01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227

Analysis

max time kernel
1s
max time network
146s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
04/01/2024, 03:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
Size

1.8MB
MD5

434b7f545c31c9c4b28ccabbd1d335fd
SHA1

9920ce89735cfc1f9489575653ede02f7be0fbac
SHA256

01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227
SHA512

f4d588f27b5d264ebd36fe5dd9e2b2c0f3308a770d41850f357abdd318ca68a17d426a5ccaec03e20157ea3b29092eeb6e164d585394ed91587a62a1ad36c29f
SSDEEP

49152:Yx5SUW/cxUitIGLsF0nb+tJVYleAMz77+WA8/snji6attJM:YvbjVkjjCAzJ1EnW6at

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 8 IoCs

pid	Process
480	Process not Found
2076	alg.exe
2484	aspnet_state.exe
2520	mscorsvw.exe
2652	mscorsvw.exe
2808	mscorsvw.exe
1680	mscorsvw.exe
1676	ehRecvr.exe

Loads dropped DLL 3 IoCs

pid	Process
480	Process not Found
480	Process not Found
480	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\28c61b7f56fe8faa.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_de.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_es.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_uk.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_zh-CN.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_zh-TW.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\GoogleUpdateCore.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_fr.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_lt.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ml.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\GoogleUpdateSetup.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\GoogleCrashHandler.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ta.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_tr.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_el.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_hr.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\psmachine_64.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_fi.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_sr.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_te.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_th.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_cs.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\psmachine.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\psuser.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\GoogleCrashHandler64.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_bg.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ca.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_gu.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_pt-PT.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdate.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_sv.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_sl.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_no.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_pl.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File opened for modification	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\GoogleUpdateSetup.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\GoogleUpdateComRegisterShell64.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_en-GB.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_id.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_iw.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ja.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_da.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_fa.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_hi.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ru.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_sk.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_en.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_fil.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_lv.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_sw.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_es-419.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_kn.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_mr.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ms.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_pt-BR.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ur.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\psuser_64.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_hu.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ro.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_vi.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\GoogleUpdateOnDemand.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_ar.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_bn.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_it.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_nl.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Program Files (x86)\Google\Temp\GUM81C.tmp\goopdateres_am.dll	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe

Drops file in Windows directory 18 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\ehome\ehRecvr.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenservicelock.dat	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2028	01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
Token: SeShutdownPrivilege	2808	mscorsvw.exe

C:\Windows\ehome\ehsched.exe
C:\Windows\ehome\ehsched.exe
1⤵
PID:856

C:\Windows\ehome\ehRecvr.exe
C:\Windows\ehome\ehRecvr.exe
1⤵
- Executes dropped EXE
PID:1676

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 16c -InterruptEvent 158 -NGENProcess 15c -Pipe 168 -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 164 -InterruptEvent 1d8 -NGENProcess 1e0 -Pipe 1e4 -Comment "NGen Worker Process"
  2⤵
  PID:3036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e0 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1dc -Comment "NGen Worker Process"
  2⤵
  PID:1400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 250 -InterruptEvent 1cc -NGENProcess 1d0 -Pipe 1e0 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 24c -NGENProcess 254 -Pipe 250 -Comment "NGen Worker Process"
  2⤵
  PID:1408
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 23c -NGENProcess 1d0 -Pipe 238 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 258 -NGENProcess 1cc -Pipe 234 -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 25c -InterruptEvent 24c -NGENProcess 260 -Pipe 23c -Comment "NGen Worker Process"
  2⤵
  PID:1896
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 260 -NGENProcess 240 -Pipe 264 -Comment "NGen Worker Process"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 268 -NGENProcess 248 -Pipe 244 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 1e8 -NGENProcess 258 -Pipe 25c -Comment "NGen Worker Process"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  PID:2520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 270 -NGENProcess 24c -Pipe 274 -Comment "NGen Worker Process"
  2⤵
  PID:2164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 260 -NGENProcess 270 -Pipe 268 -Comment "NGen Worker Process"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 270 -InterruptEvent 258 -NGENProcess 1d0 -Pipe 278 -Comment "NGen Worker Process"
  2⤵
  PID:1600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 260 -NGENProcess 27c -Pipe 270 -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 27c -NGENProcess 254 -Pipe 280 -Comment "NGen Worker Process"
  2⤵
  PID:2600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 1cc -NGENProcess 284 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:2992
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 26c -InterruptEvent 248 -NGENProcess 288 -Pipe 1e8 -Comment "NGen Worker Process"
  2⤵
  PID:2308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 24c -InterruptEvent 254 -NGENProcess 28c -Pipe 26c -Comment "NGen Worker Process"
  2⤵
  PID:1048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 258 -InterruptEvent 284 -NGENProcess 290 -Pipe 24c -Comment "NGen Worker Process"
  2⤵
  PID:1812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 288 -NGENProcess 294 -Pipe 258 -Comment "NGen Worker Process"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 27c -NGENProcess 290 -Pipe 1cc -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 298 -InterruptEvent 240 -NGENProcess 29c -Pipe 288 -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 240 -InterruptEvent 248 -NGENProcess 290 -Pipe 1d0 -Comment "NGen Worker Process"
  2⤵
  PID:2976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2a4 -NGENProcess 27c -Pipe 2a0 -Comment "NGen Worker Process"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 1bc -NGENProcess 248 -Pipe 21c -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 1bc -InterruptEvent 2c4 -NGENProcess 2a4 -Pipe 2c0 -Comment "NGen Worker Process"
  2⤵
  PID:832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2cc -NGENProcess 2b4 -Pipe 2c8 -Comment "NGen Worker Process"
  2⤵
  PID:2996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d4 -NGENProcess 2cc -Pipe 254 -Comment "NGen Worker Process"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 2bc -NGENProcess 1bc -Pipe 248 -Comment "NGen Worker Process"
  2⤵
  PID:2104
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2cc -NGENProcess 1bc -Pipe 294 -Comment "NGen Worker Process"
  2⤵
  PID:1652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 2e4 -NGENProcess 2cc -Pipe 2c4 -Comment "NGen Worker Process"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2cc -NGENProcess 2bc -Pipe 2b4 -Comment "NGen Worker Process"
  2⤵
  PID:1364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2e8 -NGENProcess 2e0 -Pipe 2dc -Comment "NGen Worker Process"
  2⤵
  PID:3028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2e0 -NGENProcess 2e4 -Pipe 2d0 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2b8 -NGENProcess 2f0 -Pipe 2e8 -Comment "NGen Worker Process"
  2⤵
  PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2f0 -NGENProcess 2d8 -Pipe 2e4 -Comment "NGen Worker Process"
  2⤵
  PID:344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 2d8 -NGENProcess 2ec -Pipe 2fc -Comment "NGen Worker Process"
  2⤵
  PID:1868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2a4 -InterruptEvent 2b0 -NGENProcess 300 -Pipe 2f0 -Comment "NGen Worker Process"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f8 -NGENProcess 2e0 -Pipe 2a4 -Comment "NGen Worker Process"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 2e0 -NGENProcess 2ec -Pipe 300 -Comment "NGen Worker Process"
  2⤵
  PID:2428
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 308 -InterruptEvent 2e0 -NGENProcess 2f8 -Pipe 2cc -Comment "NGen Worker Process"
  2⤵
  PID:2272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2bc -NGENProcess 310 -Pipe 308 -Comment "NGen Worker Process"
  2⤵
  PID:2664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 2bc -NGENProcess 2b8 -Pipe 2f8 -Comment "NGen Worker Process"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 30c -NGENProcess 318 -Pipe 2b0 -Comment "NGen Worker Process"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 30c -NGENProcess 2d8 -Pipe 2b8 -Comment "NGen Worker Process"
  2⤵
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f4 -InterruptEvent 314 -NGENProcess 320 -Pipe 304 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 314 -InterruptEvent 31c -NGENProcess 2d8 -Pipe 324 -Comment "NGen Worker Process"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2f4 -NGENProcess 328 -Pipe 314 -Comment "NGen Worker Process"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 2f4 -NGENProcess 2ec -Pipe 2d8 -Comment "NGen Worker Process"
  2⤵
  PID:1380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 1bc -NGENProcess 330 -Pipe 32c -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 1bc -NGENProcess 310 -Pipe 2ec -Comment "NGen Worker Process"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2bc -NGENProcess 338 -Pipe 30c -Comment "NGen Worker Process"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 33c -NGENProcess 2bc -Pipe 334 -Comment "NGen Worker Process"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 318 -NGENProcess 2bc -Pipe 2f4 -Comment "NGen Worker Process"
  2⤵
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 318 -InterruptEvent 1bc -NGENProcess 2e0 -Pipe 338 -Comment "NGen Worker Process"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 320 -NGENProcess 2e0 -Pipe 340 -Comment "NGen Worker Process"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 348 -NGENProcess 344 -Pipe 328 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2bc -InterruptEvent 330 -NGENProcess 344 -Pipe 310 -Comment "NGen Worker Process"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 350 -NGENProcess 34c -Pipe 1bc -Comment "NGen Worker Process"
  2⤵
  PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 34c -NGENProcess 2bc -Pipe 318 -Comment "NGen Worker Process"
  2⤵
  PID:2112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 330 -NGENProcess 320 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 2e0 -NGENProcess 354 -Pipe 33c -Comment "NGen Worker Process"
  2⤵
  PID:2052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 35c -NGENProcess 2bc -Pipe 344 -Comment "NGen Worker Process"
  2⤵
  PID:552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 330 -NGENProcess 364 -Pipe 2e0 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 364 -NGENProcess 320 -Pipe 2bc -Comment "NGen Worker Process"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 320 -NGENProcess 350 -Pipe 35c -Comment "NGen Worker Process"
  2⤵
  PID:1344
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 370 -NGENProcess 358 -Pipe 36c -Comment "NGen Worker Process"
  2⤵
  PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 364 -NGENProcess 374 -Pipe 320 -Comment "NGen Worker Process"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 368 -InterruptEvent 354 -NGENProcess 378 -Pipe 34c -Comment "NGen Worker Process"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 358 -NGENProcess 37c -Pipe 368 -Comment "NGen Worker Process"
  2⤵
  PID:696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 350 -InterruptEvent 374 -NGENProcess 380 -Pipe 360 -Comment "NGen Worker Process"
  2⤵
  PID:1028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 378 -NGENProcess 384 -Pipe 350 -Comment "NGen Worker Process"
  2⤵
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 388 -NGENProcess 380 -Pipe 370 -Comment "NGen Worker Process"
  2⤵
  PID:1796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 38c -NGENProcess 358 -Pipe 364 -Comment "NGen Worker Process"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 38c -InterruptEvent 390 -NGENProcess 384 -Pipe 374 -Comment "NGen Worker Process"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 380 -Pipe 31c -Comment "NGen Worker Process"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 38c -NGENProcess 39c -Pipe 390 -Comment "NGen Worker Process"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 358 -NGENProcess 3a0 -Pipe 398 -Comment "NGen Worker Process"
  2⤵
  PID:280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 388 -NGENProcess 380 -Pipe 39c -Comment "NGen Worker Process"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 354 -NGENProcess 358 -Pipe 384 -Comment "NGen Worker Process"
  2⤵
  PID:1696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 3a8 -NGENProcess 394 -Pipe 38c -Comment "NGen Worker Process"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 330 -InterruptEvent 388 -NGENProcess 3ac -Pipe 354 -Comment "NGen Worker Process"
  2⤵
  PID:296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 380 -NGENProcess 3b0 -Pipe 330 -Comment "NGen Worker Process"
  2⤵
  PID:772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 394 -NGENProcess 3b4 -Pipe 378 -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 358 -NGENProcess 3b0 -Pipe 3a4 -Comment "NGen Worker Process"
  2⤵
  PID:1764
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3b8 -NGENProcess 380 -Pipe 3a8 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3c0 -NGENProcess 3b4 -Pipe 3bc -Comment "NGen Worker Process"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 358 -NGENProcess 3c4 -Pipe 3b8 -Comment "NGen Worker Process"
  2⤵
  PID:1576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b0 -InterruptEvent 388 -NGENProcess 3c8 -Pipe 37c -Comment "NGen Worker Process"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3cc -NGENProcess 3c4 -Pipe 3ac -Comment "NGen Worker Process"
  2⤵
  PID:2136
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 3b0 -NGENProcess 3d0 -Pipe 388 -Comment "NGen Worker Process"
  2⤵
  PID:1240
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3c0 -NGENProcess 3d4 -Pipe 380 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3c0 -NGENProcess 3a0 -Pipe 3c4 -Comment "NGen Worker Process"
  2⤵
  PID:2576
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d8 -NGENProcess 3dc -Pipe 3d0 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3d4 -NGENProcess 3e0 -Pipe 3c8 -Comment "NGen Worker Process"
  2⤵
  PID:276
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3cc -NGENProcess 3dc -Pipe 3b0 -Comment "NGen Worker Process"
  2⤵
  PID:2232
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e4 -InterruptEvent 3e8 -NGENProcess 394 -Pipe 3d4 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 3d8 -NGENProcess 3ec -Pipe 3e4 -Comment "NGen Worker Process"
  2⤵
  PID:1036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 3dc -NGENProcess 3f0 -Pipe 358 -Comment "NGen Worker Process"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3c0 -NGENProcess 3ec -Pipe 3e0 -Comment "NGen Worker Process"
  2⤵
  PID:1980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 3b4 -NGENProcess 3f8 -Pipe 3dc -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3cc -InterruptEvent 3d8 -NGENProcess 3fc -Pipe 3f4 -Comment "NGen Worker Process"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3ec -NGENProcess 404 -Pipe 3cc -Comment "NGen Worker Process"
  2⤵
  PID:1520
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3f8 -NGENProcess 408 -Pipe 3a0 -Comment "NGen Worker Process"
  2⤵
  PID:1668
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f0 -InterruptEvent 404 -NGENProcess 40c -Pipe 3e8 -Comment "NGen Worker Process"
  2⤵
  PID:1564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3fc -NGENProcess 410 -Pipe 3f0 -Comment "NGen Worker Process"
  2⤵
  PID:1156
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 414 -NGENProcess 40c -Pipe 3b4 -Comment "NGen Worker Process"
  2⤵
  PID:2860
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3c0 -NGENProcess 418 -Pipe 3fc -Comment "NGen Worker Process"
  2⤵
  PID:920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3f8 -NGENProcess 41c -Pipe 3d8 -Comment "NGen Worker Process"
  2⤵
  PID:1368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3ec -NGENProcess 418 -Pipe 410 -Comment "NGen Worker Process"
  2⤵
  PID:2676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 404 -NGENProcess 424 -Pipe 3f8 -Comment "NGen Worker Process"
  2⤵
  PID:2296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3c0 -NGENProcess 428 -Pipe 420 -Comment "NGen Worker Process"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 418 -NGENProcess 42c -Pipe 394 -Comment "NGen Worker Process"
  2⤵
  PID:1160
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 424 -NGENProcess 430 -Pipe 408 -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 41c -InterruptEvent 428 -NGENProcess 434 -Pipe 414 -Comment "NGen Worker Process"
  2⤵
  PID:108
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 42c -NGENProcess 404 -Pipe 41c -Comment "NGen Worker Process"
  2⤵
  PID:2252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 430 -NGENProcess 3ec -Pipe 3c0 -Comment "NGen Worker Process"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 434 -NGENProcess 438 -Pipe 418 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 200 -NGENProcess 3ec -Pipe 204 -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 200 -InterruptEvent 43c -NGENProcess 430 -Pipe 428 -Comment "NGen Worker Process"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 444 -NGENProcess 438 -Pipe 440 -Comment "NGen Worker Process"
  2⤵
  PID:1264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 42c -Pipe 40c -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 430 -Pipe 3ec -Comment "NGen Worker Process"
  2⤵
  PID:2528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 444 -NGENProcess 454 -Pipe 448 -Comment "NGen Worker Process"
  2⤵
  PID:2908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 458 -NGENProcess 444 -Pipe 200 -Comment "NGen Worker Process"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 450 -NGENProcess 434 -Pipe 430 -Comment "NGen Worker Process"
  2⤵
  PID:2988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 45c -NGENProcess 444 -Pipe 44c -Comment "NGen Worker Process"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 454 -InterruptEvent 404 -NGENProcess 460 -Pipe 450 -Comment "NGen Worker Process"
  2⤵
  PID:2084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 424 -NGENProcess 464 -Pipe 454 -Comment "NGen Worker Process"
  2⤵
  PID:1268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 42c -NGENProcess 460 -Pipe 434 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 460 -NGENProcess 458 -Pipe 404 -Comment "NGen Worker Process"
  2⤵
  PID:1804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 460 -InterruptEvent 470 -NGENProcess 45c -Pipe 43c -Comment "NGen Worker Process"
  2⤵
  PID:488
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 470 -InterruptEvent 474 -NGENProcess 46c -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 460 -NGENProcess 478 -Pipe 470 -Comment "NGen Worker Process"
  2⤵
  PID:2652
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 458 -NGENProcess 47c -Pipe 444 -Comment "NGen Worker Process"
  2⤵
  PID:1228
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 458 -InterruptEvent 438 -NGENProcess 478 -Pipe 45c -Comment "NGen Worker Process"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 480 -InterruptEvent 424 -NGENProcess 484 -Pipe 458 -Comment "NGen Worker Process"
  2⤵
  PID:1772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 424 -InterruptEvent 488 -NGENProcess 478 -Pipe 464 -Comment "NGen Worker Process"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 42c -InterruptEvent 480 -NGENProcess 48c -Pipe 424 -Comment "NGen Worker Process"
  2⤵
  PID:2836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 438 -InterruptEvent 47c -NGENProcess 490 -Pipe 42c -Comment "NGen Worker Process"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 474 -InterruptEvent 460 -NGENProcess 494 -Pipe 438 -Comment "NGen Worker Process"
  2⤵
  PID:1068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 48c -NGENProcess 270 -Pipe 474 -Comment "NGen Worker Process"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 208 -InterruptEvent 490 -NGENProcess 280 -Pipe 260 -Comment "NGen Worker Process"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 490 -InterruptEvent 47c -NGENProcess 270 -Pipe 224 -Comment "NGen Worker Process"
  2⤵
  PID:2572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 488 -InterruptEvent 208 -NGENProcess 480 -Pipe 47c -Comment "NGen Worker Process"
  2⤵
  PID:1364

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2652

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
PID:2520

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
1⤵
- Executes dropped EXE
PID:2484

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:2076

C:\Users\Admin\AppData\Local\Temp\01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe
"C:\Users\Admin\AppData\Local\Temp\01285b355fbc72c55542dafc704de00b2eab31036b491ab83dfcbd33bf2bb227.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2028

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1808

C:\Windows\eHome\EhTray.exe
"C:\Windows\eHome\EhTray.exe" /nav:-2
1⤵
PID:2116

C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\GROOVE.EXE" /auditservice
1⤵
PID:948

C:\Windows\ehome\ehRec.exe
C:\Windows\ehome\ehRec.exe -Embedding
1⤵
PID:1616

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
PID:2308

C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
"C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
1⤵
PID:2732

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
PID:2628

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
PID:2888

C:\Windows\system32\IEEtwCollector.exe
C:\Windows\system32\IEEtwCollector.exe /V
1⤵
PID:1804

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
PID:2516

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
PID:2740

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
PID:2188

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
PID:616

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
PID:1916

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
PID:564

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2144

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:2788

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1292

C:\Program Files\Windows Media Player\wmpnetwk.exe
"C:\Program Files\Windows Media Player\wmpnetwk.exe"
1⤵
PID:2920

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
PID:1652

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\b91050d8b077a4e8.customDestinations-ms

Filesize
24B

MD5
b9bd716de6739e51c620f2086f9c31e4

SHA1
9733d94607a3cba277e567af584510edd9febf62

SHA256
7116ff028244a01f3d17f1d3bc2e1506bc9999c2e40e388458f0cccc4e117312

SHA512
cef609e54c7a81a646ad38dba7ac0b82401b220773b9c792cefac80c6564753229f0c011b34ffb56381dd3154a19aee2bf5f602c4d1af01f2cf0fbc1574e4478

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
114KB

MD5
1514233e791202b7aa42afc343e52d94

SHA1
e8d3bed6bafd1b50f61adad058895115a8db3a06

SHA256
aa653bfb8d6cf316086e4c209b5b3ac40d140bd93f127963cbdd95298e0973fa

SHA512
43d0f2cb4e7489e52632c9638e01a82f6b7fa4912c19dee21aeb510ce094de72efd4b8ee0df3611e97ddb4ecf3caa9ba1dadd4bd5054dbf909cffdf3085f6faa

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

Filesize
238KB

MD5
a870a3026bdab3f19ef03fb084479856

SHA1
b3230f52aaef7cb4a721d4a7f433608648290187

SHA256
1946f49b630453a697d31db69f3c604897c1db8b636f52674054309161833688

SHA512
80ca14b39492081d8753df7515a816cc9271dbd35985f3fb8069043fbcc9d4192c7939d377f516203de333ce81eb1e094c846a9aca2f6af4f5d6cdc1fe2eab8b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
656KB

MD5
595481be49ebccb9c7a15264d79215a7

SHA1
c9ea29dcfb5a78c71bd5d30582778263d8be4353

SHA256
e72ff5e19c757636271b747e508bbf27d38f02c8ddfed9f5705e6cd1677f1ce2

SHA512
7d11d4cf9a1bb03a68117ed765aaacae7e47ff2662347c0e51bf85d4ab876ce9b1cc810a09a0d34426c958a156f4942e7ac502a495e6075ab7e4fa9085051a13

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
578KB

MD5
6514cc847e8adf5b77eed0bfff8d3eac

SHA1
64a56f742252546c09fcf1ba9e2a215b978ad043

SHA256
98627bdade6ac03fd027a05c467d8a068c3894445693f845b0cecae13b420c4a

SHA512
58d881f6178c75e12739ec1d12b8ba7ef02e1fcccb94182b0cce573f3b06232c2dbae6891a98ee416143efe11dd708f40f33f7738fa268f3fd015c833f7e04fd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
238KB

MD5
51d7209596041b1ff2839bfbe18502f2

SHA1
60e7e506cce7c4491c6829414ad0ed0f875fe8a6

SHA256
7d675bfaa160665bc1b91d917a5dde72d3a9f98c94389a91971c1ef66ae0b3ce

SHA512
1daee063e0341ee45e4f26ed57cbad41eeec0d86dc00fc526ca1b5f2a40d6dd2d56658fe8c9a1d754e4816778d88b0101a5b8edd12fa3fe90e67a661fc9f09da

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
343KB

MD5
c6c2c446bf34b529ff5a7a59278d5203

SHA1
fb9e01eb18f3f4140d9828cc76e07f75dace09b6

SHA256
65df3e843ff6ea15d6f59a7eb93f65556ee13ce5665e08d332f5e41fbf9d09bb

SHA512
eebe19e3599d53ec5038a32bad624375a8a3cd6bc421de5ab03ff61a400d91669534c46ba28824d5d5ff2a164be8d14559b023dcf596eba8ad8a306e2a4d4c9e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
297KB

MD5
279dc029d7a0a4b1c9b43aaeea2dd58c

SHA1
58d887c24c18f6ee5194966123a3bc6a1416273c

SHA256
d56b01c35333591706903f05289bfa4a97c12673199280c99976022532435c02

SHA512
1f9cf0d2bbd1a14f30c167e55382d64cc5f5d660e017c26672050a635e891d8b2f2fa4c3feb4a37eafabe6a2dc632b6079107b32b49c291c4242f31e02c6ae7b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
275KB

MD5
94a41aec6af46d2401ed241e85596cc4

SHA1
20ad3af3e993ac313510a9c20985e2abe2a0e7c2

SHA256
fdecddfd942bf89aede9358327d08f0a9b376c0d9983b6b5ccf0e8d8e31ce105

SHA512
0f5fd58b6dc99440498f23e0cb3462b03268e8e631a7febcace25b651b93cdbfc23558a4525aa70b79bb44789901f854a83da766cbe587659e187bf208385988

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
229KB

MD5
bfd0c942c138bff824d39feb11e4c766

SHA1
731ff294c8263e9b257eb57b48457f11251c729e

SHA256
0d23102fd2887318beac24ae9c2b7d9bae988fe32684849804f41f37f65bb7e9

SHA512
cf071d2d0b23d8856c049b0cd121cd9cb6c7013fd727659baff519ecd1948d864f931e892966056b6bf5de5fae79d3777078ce86044975784060dc64a5defdf4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
181KB

MD5
6e7ff8a143701afc4de19b9805c33f6a

SHA1
461f4c145f53f5f3eb4b41a2d60f5f789257218d

SHA256
db6dd679185be4cc8db6628f9bbc9bc9a0e6084b5de3614ab750a6e235ca9cdf

SHA512
cee5464d0d18f9f4ef95331ebe4ec0195105ed2ff208fec0aa2b9f860a85589217d173f5d6df0208edd9d989a32578263f52e3c55411dc221a7729c2d6ed0fee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
191KB

MD5
b6fcb5eabbe3a119d475907a19a43a95

SHA1
46e8c9477881b3b52c0fd4b6cff7ec6836fe6c0a

SHA256
e0f2d0a4806a15c3a0ab89b423a3a16715e96619a05bd6c0bb6c3b12ac2002c0

SHA512
4fe0e37a910c5013024d5c2e238def03a08f72c8745023687bedfd74ff3ca860dcfba859353d04e7bb7ef979d91c214b1eab11312930a5ef6a266f5d6503f6a8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
161KB

MD5
54683903b9c441f04bdceafdd2616ef3

SHA1
142e81135c253fd4414090b2069623b08cb3068a

SHA256
01790de47427a35c1d82454a978b70e14ef896fa9be78bc99fa845dd20954aee

SHA512
0f6c07c7fa871d0d1e31f570e18cb88f73e8f3f880d70fe3d48b4bc2e6cd7736634bcacfc668463a1d43e6d1cc1a826fab1f9abb6fbedf6857500fcf3ac96e15

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
107KB

MD5
b15aa06620e4dc5bdb7135704976333d

SHA1
01ccb1eb42eaa24d5eb8b80082d1e7dcb852f95a

SHA256
7ae9562b70ea2e2d25595b2d2602c92df59941b756e00854dbfc419f60c14e64

SHA512
1b686f039274d7da04dbfc779cf9dd9aad6f295a15bb4a138badf9878e0b8d9ea224a6b2a0d8d500661562b25caea90d188c93495da1fda8843096495efa0009

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
240KB

MD5
cf432bb402d57781692de0024fc3e7b4

SHA1
d232e9558be403f160388d205ed0f6f6a065d4e5

SHA256
1d87dd707f25d4403f182716a5a996ed1cde9803bf1ab2fd3d62fd0740cfbc8d

SHA512
945674ea7fde932b3150beac63f7a1e261c84f4197a4c8c0f6f0a066b4adc580ca3c86f8e3aeb93eba51e5eea2e6509b380625834185d8de5eb69688a9dfb980

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
124KB

MD5
15eb3b443d0f7ecbcc5bdeb07e984fd2

SHA1
cdfda8403a101ee96959e04ad0ebfca38975813c

SHA256
144f7d834a6a2e32de77648662f59aa68b5c72e40e27336aa4bbf62ca8a3d40a

SHA512
fce48ad9a8d35430debc9ef9f4c53794cab53a7e2cc599bec7e6077c0df8174a8eb119e2534e0bc519ac49d085ab8bab2b67cbfa740f982d3ffcfa239ca94434

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
184KB

MD5
056d00d2fa5018bd758d70b45d67ff62

SHA1
a9b94944f9c042cd331dadbb57d030e25c718f3c

SHA256
a18a573899bbab8a3618f47665bd46b87f55f03e31506b9bc9c32b59710df3a5

SHA512
da045ce3f0fbfea15e00cb304a173d05257d39a0395974412869012a16a31f86d4938c05ceafeb220d0fa7a66f4c98a420287f6ec95a9372914cacf26e38234f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
124KB

MD5
af2ab66881d8f02f6f869ed2eac32a3c

SHA1
121cf1c5bef0131883704b987178e76cf5159f9c

SHA256
f63aea2c10845e61054adfd636e70d993bf3f2fb6b5b7c2ea51e4f2c395d27f9

SHA512
7dcf1675365d39a25708c002015e0805445fef4f25e13cdda0b66d2f826b226b16044b5357e6566448cf9992aea7779d77ad60c7a239dc67b039d6c533bd42a3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
195KB

MD5
68ba8f2afff27f72013c0cd047ccbf62

SHA1
e13a5dc0514e7dd47a9e667c6f8171b8c19a5e07

SHA256
48c899ca1283fbc4c935af3ddd6985bd187813da45670d9c25fbb02946e2cb8e

SHA512
dbe03ccd0e33de889cda5c513b8209bab5597ee5aa9bebdc732ba293a840cec40916e6415bc24a07ac6450569527f477a8cb3090d83ae42a1b989732b0ec49a1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
124KB

MD5
aef7aad87d6da989b00e279b29143684

SHA1
79c539f5169e7bc244c9d8e79b540b5ef1da1bf6

SHA256
55a21c7c05dcf13beeae120ae10f3bf42b726cc4419a16d0dd49b2e1c68fe249

SHA512
e999fc367e1fec15b080caddb7978c5a93840e8d144d0964bfb6862bf495a3dcd62e45cbfbd79fb62afaf5fe79d944cd6b999b51656213622fd7ba98346f65d8

Download Submit
memory/832-537-0x0000000000710000-0x0000000000777000-memory.dmp

Filesize
412KB

Download
memory/832-543-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/856-247-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/856-165-0x0000000000BD0000-0x0000000000C30000-memory.dmp

Filesize
384KB

Download
memory/856-163-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/856-380-0x0000000140000000-0x00000001400B2000-memory.dmp

Filesize
712KB

Download
memory/948-271-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/948-268-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/948-263-0x0000000000300000-0x0000000000367000-memory.dmp

Filesize
412KB

Download
memory/948-466-0x000000002E000000-0x000000002FE1E000-memory.dmp

Filesize
30.1MB

Download
memory/1156-541-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1156-540-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1156-529-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1156-526-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/1400-341-0x0000000000B00000-0x0000000000B67000-memory.dmp

Filesize
412KB

Download
memory/1400-490-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1400-399-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1400-491-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1400-339-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1408-525-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1408-499-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1408-513-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1408-507-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/1616-295-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/1616-496-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/1616-297-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

Filesize
9.6MB

Download
memory/1616-524-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/1616-292-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

Filesize
9.6MB

Download
memory/1616-346-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/1616-492-0x000007FEF4650000-0x000007FEF4FED000-memory.dmp

Filesize
9.6MB

Download
memory/1616-544-0x0000000001070000-0x00000000010F0000-memory.dmp

Filesize
512KB

Download
memory/1652-480-0x0000000000600000-0x0000000000667000-memory.dmp

Filesize
412KB

Download
memory/1652-509-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1652-494-0x0000000072BF0000-0x00000000732DE000-memory.dmp

Filesize
6.9MB

Download
memory/1652-506-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/1676-164-0x0000000001980000-0x0000000001990000-memory.dmp

Filesize
64KB

Download
memory/1676-149-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-320-0x0000000140000000-0x000000014013C000-memory.dmp

Filesize
1.2MB

Download
memory/1676-248-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1676-150-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/1676-156-0x00000000003B0000-0x0000000000410000-memory.dmp

Filesize
384KB

Download
memory/1676-167-0x0000000001990000-0x00000000019A0000-memory.dmp

Filesize
64KB

Download
memory/1676-409-0x0000000001A30000-0x0000000001A31000-memory.dmp

Filesize
4KB

Download
memory/1680-144-0x0000000140000000-0x00000001400AE000-memory.dmp

Filesize
696KB

Download
memory/1808-252-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1808-259-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/1808-258-0x00000000008E0000-0x0000000000940000-memory.dmp

Filesize
384KB

Download
memory/1808-417-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2028-141-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2028-242-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2028-0-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2028-1-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2028-6-0x0000000000650000-0x00000000006B7000-memory.dmp

Filesize
412KB

Download
memory/2076-159-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2076-29-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2076-12-0x0000000100000000-0x00000001000A4000-memory.dmp

Filesize
656KB

Download
memory/2076-13-0x00000000003E0000-0x0000000000440000-memory.dmp

Filesize
384KB

Download
memory/2308-287-0x0000000000910000-0x0000000000970000-memory.dmp

Filesize
384KB

Download
memory/2308-289-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/2484-92-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2484-250-0x0000000140000000-0x000000014009D000-memory.dmp

Filesize
628KB

Download
memory/2520-97-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2520-122-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2520-102-0x0000000000240000-0x00000000002A7000-memory.dmp

Filesize
412KB

Download
memory/2520-96-0x0000000010000000-0x000000001009F000-memory.dmp

Filesize
636KB

Download
memory/2628-305-0x000000002E000000-0x000000002E0B5000-memory.dmp

Filesize
724KB

Download
memory/2652-139-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2652-112-0x0000000010000000-0x00000000100A7000-memory.dmp

Filesize
668KB

Download
memory/2732-300-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2732-410-0x0000000073FF8000-0x000000007400D000-memory.dmp

Filesize
84KB

Download
memory/2732-307-0x0000000000860000-0x00000000008C0000-memory.dmp

Filesize
384KB

Download
memory/2732-493-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2732-317-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2732-512-0x0000000100000000-0x0000000100542000-memory.dmp

Filesize
5.3MB

Download
memory/2732-531-0x0000000073FF8000-0x000000007400D000-memory.dmp

Filesize
84KB

Download
memory/2808-124-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download
memory/2808-125-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2808-131-0x0000000000230000-0x0000000000297000-memory.dmp

Filesize
412KB

Download
memory/2808-274-0x0000000000400000-0x00000000004A8000-memory.dmp

Filesize
672KB

Download