 wrote to memory of 1892	1496	SETUP.EXE	154
PID 1496 wrote to memory of 1892	1496	SETUP.EXE	154
PID 1496 wrote to memory of 1892	1496	SETUP.EXE	154

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,"C:\Users\Admin\AppData\Local\Temp\BarTender Enterprise 2021 R5 11.2.166048 Multilingual.zip"
1⤵
PID:4820

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 828 -ip 828
1⤵
PID:2392

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 828 -s 2392
1⤵
- Program crash
PID:2900

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3592

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\" -spe -an -ai#7zMap23012:164:7zEvent29602
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4952

C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe
"C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4972
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\system32\msiexec.exe" /i C:\ProgramData\Seagull\Installer\{99937B8D-3B72-49EF-AB3F-45A5EBEAAB75}\BEAAB75\BarTender.msi TRANSFORMS=:3082 AI_SETUPEXEPATH="C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe" SETUPEXEDIR="C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1664634068 "
  2⤵
  - Enumerates connected drives
  - Suspicious use of FindShellTrayWindow
  PID:2340

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Drops file in Drivers directory
- Registers COM server for autorun
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4076
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding D797227BC2CC1A121134C304E36153E2 C
  2⤵
  - Loads dropped DLL
  PID:1436
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding CDF7DA5C85CD0D5088BDB1C914FD82D3 C
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  PID:2684
- - C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe
    "C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe" /groupsextract:103;111; /out:"C:\Users\Admin\AppData\Roaming\Seagull\BarTender\prerequisites" /callbackid:2684
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1252
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Seagull\BarTender\prerequisites\SQL Server Compact 4.0\SSCERuntime_x64-ENU.msi" /q /norestart
    3⤵
    PID:4460
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\system32\msiexec.exe" /i "C:\Users\Admin\AppData\Roaming\Seagull\BarTender\prerequisites\SQL Server LocalDB 2014 SP3\SqlLocalDB_x64.msi" /qn /norestart IACCEPTSQLLOCALDBLICENSETERMS=YES
    3⤵
    PID:3320
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 0011B3D82C10531E9D86AC11DF633AB9 C
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:904
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240855328 2 CustomActions!CustomActions.CustomActions.SilentInstallProperties
    3⤵
    - Loads dropped DLL
    PID:4928
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI44AE.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240862390 74 CustomActions!CustomActions.CustomActions.ForceUpgradeProperty
    3⤵
    - Loads dropped DLL
    PID:4148
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI5A7A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240867968 79 CustomActions!CustomActions.CustomActions.SetInstalledVersion
    3⤵
    - Loads dropped DLL
    PID:3776
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_240872234 84 CustomActions!CustomActions.CustomActions.InstallOptions
    3⤵
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3696
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSI47A5.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241257109 338 CustomActions!CustomActions.CustomActions.ExtractSQLExpress
    3⤵
    - Loads dropped DLL
    PID:3444
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSICC96.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241290390 348 CustomActions!CustomActions.CustomActions.WindowsOptionalFeatures
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:656
  - - C:\Windows\system32\dism.exe
      "C:\Windows\system32\dism.exe" /Online /Get-Features /Format:Table
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Users\Admin\AppData\Local\Temp\142E611F-2786-49A5-BB1B-1122B9195181\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\142E611F-2786-49A5-BB1B-1122B9195181\dismhost.exe {6DD33BAE-3977-45D8-A22D-CC3F1BFC2DF1}
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:4296
  - - C:\Windows\system32\dism.exe
      "C:\Windows\system32\dism.exe" /Online /Enable-Feature /FeatureName:MSMQ-Container /FeatureName:MSMQ-Server /All /NoRestart
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1080
    - - C:\Users\Admin\AppData\Local\Temp\BAADF675-E454-473E-BE2D-DE35F5318C28\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\BAADF675-E454-473E-BE2D-DE35F5318C28\dismhost.exe {97049443-283A-471D-A31A-DA55E1F81833}
        5⤵
        Executes dropped EXE
        
        PID:3964
  - - C:\Windows\Microsoft.Net\Framework64\v4.0.30319\ServiceModelReg.exe
      "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\ServiceModelReg.exe" -r
      4⤵
      PID:3672
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIB981.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_241875312 1458 CustomActions!CustomActions.CustomActions.InstallSQLExpress
    3⤵
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory
    PID:4776
  - - C:\Users\Admin\AppData\Local\Temp\SQLEXPR_x64_ENU.exe
      "C:\Users\Admin\AppData\Local\Temp\SQLEXPR_x64_ENU.exe" /q /ACTION=Install /FEATURES=SQLEngine,FullText /INSTANCENAME=BarTender /SQLSYSADMINACCOUNTS="Builtin\Administrators" "NT AUTHORITY\SYSTEM" /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /ADDCURRENTUSERASSQLADMIN /TCPENABLED=1 /IACCEPTSQLSERVERLICENSETERMS /HIDECONSOLE /SkipInstallerRunCheck /UpdateEnabled=0 /SKIPRULES=RebootRequiredCheck SetupCompatibilityCheck NoRebootPackage
      4⤵
      Executes dropped EXE
      Drops autorun.inf file
      Suspicious use of WriteProcessMemory
      PID:1580
    - - C:\5EA9411076914705A44E58C3AD6D762C\SETUP.EXE
        
        C:\5EA9411076914705A44E58C3AD6D762C\SETUP.EXE /q /ACTION=Install /FEATURES=SQLEngine,FullText /INSTANCENAME=BarTender /SQLSYSADMINACCOUNTS="Builtin\Administrators" "NT AUTHORITY\SYSTEM" /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /ADDCURRENTUSERASSQLADMIN /TCPENABLED=1 /IACCEPTSQLSERVERLICENSETERMS /HIDECONSOLE /SkipInstallerRunCheck /UpdateEnabled=0 /SKIPRULES=RebootRequiredCheck SetupCompatibilityCheck NoRebootPackage
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1496
      - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\caspol.exe
        
        -b
        6⤵
        
        PID:2712
      - C:\Windows\Microsoft.NET\Framework\v2.0.50727\caspol.exe
        
        -b
        6⤵
        
        PID:1892
      - C:\5EA9411076914705A44E58C3AD6D762C\x64\ScenarioEngine.exe
        
        "C:\5EA9411076914705A44E58C3AD6D762C\x64\ScenarioEngine.exe" /WORKFLOW=Install /TIMESTAMP=20221004_093248 /LOGMARKER= /MEDIASOURCE="C:\5EA9411076914705A44E58C3AD6D762C\\" /INSTALLMEDIAPATH="C:\5EA9411076914705A44E58C3AD6D762C\x64\setup\\" /ENU /MEDIALAYOUT="Core" /q /ACTION=Install /FEATURES=SQLEngine,FullText /INSTANCENAME=BarTender /SQLSYSADMINACCOUNTS="Builtin\Administrators" "NT AUTHORITY\SYSTEM" /SQLSVCACCOUNT="NT AUTHORITY\SYSTEM" /ADDCURRENTUSERASSQLADMIN /TCPENABLED=1 /IACCEPTSQLSERVERLICENSETERMS /HIDECONSOLE /SkipInstallerRunCheck /UpdateEnabled=0 /SKIPRULES=RebootRequiredCheck SetupCompatibilityCheck NoRebootPackage /ACTION=Install
        6⤵
        Executes dropped EXE
        Checks computer location settings
        Drops desktop.ini file(s)
        Drops file in System32 directory
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        
        PID:1940
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\z-zk3jud.cmdline"
        7⤵
        
        PID:2896
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFA5D.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFA5C.tmp"
        8⤵
        
        PID:4036
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3aqc40ix.cmdline"
        7⤵
        
        PID:3444
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESFE93.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCFE83.tmp"
        8⤵
        
        PID:3768
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rlsbeyyu.cmdline"
        7⤵
        
        PID:244
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES114.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC113.tmp"
        8⤵
        
        PID:3032
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\_qvk2qru.cmdline"
        7⤵
        
        PID:3556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3A4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC394.tmp"
        8⤵
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nawq1y4f.cmdline"
        7⤵
        
        PID:2984
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES4EC.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC4EB.tmp"
        8⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ziyprb1p.cmdline"
        7⤵
        
        PID:2860
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5F6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5F5.tmp"
        8⤵
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gcphjavh.cmdline"
        7⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9A0.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC99F.tmp"
        8⤵
        
        PID:2652
        
        C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x64.exe
        
        "C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x64.exe" /fix
        7⤵
        Executes dropped EXE
        
        PID:3672
        
        C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x86.exe
        
        "C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x86.exe" /fix
        7⤵
        Executes dropped EXE
        
        PID:2184
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ddr6hqcq.cmdline"
        7⤵
        
        PID:1136
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES23EE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC23ED.tmp"
        8⤵
        
        PID:2940
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mrlws7ki.cmdline"
        7⤵
        
        PID:5048
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES24E8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC24E7.tmp"
        8⤵
        
        PID:4620
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mqr6id6a.cmdline"
        7⤵
        
        PID:4720
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C6A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2C69.tmp"
        8⤵
        
        PID:3612
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\irfndlls.cmdline"
        7⤵
        
        PID:3164
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2CE7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2CE6.tmp"
        8⤵
        
        PID:820
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aotcyszb.cmdline"
        7⤵
        
        PID:1156
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3081.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3080.tmp"
        8⤵
        
        PID:3320
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5tfpj9n3.cmdline"
        7⤵
        
        PID:4636
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3265.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3264.tmp"
        8⤵
        
        PID:2332
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\shgayil0.cmdline"
        7⤵
        
        PID:1516
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES3311.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC3310.tmp"
        8⤵
        
        PID:2040
        
        C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x64.exe
        
        "C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x64.exe" /fix
        7⤵
        Executes dropped EXE
        
        PID:4608
        
        C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x86.exe
        
        "C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x86.exe" /fix
        7⤵
        Executes dropped EXE
        
        PID:4232
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nr8zmnls.cmdline"
        7⤵
        
        PID:2432
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES482F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC482E.tmp"
        8⤵
        
        PID:4760
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\x_1hrnin.cmdline"
        7⤵
        
        PID:3552
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5186.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5185.tmp"
        8⤵
        
        PID:772
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nhihn1vn.cmdline"
        7⤵
        
        PID:952
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES5A31.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC5A30.tmp"
        8⤵
        
        PID:4656
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\p7gk0xyc.cmdline"
        7⤵
        
        PID:1596
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES677F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC677E.tmp"
        8⤵
        
        PID:4556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oyshl3ca.cmdline"
        7⤵
        
        PID:3608
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES68B7.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC68B6.tmp"
        8⤵
        
        PID:1488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\onpq50m0.cmdline"
        7⤵
        
        PID:1132
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES69B1.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC69B0.tmp"
        8⤵
        
        PID:2564
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\bt-gllgi.cmdline"
        7⤵
        
        PID:4244
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7133.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7132.tmp"
        8⤵
        
        PID:444
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xzopu1zb.cmdline"
        7⤵
        
        PID:4988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7375.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7374.tmp"
        8⤵
        
        PID:1204
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\67-u8pld.cmdline"
        7⤵
        
        PID:4652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES7412.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC7411.tmp"
        8⤵
        
        PID:216
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n_bqqyre.cmdline"
        7⤵
        
        PID:3356
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8C0E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8C0D.tmp"
        8⤵
        
        PID:1148
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\twaiwnop.cmdline"
        7⤵
        
        PID:3508
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8E21.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8E20.tmp"
        8⤵
        
        PID:1264
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\elkrnmy_.cmdline"
        7⤵
        
        PID:4788
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES8F1B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC8F1A.tmp"
        8⤵
        
        PID:4696
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\oxfpummc.cmdline"
        7⤵
        
        PID:3892
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9015.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9014.tmp"
        8⤵
        
        PID:3556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7t7sedyd.cmdline"
        7⤵
        
        PID:1988
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES913E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC913D.tmp"
        8⤵
        
        PID:3640
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\y-_5pgkz.cmdline"
        7⤵
        
        PID:1172
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES91FA.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC91F9.tmp"
        8⤵
        
        PID:2556
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\synn0pqc.cmdline"
        7⤵
        
        PID:4584
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC92E3.tmp"
        8⤵
        
        PID:2652
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qedz8xkf.cmdline"
        7⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES93DE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC93DD.tmp"
        8⤵
        
        PID:5068
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rabtomil.cmdline"
        7⤵
        
        PID:4168
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES94E8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC94E7.tmp"
        8⤵
        
        PID:3328
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\jjwa_mox.cmdline"
        7⤵
        
        PID:4968
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES95D2.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC95D1.tmp"
        8⤵
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mva1zg--.cmdline"
        7⤵
        
        PID:1600
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES96EB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC96EA.tmp"
        8⤵
        
        PID:4996
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3a40zgfb.cmdline"
        7⤵
        
        PID:2892
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9D44.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9D43.tmp"
        8⤵
        
        PID:924
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\srwushrs.cmdline"
        7⤵
        
        PID:2280
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA255.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA245.tmp"
        8⤵
        
        PID:3312
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\t8u575n8.cmdline"
        7⤵
        
        PID:4852
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA35F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCA35E.tmp"
        8⤵
        
        PID:2124
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1424
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:3564
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:780
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:568
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:2184
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1356
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:4608
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1996
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:944
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:4080
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1748
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:392
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:2584
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:3824
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1380
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:3732
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        Drops file in Windows directory
        
        PID:4860
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:3836
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:3508
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:3544
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1376
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:2488
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:2184
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:4420
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:384
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1712
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:2532
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        Drops file in Windows directory
        
        PID:4252
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:4852
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:1344
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:4604
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue pause
        7⤵
        
        PID:3928
        
        C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe" queue continue
        7⤵
        
        PID:4152
        
        C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
        
        "C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe" queue continue
        7⤵
        
        PID:1680
        
        C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x64.exe
        
        "C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x64.exe" /fix
        7⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x86.exe
        
        "C:\5EA9411076914705A44E58C3AD6D762C\x64\FixSqlRegistryKey_x86.exe" /fix
        7⤵
        Executes dropped EXE
        
        PID:4552
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\res26n9o.cmdline"
        7⤵
        
        PID:1376
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES80B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC80A.tmp"
        8⤵
        
        PID:4044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\2apxqiex.cmdline"
        7⤵
        
        PID:4860
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES943.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC942.tmp"
        8⤵
        
        PID:3180
        
        C:\Windows\system32\WBEM\mofcomp.exe
        
        "C:\Windows\system32\WBEM\mofcomp.exe" "C:\Program Files (x86)\Microsoft SQL Server\120\Shared\sqlmgmproviderxpsp2up.mof"
        7⤵
        Drops file in System32 directory
        
        PID:4504
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rhul1mat.cmdline"
        7⤵
        
        PID:1144
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1902.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1901.tmp"
        8⤵
        
        PID:3540
        
        C:\Windows\system32\WBEM\mofcomp.exe
        
        "C:\Windows\system32\WBEM\mofcomp.exe" "C:\Program Files (x86)\Microsoft SQL Server\120\Shared\1033\sqlmgmprovider.mfl"
        7⤵
        Drops file in System32 directory
        
        PID:1116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\anvxmmvl.cmdline"
        7⤵
        
        PID:4040
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1A4B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1A4A.tmp"
        8⤵
        
        PID:4932
        
        C:\Windows\system32\unlodctr.exe
        
        "C:\Windows\system32\unlodctr.exe" /m:hkengperfctr.xml
        7⤵
        
        PID:2760
        
        C:\Windows\system32\lodctr.exe
        
        "C:\Windows\system32\lodctr.exe" /m:hkengperfctr.xml
        7⤵
        
        PID:4800
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\edf51rvm.cmdline"
        7⤵
        
        PID:5116
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1EFE.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1EFD.tmp"
        8⤵
        
        PID:1996
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\eooo4xcb.cmdline"
        7⤵
        
        PID:3856
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1FE8.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC1FE7.tmp"
        8⤵
        
        PID:4472
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rut4ktlm.cmdline"
        7⤵
        
        PID:2324
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES2C9A.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC2C99.tmp"
        8⤵
        
        PID:4564
        
        C:\Windows\system32\WBEM\mofcomp.exe
        
        "C:\Windows\system32\WBEM\mofcomp.exe" "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Sqlwep-uni.mof.transformed"
        7⤵
        Drops file in System32 directory
        
        PID:2496
        
        C:\Windows\system32\WBEM\mofcomp.exe
        
        "C:\Windows\system32\WBEM\mofcomp.exe" "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\xesqlpkg.mof"
        7⤵
        Drops file in System32 directory
        
        PID:2144
        
        C:\Windows\system32\WBEM\mofcomp.exe
        
        "C:\Windows\system32\WBEM\mofcomp.exe" "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\xesqlminpkg.mof"
        7⤵
        Drops file in System32 directory
        
        PID:5052
        
        C:\Windows\system32\WBEM\mofcomp.exe
        
        "C:\Windows\system32\WBEM\mofcomp.exe" "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\xesospkg.mof"
        7⤵
        Drops file in System32 directory
        
        PID:4004
        
        C:\Windows\system32\WBEM\mofcomp.exe
        
        "C:\Windows\system32\WBEM\mofcomp.exe" "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\xepkg0.mof"
        7⤵
        Drops file in System32 directory
        
        PID:976
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\btljskfi.cmdline"
        7⤵
        
        PID:1416
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6454.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6453.tmp"
        8⤵
        
        PID:3272
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vhflxlvl.cmdline"
        7⤵
        
        PID:2328
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES65CB.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC65CA.tmp"
        8⤵
        
        PID:4412
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\nwzclowq.cmdline"
        7⤵
        
        PID:3436
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6AAD.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6AAC.tmp"
        8⤵
        
        PID:4524
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\hueb7rko.cmdline"
        7⤵
        
        PID:4812
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6EA4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6E94.tmp"
        8⤵
        
        PID:2120
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\d9kyuxn4.cmdline"
        7⤵
        
        PID:5020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F02.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC6F01.tmp"
        8⤵
        
        PID:1020
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\n-o6b6eh.cmdline"
        7⤵
        
        PID:5028
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES729C.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC729B.tmp"
        8⤵
        
        PID:5108
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\7n3adynv.cmdline"
        7⤵
        
        PID:2568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES9249.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC9248.tmp"
        8⤵
        
        PID:1568
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kswse8yu.cmdline"
        7⤵
        
        PID:4128
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES92D6.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC92D5.tmp"
        8⤵
        
        PID:5044
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\o6guvufd.cmdline"
        7⤵
        
        PID:2488
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCBA9.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCCBA8.tmp"
        8⤵
        
        PID:3844
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0DBA4D96C781A2483CD556369247B915
  2⤵
  PID:2336
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A8DB9856EDC3DC22C42286C215C7B353 E Global\MSI0000
  2⤵
  PID:4008
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 85ACD2BAE60F4493D4A39F8E97776BD8
  2⤵
  PID:5040
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding B132454390C14C7AF6EDB70C576703C4 E Global\MSI0000
  2⤵
  PID:3472
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding BE2B71806202121895C0B48ED1DDB6A9
  2⤵
  PID:1500
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.GridControl, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1 /NoDependencies
    3⤵
    PID:856
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.GridControl, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1 /NoDependencies
    3⤵
    PID:2796
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 94ED16BAF672753C024C4B30BEE5AFB2
  2⤵
  PID:2568
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding D635694FDC8479987405DEFA5783BEBF E Global\MSI0000
  2⤵
  PID:1004
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F4B807783984B4F0C7456D00C150D9D5
  2⤵
  PID:3356
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 13E234208ACAFC0707334F1941702161 E Global\MSI0000
  2⤵
  PID:1572
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 6533CCDCDAF0F42AF961F555C515F056 E Global\MSI0000
  2⤵
  PID:1464
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding EE1E9D47F60AD139A2D4D75AED6348D7
  2⤵
  PID:3672
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding ABFB7A38CB6E4632D0EDE20474E43FAD
  2⤵
  PID:4440
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4555C030FA4B3A21085BD891E2191F79 E Global\MSI0000
  2⤵
  PID:3292
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 3409F7F56DA72488064434274B94CF99
  2⤵
  PID:1820
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 2880C262C073FA56313E84115A040459 E Global\MSI0000
  2⤵
  PID:384
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding AE884BE9C361647A434B992755DA7870
  2⤵
  PID:312
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding D5C712534B5933CBF863E3E7CA0EB1EF
  2⤵
  PID:3892
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.GridControl, Version=10.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:2280
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.GridControl, Version=10.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1 /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:4456
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 48A11666048DE295169296910CD31284
  2⤵
  PID:4684
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 84F0A0AA385F3AFC7358406F907B624D E Global\MSI0000
  2⤵
  PID:1464
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 38EB93579B0239814B62E02243A3E5D2
  2⤵
  PID:4804
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.DataWarehouse.Interfaces, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:4244
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.AnalysisServices, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4784
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.OlapEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2144
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.OlapEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4408
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Diagnostics.STrace, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:2984
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlTDiagM, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:2556
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Diagnostics.STrace, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:1352
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlTDiagM, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:5028
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Smo, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:4040
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4492
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.WmiEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3672
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.BatchParser, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4644
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ConnectionInfo, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3416
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ConnectionInfoExtended, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4548
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.RegSvrEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3572
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ServiceBrokerEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4824
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SmoExtended, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4116
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlClrProvider, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:2332
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.PolicyEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:976
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.BatchParserClient, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:2624
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Smo, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3292
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:944
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.WmiEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4024
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.BatchParser, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3212
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ConnectionInfo, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:2348
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ConnectionInfoExtended, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:2760
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.RegSvrEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:2000
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ServiceBrokerEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2836
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SmoExtended, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:2036
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlClrProvider, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:2896
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.PolicyEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4296
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.BatchParserClient, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:1624
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SString, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4532
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SString, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:1664
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.Sdk.Sfc, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4560
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlWmiManagement, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4620
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.Sdk.Sfc, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:1304
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlWmiManagement, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4064
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DataStorage, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3416
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DlgGrid, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1996
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.MultiServerConnection, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3572
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DataStorage, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4824
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DlgGrid, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4116
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.MultiServerConnection, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4324
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.HelpViewer, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3864
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.HelpViewer, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4984
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3DBD13156697483EE73221E68A1DF25E E Global\MSI0000
  2⤵
  PID:4852
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding FE7C1E7662DF9154D63FE84CC732C2DB
  2⤵
  PID:1516
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding A1DC1970F6521F93E460BEF029A26ED3 E Global\MSI0000
  2⤵
  PID:2348
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding C33EA44DF61D5747426B326EF49D82A1
  2⤵
  PID:4364
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding E949F3C42DC15DFD378D165489DD23F6 E Global\MSI0000
  2⤵
  PID:3180
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 081DB8083D3ABA55EF4C8023F7A3F078
  2⤵
  PID:1664
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 388D2F78F0451AC1737E8F986BEB2988
  2⤵
  PID:4064
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.FileSystemTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1596
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.MaintenancePlanTasks, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1440
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ExpressionTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4360
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.WMIDRTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4260
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.WMIEWTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4452
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.TransferDatabasesTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3928
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.TransferErrorMessagesTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2884
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.TransferJobsTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2984
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.TransferLoginsTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3664
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.TransferStoredProceduresTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3256
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.XMLTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1016
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.PipelineXML, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3444
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.PipelineHost, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1116
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.PackageFormatUpdate, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1684
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ManagedDTS, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1664
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DTSRuntimeWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:4924
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SQLTaskConnectionsWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1204
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SQLTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:3980
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\SDK\Assemblies\Microsoft.SqlServer.ServiceBrokerEnum.dll" /verbose /queue:3
    3⤵
    PID:3856
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\SDK\Assemblies\Microsoft.SqlServer.Replication.dll" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:4688
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.HadrDMF, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4252
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.SmartAdminPolicies, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:3436
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.HadrDMF, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:1448
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Management.SmartAdminPolicies, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:1
    3⤵
    PID:4928
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.FileSystemTask.dll" /verbose /queue:3
    3⤵
    PID:4984
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.MaintenancePlanTasks.dll" /verbose /queue:3
    3⤵
    PID:1788
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.ExpressionTask.dll" /verbose /queue:3
    3⤵
    PID:1392
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.WebServiceTask.dll" /verbose /queue:3
    3⤵
    PID:4024
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.WMIDRTask.dll" /verbose /queue:3
    3⤵
    PID:4060
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.WMIEWTask.dll" /verbose /queue:3
    3⤵
    PID:4888
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.WebServiceTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2644
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.TransferObjectsTask, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:444
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.TransferObjectsTask.dll" /verbose /queue:3
    3⤵
    PID:3816
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.TransferDatabasesTask.dll" /verbose /queue:3
    3⤵
    PID:1500
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.TransferErrorMessagesTask.dll" /verbose /queue:3
    3⤵
    PID:312
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.TransferJobsTask.dll" /verbose /queue:3
    3⤵
    PID:1264
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.TransferLoginsTask.dll" /verbose /queue:3
    3⤵
    PID:1708
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.TransferStoredProceduresTask.dll" /verbose /queue:3
    3⤵
    PID:1624
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.XmlTask.dll" /verbose /queue:3
    3⤵
    PID:1080
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.SqlCEDest, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1792
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ADONETSrc, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3444
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ADONETDest, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1116
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.XmlSrc, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2280
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\PipelineComponents\Microsoft.SqlServer.SqlCEDest.dll" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:2184
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\PipelineComponents\Microsoft.SqlServer.ADONETSrc.dll" /verbose /queue:3
    3⤵
    PID:3900
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\PipelineComponents\Microsoft.SqlServer.ADONETDest.dll" /verbose /queue:3
    3⤵
    PID:2324
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\PipelineComponents\Microsoft.SqlServer.XMLSrc.dll" /verbose /queue:3
    3⤵
    PID:4616
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\Microsoft.SqlServer.PipelineXML.dll" /verbose /queue:3
    3⤵
    PID:3708
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DTSPipelineWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2552
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\DTEParseMgd.dll" /verbose /queue:3
    3⤵
    PID:3396
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "DTEParseMgd, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1316
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\ForEachEnumerators\Microsoft.SqlServer.ForEachSMOEnumerator.dll" /verbose /queue:3
    3⤵
    PID:1404
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\ForEachEnumerators\Microsoft.SqlServer.ForEachAdoEnumerator.dll" /verbose /queue:3
    3⤵
    PID:560
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\ForEachEnumerators\Microsoft.SqlServer.ForEachNodeListEnumerator.dll" /verbose /queue:3
    3⤵
    PID:1876
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\ForEachEnumerators\Microsoft.SqlServer.ForEachFromVarEnumerator.dll" /verbose /queue:3
    3⤵
    PID:4148
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\Microsoft.SqlServer.ForEachFileEnumeratorWrap.dll" /verbose /queue:3
    3⤵
    PID:4712
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ForEachSMOEnumerator, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1612
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ForEachADOEnumerator, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:2664
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ForEachNodeListEnumerator, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:316
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ForEachFromVarEnumerator, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3044
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ForEachFileEnumeratorWrap, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:4604
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\Microsoft.SqlServer.PackageFormatUpdate.dll" /verbose /queue:3
    3⤵
    PID:1680
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.VSTAScriptingLib, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:1032
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.IntegrationServices.VSTA, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:772
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Connections\Microsoft.SqlServer.ManagedConnections.dll" /verbose /queue:3
    3⤵
    PID:212
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\Microsoft.SqlServer.DtsMsg.dll" /verbose /queue:3
    3⤵
    PID:2896
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\Microsoft.SqlServer.DTEnum.dll" /verbose /queue:3
    3⤵
    PID:3332
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\Microsoft.SqlServer.DTSUtilities.dll" /verbose /queue:3
    3⤵
    PID:2124
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\Microsoft.SqlServer.SQLTaskConnectionsWrap.dll" /verbose /queue:3
    3⤵
    PID:2252
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DtsMsg, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3328
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DTEnum, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:4560
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.DTSUtilities, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:1628
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.ManagedConnections, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3260
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Msxml6_interop, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3900
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.SQLTask.dll" /verbose /queue:3
    3⤵
    PID:712
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Binn\DTSWizard.exe" /verbose /queue:3
    3⤵
    PID:3368
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.Dts.Design, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:3408
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.DataTransformationServices.Controls, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:5040
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\PowerShell\Modules\SQLPS\Microsoft.SqlServer.Management.PSProvider.dll" /verbose /queue:1
    3⤵
    PID:4136
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\PowerShell\Modules\SQLPS\Microsoft.SqlServer.Management.PSSnapins.dll" /verbose /queue:1
    3⤵
    PID:3240
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\PowerShell\Modules\SQLPS\Microsoft.SqlServer.Management.CloudAdapter.Client.dll" /verbose /queue:1
    3⤵
    PID:3592
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\PowerShell\Modules\SQLPS\Microsoft.SqlServer.Management.CloudAdapter.Data.dll" /verbose /queue:1
    3⤵
    PID:4852
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\ManagementStudio\Microsoft.SqlServer.Management.PowerShellTasks.dll" /verbose /queue:1
    3⤵
    PID:856
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\SQLPS.exe" /verbose /queue:1
    3⤵
    PID:924
- - C:\Windows\Microsoft.Net\Framework\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files (x86)\Microsoft SQL Server\120\Tools\Binn\SQLPS.exe.config" /verbose /queue:1
    3⤵
    - Drops file in Windows directory
    PID:1596
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\120\DTS\Tasks\Microsoft.SqlServer.Management.CollectorTasks.dll" /verbose /queue:3
    3⤵
    PID:2428
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "Microsoft.SqlServer.IntegrationServices.VSTA.VSTA11, Version=12.0.0.0, Culture=neutral, PublicKeyToken=89845dcd8080cc91" /verbose /queue:3
    3⤵
    PID:4360
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 4E975E47A6C793B63BC3CA2A906480AF E Global\MSI0000
  2⤵
  PID:3480
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding F1A7EAD21C5D3659B3D8A40324734AD2
  2⤵
  PID:4452
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Microsoft.SqlAutoAdmin.SqlAutoAdmin.dll" /verbose /queue:1
    3⤵
    PID:2376
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Microsoft.SqlAutoAdmin.AutoBackupAgent.dll" /verbose /queue:1
    3⤵
    PID:1792
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Microsoft.SqlServer.XE.Core.dll" /verbose /queue:1
    3⤵
    PID:3444
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Microsoft.SqlServer.XEvent.dll" /verbose /queue:1
    3⤵
    PID:2336
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Microsoft.SqlServer.XEvent.Configuration.dll" /verbose /queue:1
    3⤵
    PID:4788
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Microsoft.SqlServer.XEvent.Linq.dll" /verbose /queue:1
    3⤵
    PID:3452
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\Microsoft.SqlServer.XEvent.Targets.dll" /verbose /queue:1
    3⤵
    PID:1996
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\performancecounter.dll" /verbose /queue:3
    3⤵
    - Drops file in Windows directory
    PID:2324
- - C:\Windows\Microsoft.Net\Framework64\v2.0.50727\ngen.exe
    ngen.exe install "C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqltoolsmailutilities.dll" /verbose /queue:3
    3⤵
    PID:2244
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 340F1B0EE018451A36AD6716DACBAD16 E Global\MSI0000
  2⤵
  PID:5084
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 9A2A6B8D2EEF2C1C14C7BD539A269508
  2⤵
  PID:4844
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 77CB28A308A7240EC0924B1F41522289 E Global\MSI0000
  2⤵
  PID:540
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding CD8A52DD262A510260384121F061FD56
  2⤵
  - Drops file in Program Files directory
  PID:3488
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 87ACC872B2E210433780DA5F49B74322 E Global\MSI0000
  2⤵
  PID:3160
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 929583F19548A04C026AF9CF12673D02
  2⤵
  PID:3628
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 3D724DC53192D7BB2E0DE9A6D311B587
  2⤵
  - Drops file in Windows directory
  PID:3472
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI822A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242254156 19043 CustomActions!CustomActions.CustomActions.SilentInstallProperties
    3⤵
    PID:2536
- - C:\Windows\system32\rundll32.exe
    rundll32.exe "C:\Windows\Installer\MSI894F.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_242255937 19048 CustomActions!CustomActions.CustomActions.WindowsOptionalFeatures
    3⤵
    - Drops file in Windows directory
    PID:2664
  - - C:\Windows\system32\dism.exe
      "C:\Windows\system32\dism.exe" /Online /Get-Features /Format:Table
      4⤵
      PID:2220
    - - C:\Users\Admin\AppData\Local\Temp\DDB44DAD-693B-4311-9F4D-050910F3A258\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\DDB44DAD-693B-4311-9F4D-050910F3A258\dismhost.exe {EA90CC2C-7941-48CE-8528-2873CAE39A3C}
        5⤵
        Executes dropped EXE
        
        PID:4168
  - - C:\Windows\system32\dism.exe
      "C:\Windows\system32\dism.exe" /Online /Enable-Feature /FeatureName:MSMQ-Container /FeatureName:MSMQ-Server /All /NoRestart
      4⤵
      PID:1372
    - - C:\Users\Admin\AppData\Local\Temp\EE1B6004-597C-4183-81A2-A52FEF889567\dismhost.exe
        
        C:\Users\Admin\AppData\Local\Temp\EE1B6004-597C-4183-81A2-A52FEF889567\dismhost.exe {72B92781-5D4A-488B-9D38-617B029F469B}
        5⤵
        Executes dropped EXE
        
        PID:5036
  - - C:\Windows\Microsoft.Net\Framework64\v4.0.30319\ServiceModelReg.exe
      "C:\Windows\Microsoft.Net\Framework64\v4.0.30319\ServiceModelReg.exe" -r
      4⤵
      PID:952
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding EE3DA9658AEAC481438F4DEC9C5DC7EA E Global\MSI0000
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{74112358-5FB7-49A0-AD8A-EDB6916A3FAC}.bat"
    3⤵
    PID:4324
  - - C:\Windows\SysWOW64\chcp.com
      chcp 65001
      4⤵
      PID:2128
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{74112358-5FB7-49A0-AD8A-EDB6916A3FAC}.bat"
    3⤵
    PID:444
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{74112358-5FB7-49A0-AD8A-EDB6916A3FAC}.bat"
    3⤵
    PID:4724
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{74112358-5FB7-49A0-AD8A-EDB6916A3FAC}.bat"
    3⤵
    PID:1720
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{74112358-5FB7-49A0-AD8A-EDB6916A3FAC}.bat"
    3⤵
    PID:216
- - C:\Windows\SysWOW64\cmd.exe
    /C "C:\Users\Admin\AppData\Local\Temp\{74112358-5FB7-49A0-AD8A-EDB6916A3FAC}.bat"
    3⤵
    PID:1080

C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe
"C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe"
1⤵
- Executes dropped EXE
PID:4100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
PID:1488

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:4852

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "3044" "1932" "1044" "2188" "0" "0" "2124" "2040" "0" "0" "0" "0"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:4412

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:5116

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
1⤵
- Executes dropped EXE
PID:1520

C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
"C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe"
1⤵
- Executes dropped EXE
PID:4248

C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe
"C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe" -sBARTENDER
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4260

C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe
"C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe" -sBARTENDER
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4976

C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
"C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
1⤵
- Executes dropped EXE
PID:2668

C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe
"C:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe"
1⤵
- Executes dropped EXE
PID:2280

C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe
"C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe" -sBARTENDER
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:1572

C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe
"C:\Program Files\Microsoft SQL Server\MSSQL12.BARTENDER\MSSQL\Binn\sqlservr.exe" -sBARTENDER
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Modifies data under HKEY_USERS
PID:4688

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:700

C:\Windows\system32\wermgr.exe
"C:\Windows\system32\wermgr.exe" "-outproc" "0" "2768" "2644" "2536" "2648" "0" "0" "2652" "2656" "0" "0" "0" "0"
1⤵
- Checks processor information in registry
- Enumerates system info in registry
PID:1368

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4564

Network

MITRE ATT&CK Enterprise v6

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Seagull\Installer\{99937B8D-3B72-49EF-AB3F-45A5EBEAAB75}\3082.dll

Filesize
120KB

MD5
a96297c0b3816788f2a8f930c6e9dcf4

SHA1
307b132d720b1b03ecfb96afa1808fd367ed702b

SHA256
fd9fd341073d906645eed1eff1eb53144af5109c73b26a8f9e56de7be82c81ed

SHA512
7897427df575d4c22d2980aea40d37b891ed416b101b697b4b161b3ddb5005671c74e34722052d3cc7f9b3f742100db8065eb0a8259ab2ec6fb69282b852c84a

Download Submit
C:\ProgramData\Seagull\Installer\{99937B8D-3B72-49EF-AB3F-45A5EBEAAB75}\3082.dll

Filesize
120KB

MD5
a96297c0b3816788f2a8f930c6e9dcf4

SHA1
307b132d720b1b03ecfb96afa1808fd367ed702b

SHA256
fd9fd341073d906645eed1eff1eb53144af5109c73b26a8f9e56de7be82c81ed

SHA512
7897427df575d4c22d2980aea40d37b891ed416b101b697b4b161b3ddb5005671c74e34722052d3cc7f9b3f742100db8065eb0a8259ab2ec6fb69282b852c84a

Download Submit
C:\ProgramData\Seagull\Installer\{99937B8D-3B72-49EF-AB3F-45A5EBEAAB75}\BEAAB75\BarTender.msi

Filesize
194.7MB

MD5
cb89850ee9cf83015f30d1df61e97b2a

SHA1
7ebd4b6e0636cc209ed8bc4ac1c1195459dfbab4

SHA256
b8ac3b3c1a2c80ee17c6f8678d6777547477bb726ef7914fac14e2d7f331ba19

SHA512
144272199c96c4eab27a3ad18e1995806d6c439dc00222a7b92979bd5343b422663e6421f68720ffae68a91a8bf1a6f207f6f62126678ee6c83c259fdfc77e24

Download Submit
C:\ProgramData\Seagull\Installer\{99937B8D-3B72-49EF-AB3F-45A5EBEAAB75}\decoder.dll

Filesize
182KB

MD5
fc136d5c16573d1d1a64b0a62b586235

SHA1
8363d0d80fb25e4ace7b77efcfe119b7675913a1

SHA256
5a12236a02ba2984b62d7acfe5afb048e461fc4c76989d055ffe8965f212ebbf

SHA512
0ad82e28de1a65251eb536aef9739a76baaaa28a41dae78faacb82a9d1acd83d71816051dec16b7664e16a741706803d1fc0ad914bcdca4d28cb2ac2a05ff427

Download Submit
C:\ProgramData\Seagull\Installer\{99937B8D-3B72-49EF-AB3F-45A5EBEAAB75}\decoder.dll

Filesize
182KB

MD5
fc136d5c16573d1d1a64b0a62b586235

SHA1
8363d0d80fb25e4ace7b77efcfe119b7675913a1

SHA256
5a12236a02ba2984b62d7acfe5afb048e461fc4c76989d055ffe8965f212ebbf

SHA512
0ad82e28de1a65251eb536aef9739a76baaaa28a41dae78faacb82a9d1acd83d71816051dec16b7664e16a741706803d1fc0ad914bcdca4d28cb2ac2a05ff427

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\rundll32.exe.log

Filesize
651B

MD5
00bfeb783aeff425ce898d55718d506d

SHA1
aac7a973dc1f9ca7abc529c7ea37ad7eaf491b8f

SHA256
d06099ef43eb002055378b1b6d9853f9b1f891ada476932ba575d1f97065a580

SHA512
2209d5f4999cb36ebf26c6b8cb3195cc9fc0f0a103f4a28dd77b04605d7c6e79d47d806454c63b8d42bbe32864be7cdb56df3cccf71a6c27fe0b331d8304e1ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25B5.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI25B5.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp-\Seagull.InstallWizard.dll

Filesize
372KB

MD5
3061145ea0c0c8378e3d7e678b54eb51

SHA1
432c8f861f196739291b642bb3249b5f08bd5db4

SHA256
7da0ced479531d54f6f4d4cb558b154e4585c1ac241815815dc6375887a9195d

SHA512
621527bdda9a9c3713c7a5428c1607379493ac22006bfdfe10ba42b177b8864b0435698f6133939672aa2858c6b3a0766445c7a16d5d1acd0aaa6b63f4be94ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI26FE.tmp-\Seagull.InstallWizard.dll

Filesize
372KB

MD5
3061145ea0c0c8378e3d7e678b54eb51

SHA1
432c8f861f196739291b642bb3249b5f08bd5db4

SHA256
7da0ced479531d54f6f4d4cb558b154e4585c1ac241815815dc6375887a9195d

SHA512
621527bdda9a9c3713c7a5428c1607379493ac22006bfdfe10ba42b177b8864b0435698f6133939672aa2858c6b3a0766445c7a16d5d1acd0aaa6b63f4be94ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3BA0.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3BA0.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3BE0.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3BE0.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3BF0.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3BF0.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3FF8.tmp

Filesize
834KB

MD5
b0b2090c4200fb19e335598969a40f26

SHA1
e31d5533f85ef03dd8eb21723df14ff71586bb60

SHA256
e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd

SHA512
177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI3FF8.tmp

Filesize
834KB

MD5
b0b2090c4200fb19e335598969a40f26

SHA1
e31d5533f85ef03dd8eb21723df14ff71586bb60

SHA256
e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd

SHA512
177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4103.tmp

Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI4103.tmp

Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44AE.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44AE.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44AE.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44AE.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI44AE.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI47A5.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI47A5.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5643.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5643.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7A.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7A.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7A.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7A.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI5A7A.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp

Filesize
780KB

MD5
5ef8fd841c7b39882d909df4b6806db9

SHA1
80cdb05c335fa083262dcccf1ee9930dbf60b139

SHA256
7f2fdc8e2a4383cc7818c1e5f70a3727179187a03bcb56d7befab165af8f9fa4

SHA512
591810d483ed994f5800290117c4b8cfc82177ec7e93bd74c541ef0bb776d286f1820986e30c16cf9e7e9526e3ec500962454403596b3e92bf725498b92dcb3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp-\CustomActions.dll

Filesize
54KB

MD5
9793eda103b3ce9cbff0f08e7353e104

SHA1
c9808ac631aafb99c1350709c904672ea4dc90f9

SHA256
ab0706949eb844f5e283f8b7c9dd6506a16ba3730fb3f764c88b0053e262ddaa

SHA512
a8e7912d7cc344e0e98fb3f71cfad16097ad0fc7a418c84231844e35ad663eb00907463cbe07a73507de211058d8d459c18579af5c3f87916b5805fb51169b32

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp-\Seagull.InstallWizard.dll

Filesize
372KB

MD5
3061145ea0c0c8378e3d7e678b54eb51

SHA1
432c8f861f196739291b642bb3249b5f08bd5db4

SHA256
7da0ced479531d54f6f4d4cb558b154e4585c1ac241815815dc6375887a9195d

SHA512
621527bdda9a9c3713c7a5428c1607379493ac22006bfdfe10ba42b177b8864b0435698f6133939672aa2858c6b3a0766445c7a16d5d1acd0aaa6b63f4be94ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp-\Seagull.InstallWizard.dll

Filesize
372KB

MD5
3061145ea0c0c8378e3d7e678b54eb51

SHA1
432c8f861f196739291b642bb3249b5f08bd5db4

SHA256
7da0ced479531d54f6f4d4cb558b154e4585c1ac241815815dc6375887a9195d

SHA512
621527bdda9a9c3713c7a5428c1607379493ac22006bfdfe10ba42b177b8864b0435698f6133939672aa2858c6b3a0766445c7a16d5d1acd0aaa6b63f4be94ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp-\es\Seagull.InstallWizard.resources.dll

Filesize
40KB

MD5
7ce120ec6246d303dee35292b74b90f2

SHA1
cc4a8a188d99c1fa57e7af8709d38031e9630f2c

SHA256
db9273aa7f07d249947b1d64b80c7fe57385fb357783c6c48c01dac1b94e1215

SHA512
5d6b80a7585bfc7942a019125e872eef4a88bb8ec8141456fee116e05b26711ada5d24f129480a14c6e63ad90b5afcb2b6ba39571ac17b9d5b4213a2f1dd8a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp-\es\Seagull.InstallWizard.resources.dll

Filesize
40KB

MD5
7ce120ec6246d303dee35292b74b90f2

SHA1
cc4a8a188d99c1fa57e7af8709d38031e9630f2c

SHA256
db9273aa7f07d249947b1d64b80c7fe57385fb357783c6c48c01dac1b94e1215

SHA512
5d6b80a7585bfc7942a019125e872eef4a88bb8ec8141456fee116e05b26711ada5d24f129480a14c6e63ad90b5afcb2b6ba39571ac17b9d5b4213a2f1dd8a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI6AA7.tmp-\es\Seagull.InstallWizard.resources.dll

Filesize
40KB

MD5
7ce120ec6246d303dee35292b74b90f2

SHA1
cc4a8a188d99c1fa57e7af8709d38031e9630f2c

SHA256
db9273aa7f07d249947b1d64b80c7fe57385fb357783c6c48c01dac1b94e1215

SHA512
5d6b80a7585bfc7942a019125e872eef4a88bb8ec8141456fee116e05b26711ada5d24f129480a14c6e63ad90b5afcb2b6ba39571ac17b9d5b4213a2f1dd8a80

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA548.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA548.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAB54.tmp

Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIAB54.tmp

Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIABF1.tmp

Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIABF1.tmp

Filesize
525KB

MD5
1c62521f4ade74fe465aaf61049c3634

SHA1
758bd079f98c5f1153213a4c78ee25f89eb64fa6

SHA256
ae5544ebfa8d92072562dcc4f3a6b48e77ab1a1e263e8e8dabebf6a627286f9e

SHA512
4b58f0216f2dcfff69f3e668d09e21c0c85a7087a01621f43a787344afcf31d05644b9374b2ee4719b2ede0019d88083104f7a8122409c1ea961a9c5016262fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID035.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSID035.tmp

Filesize
376KB

MD5
c39daeba173815516c180ca4361f7895

SHA1
db3ae54329834baa954569a35be5b947c86dc25e

SHA256
a34bd87a23349bd52b8b0f25154235b90b698986c8849e101b7e40d11d48e4dc

SHA512
e13cd98647059657355a69917898cdecdfc0b8da91036de1c030d20a4c5c1aacc06cd4d54fac65ecf1c8c44527dbba3c545f588260af1a0104b445e3f21ca929

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFB1E.tmp

Filesize
834KB

MD5
b0b2090c4200fb19e335598969a40f26

SHA1
e31d5533f85ef03dd8eb21723df14ff71586bb60

SHA256
e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd

SHA512
177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIFB1E.tmp

Filesize
834KB

MD5
b0b2090c4200fb19e335598969a40f26

SHA1
e31d5533f85ef03dd8eb21723df14ff71586bb60

SHA256
e16ce1f8a1b24d03353502af35fa159ab9962b4ecce8f3bb9dd4b075552505cd

SHA512
177dad69d6773dab432a39a91f113949573caa3f3513e1e79361e9d74efe813746bd25a9101ec6436be7476cd77b663102d7ee138a01afbc902738e3ad75fce2

Download Submit
C:\Users\Admin\AppData\Roaming\Seagull\BarTender\prerequisites\decoder.dll

Filesize
182KB

MD5
fc136d5c16573d1d1a64b0a62b586235

SHA1
8363d0d80fb25e4ace7b77efcfe119b7675913a1

SHA256
5a12236a02ba2984b62d7acfe5afb048e461fc4c76989d055ffe8965f212ebbf

SHA512
0ad82e28de1a65251eb536aef9739a76baaaa28a41dae78faacb82a9d1acd83d71816051dec16b7664e16a741706803d1fc0ad914bcdca4d28cb2ac2a05ff427

Download Submit
C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe

Filesize
763.6MB

MD5
143d94d5593d64dfd6f5ba8d15137413

SHA1
43af1f03e1dae86f0208369385fb0af8a487ffb9

SHA256
0c575035b464a7d2f62e71a164e82ad3cd4ef694aeb27fbeef1c27f86aa648ce

SHA512
1a9894c3ace38aff436211f80836b1153c9a04f095115f114bccd6db2c55b04dd207ca89f2c835005a2be6861bd68291113ecc66de75e9d1da995d46c2f7f455

Download Submit
C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe

Filesize
763.6MB

MD5
143d94d5593d64dfd6f5ba8d15137413

SHA1
43af1f03e1dae86f0208369385fb0af8a487ffb9

SHA256
0c575035b464a7d2f62e71a164e82ad3cd4ef694aeb27fbeef1c27f86aa648ce

SHA512
1a9894c3ace38aff436211f80836b1153c9a04f095115f114bccd6db2c55b04dd207ca89f2c835005a2be6861bd68291113ecc66de75e9d1da995d46c2f7f455

Download Submit
C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe

Filesize
763.6MB

MD5
143d94d5593d64dfd6f5ba8d15137413

SHA1
43af1f03e1dae86f0208369385fb0af8a487ffb9

SHA256
0c575035b464a7d2f62e71a164e82ad3cd4ef694aeb27fbeef1c27f86aa648ce

SHA512
1a9894c3ace38aff436211f80836b1153c9a04f095115f114bccd6db2c55b04dd207ca89f2c835005a2be6861bd68291113ecc66de75e9d1da995d46c2f7f455

Download Submit
C:\Users\Admin\Desktop\BarTender Enterprise 2021 R5 11.2.166048 Multilingual\Setup_x64.exe

Filesize
763.6MB

MD5
143d94d5593d64dfd6f5ba8d15137413

SHA1
43af1f03e1dae86f0208369385fb0af8a487ffb9

SHA256
0c575035b464a7d2f62e71a164e82ad3cd4ef694aeb27fbeef1c27f86aa648ce

SHA512
1a9894c3ace38aff436211f80836b1153c9a04f095115f114bccd6db2c55b04dd207ca89f2c835005a2be6861bd68291113ecc66de75e9d1da995d46c2f7f455

Download Submit
memory/656-226-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/656-223-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/656-230-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/1884-453-0x00007FFA698A0000-0x00007FFA6A2D6000-memory.dmp

Filesize
10.2MB

Download
memory/1892-250-0x00000000715A0000-0x0000000071B51000-memory.dmp

Filesize
5.7MB

Download
memory/1892-249-0x00000000715A0000-0x0000000071B51000-memory.dmp

Filesize
5.7MB

Download
memory/1940-271-0x0000000000A5A000-0x0000000000A5F000-memory.dmp

Filesize
20KB

Download
memory/1940-252-0x00007FFA698A0000-0x00007FFA6A2D6000-memory.dmp

Filesize
10.2MB

Download
memory/1940-287-0x0000000000A5A000-0x0000000000A5F000-memory.dmp

Filesize
20KB

Download
memory/2184-286-0x00000000715A0000-0x0000000071B51000-memory.dmp

Filesize
5.7MB

Download
memory/2184-270-0x00000000715A0000-0x0000000071B51000-memory.dmp

Filesize
5.7MB

Download
memory/2712-247-0x00007FFA698A0000-0x00007FFA6A2D6000-memory.dmp

Filesize
10.2MB

Download
memory/3444-221-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/3444-220-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/3444-219-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/3672-268-0x00007FFA698A0000-0x00007FFA6A2D6000-memory.dmp

Filesize
10.2MB

Download
memory/3696-200-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/3696-206-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/3696-204-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/3776-190-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/3776-191-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/4076-239-0x0000015B08C20000-0x0000015B08C7F000-memory.dmp

Filesize
380KB

Download
memory/4076-315-0x0000015B09310000-0x0000015B0931C000-memory.dmp

Filesize
48KB

Download
memory/4076-328-0x0000015B09D00000-0x0000015B09D0A000-memory.dmp

Filesize
40KB

Download
memory/4076-327-0x0000015B0A7E0000-0x0000015B0A7F6000-memory.dmp

Filesize
88KB

Download
memory/4076-326-0x0000015B0A7C0000-0x0000015B0A7D6000-memory.dmp

Filesize
88KB

Download
memory/4076-325-0x0000015B09CF0000-0x0000015B09CF8000-memory.dmp

Filesize
32KB

Download
memory/4076-324-0x0000015B09CE0000-0x0000015B09CE8000-memory.dmp

Filesize
32KB

Download
memory/4076-323-0x0000015B09CD0000-0x0000015B09CDE000-memory.dmp

Filesize
56KB

Download
memory/4076-322-0x0000015B09CC0000-0x0000015B09CCE000-memory.dmp

Filesize
56KB

Download
memory/4076-321-0x0000015B0A900000-0x0000015B0A962000-memory.dmp

Filesize
392KB

Download
memory/4076-320-0x0000015B0A890000-0x0000015B0A8F2000-memory.dmp

Filesize
392KB

Download
memory/4076-235-0x0000015B09370000-0x0000015B0937E000-memory.dmp

Filesize
56KB

Download
memory/4076-234-0x0000015B0BBD0000-0x0000015B0BC46000-memory.dmp

Filesize
472KB

Download
memory/4076-233-0x0000015B093A0000-0x0000015B093E0000-memory.dmp

Filesize
256KB

Download
memory/4076-319-0x0000015B09CB0000-0x0000015B09CBA000-memory.dmp

Filesize
40KB

Download
memory/4076-318-0x0000015B09C70000-0x0000015B09C7A000-memory.dmp

Filesize
40KB

Download
memory/4076-317-0x0000015B09C60000-0x0000015B09C70000-memory.dmp

Filesize
64KB

Download
memory/4076-316-0x0000015B09C50000-0x0000015B09C60000-memory.dmp

Filesize
64KB

Download
memory/4076-314-0x0000015B09C80000-0x0000015B09CA8000-memory.dmp

Filesize
160KB

Download
memory/4076-313-0x0000015B0A710000-0x0000015B0A7BC000-memory.dmp

Filesize
688KB

Download
memory/4076-312-0x0000015B0A660000-0x0000015B0A70C000-memory.dmp

Filesize
688KB

Download
memory/4076-311-0x0000015B0A530000-0x0000015B0A5C2000-memory.dmp

Filesize
584KB

Download
memory/4076-310-0x0000015B0A490000-0x0000015B0A522000-memory.dmp

Filesize
584KB

Download
memory/4076-309-0x0000015B092C0000-0x0000015B092CC000-memory.dmp

Filesize
48KB

Download
memory/4076-308-0x0000015B092B0000-0x0000015B092BC000-memory.dmp

Filesize
48KB

Download
memory/4076-307-0x0000015B09C50000-0x0000015B09C72000-memory.dmp

Filesize
136KB

Download
memory/4076-306-0x0000015B092E0000-0x0000015B09302000-memory.dmp

Filesize
136KB

Download
memory/4076-305-0x0000015B09C10000-0x0000015B09C42000-memory.dmp

Filesize
200KB

Download
memory/4076-296-0x0000015B09BD0000-0x0000015B09C04000-memory.dmp

Filesize
208KB

Download
memory/4076-297-0x0000015B09C10000-0x0000015B09C44000-memory.dmp

Filesize
208KB

Download
memory/4076-299-0x0000015B09C50000-0x0000015B09C74000-memory.dmp

Filesize
144KB

Download
memory/4076-300-0x0000015B09C80000-0x0000015B09CA4000-memory.dmp

Filesize
144KB

Download
memory/4076-301-0x0000015B092A0000-0x0000015B092AE000-memory.dmp

Filesize
56KB

Download
memory/4076-302-0x0000015B092B0000-0x0000015B092BE000-memory.dmp

Filesize
56KB

Download
memory/4076-303-0x0000015B0A470000-0x0000015B0A504000-memory.dmp

Filesize
592KB

Download
memory/4076-304-0x0000015B0A510000-0x0000015B0A5A4000-memory.dmp

Filesize
592KB

Download
memory/4148-181-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/4148-178-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/4232-291-0x00000000715A0000-0x0000000071B51000-memory.dmp

Filesize
5.7MB

Download
memory/4608-289-0x00007FFA698A0000-0x00007FFA6A2D6000-memory.dmp

Filesize
10.2MB

Download
memory/4776-244-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/4776-242-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/4928-161-0x0000015F480D0000-0x0000015F481D2000-memory.dmp

Filesize
1.0MB

Download
memory/4928-162-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/4928-153-0x0000015F2D770000-0x0000015F2D79E000-memory.dmp

Filesize
184KB

Download
memory/4928-157-0x00007FFA72270000-0x00007FFA72D31000-memory.dmp

Filesize
10.8MB

Download
memory/4928-156-0x0000015F2D7A0000-0x0000015F2D7B2000-memory.dmp

Filesize
72KB

Download
memory/4928-160-0x0000015F47F60000-0x0000015F47FBE000-memory.dmp

Filesize
376KB

Download