928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1

Resubmissions

22/02/2024, 16:49

240222-vbqc4scf6v 6

22/02/2024, 16:45

240222-t9m5zacf31 8

22/02/2024, 16:45

240222-t9darscf3v 1

22/02/2024, 16:41

240222-t68bqsce8v 6

Analysis

max time kernel
147s
max time network
123s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
22/02/2024, 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

setup-lightshot.exe
Size

2.7MB
MD5

a1f6923e771b4ff0df9fec9555f97c65
SHA1

545359cd68d0ee37f4b15e1a22c2c9a5fda69e22
SHA256

928c2808421dfd487ffa697379548cbe682c0e13aeb595eb89973ba9c515b8a1
SHA512

c9e54f48208151dcf60bf049d09a5c69f6ef7e4f046359fdfd50c61d49a6f9a37c3d3a2016d4beb70ae47270e9e9689e03064c02bee1e1d3d95998000e47f153
SSDEEP

49152:/i85nVhfVnQiGmEwZbyVKf3tOOr/o2rm0mMXgT11rNjiG0C+0LRzasw:a85nVZarmEwZecPzJWDLN+GwOnw

Score

8^/10

adware discovery persistence stealer

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 12 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Message\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\CertCheck\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Initialization\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Cryptography\Providers\Trust\Signature\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\Certificate\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Cryptography\Providers\Trust\FinalPolicy\{A7F4C378-21BE-494e-BA0F-BB12C5D208C5}	msiexec.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Lightshot = "C:\\Program Files (x86)\\Skillbrains\\lightshot\\Lightshot.exe"	setup-lightshot.tmp

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Installs/modifies Browser Helper Object 2 TTPs 2 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{DBC80044-A445-435b-BC74-9C25C1C588A9}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}	rundll32.exe

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{09CCBE8E-B964-30EF-AE84-6537AB4197F9}	msiexec.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\perfh009.dat	aspnet_regiis.exe
File created	C:\Windows\system32\wbem\AutoRecover\C9D18202AA357A22C174FCBBAA8AFC56.mof	mofcomp.exe
File created	C:\Windows\system32\perfc007.dat	unlodctr.exe
File created	C:\Windows\system32\perfh00C.dat	unlodctr.exe
File created	C:\Windows\system32\perfh007.dat	unlodctr.exe
File created	C:\Windows\system32\perfc011.dat	unlodctr.exe
File opened for modification	C:\Windows\SysWOW64\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\system32\perfh010.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh007.dat	unlodctr.exe
File created	C:\Windows\system32\perfc00A.dat	unlodctr.exe
File created	C:\Windows\system32\perfc00A.dat	unlodctr.exe
File created	C:\Windows\system32\perfc00C.dat	unlodctr.exe
File created	C:\Windows\system32\perfh010.dat	unlodctr.exe
File opened for modification	C:\Windows\SysWOW64\msvcr110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr110_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc010.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc010.dat	unlodctr.exe
File created	C:\Windows\system32\perfh010.dat	unlodctr.exe
File created	C:\Windows\system32\perfh00A.dat	unlodctr.exe
File opened for modification	C:\Windows\system32\msvcp110_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\msvcr100_clr0400.dll	msiexec.exe
File opened for modification	C:\Windows\system32\en-US\dfshim.dll.mui	msiexec.exe
File created	C:\Windows\system32\perfh010.dat	unlodctr.exe
File created	C:\Windows\system32\perfc00C.dat	unlodctr.exe
File created	C:\Windows\system32\perfh011.dat	unlodctr.exe
File opened for modification	C:\Windows\system32\aspnet_counters.dll	msiexec.exe
File created	C:\Windows\system32\perfc009.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc011.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh011.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh009.dat	unlodctr.exe
File created	C:\Windows\system32\perfc011.dat	unlodctr.exe
File opened for modification	C:\Windows\SysWOW64\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh011.dat	unlodctr.exe
File created	C:\Windows\system32\perfh00A.dat	unlodctr.exe
File created	C:\Windows\system32\perfh010.dat	unlodctr.exe
File created	C:\Windows\system32\perfh009.dat	unlodctr.exe
File created	C:\Windows\system32\perfc00C.dat	unlodctr.exe
File created	C:\Windows\system32\perfh011.dat	unlodctr.exe
File created	C:\Windows\system32\perfc00A.dat	unlodctr.exe
File created	C:\Windows\system32\perfh007.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc00C.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh00A.dat	unlodctr.exe
File created	C:\Windows\system32\perfc009.dat	unlodctr.exe
File created	C:\Windows\system32\perfh009.dat	unlodctr.exe
File created	C:\Windows\system32\perfc010.dat	unlodctr.exe
File opened for modification	C:\Windows\system32\msvcr120_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfh00C.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfc009.dat	unlodctr.exe
File created	C:\Windows\system32\perfh009.dat	unlodctr.exe
File created	C:\Windows\system32\perfc007.dat	unlodctr.exe
File created	C:\Windows\system32\perfc009.dat	unlodctr.exe
File opened for modification	C:\Windows\SysWOW64\msvcr100_clr0400.dll	msiexec.exe
File created	C:\Windows\system32\perfc007.dat	aspnet_regiis.exe
File created	C:\Windows\system32\perfh007.dat	unlodctr.exe
File created	C:\Windows\system32\perfh00C.dat	unlodctr.exe
File created	C:\Windows\system32\perfc007.dat	unlodctr.exe
File created	C:\Windows\system32\perfc009.dat	unlodctr.exe
File created	C:\Windows\system32\perfc007.dat	unlodctr.exe
File created	C:\Windows\system32\perfc009.dat	unlodctr.exe
File created	C:\Windows\system32\perfc00A.dat	unlodctr.exe
File created	C:\Windows\system32\perfh00C.dat	unlodctr.exe
File created	C:\Windows\system32\perfc011.dat	unlodctr.exe
File created	C:\Windows\system32\perfh00A.dat	aspnet_regiis.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jre7\lib\zi\EST5EDT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Honolulu	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\javafx-iio.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe	setup-lightshot.tmp
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\North_Dakota\Beulah	msiexec.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-IV0JG.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Cairo	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chihuahua	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Irkutsk	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Tehran	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT+5	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Maputo	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Chicago	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dtplugin\npdeployJava1.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\AssemblyList_4_client.xml	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Dawson	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Recife	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\AST4ADT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\CST6	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jdwp.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Novokuznetsk	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Zaporozhye	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Efate	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\SystemV\EST5	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\mlib_image.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Belem	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Costa_Rica	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Lima	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Khandyga	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Madrid	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\deploy\messages.properties	msiexec.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-KTSD7.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-DH4E3.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Khartoum	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Atlantic\Cape_Verde	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-8	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\fontconfig.bfc	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\wsdetect.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Kuching	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Uzhgorod	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\cmm\LINEAR_RGB.pf	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\ext\jaccess.jar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jfxwebkit.dll	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\jp2iexp.dll	msiexec.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\is-0S115.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Araguaina	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Atikokan	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Caracas	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Pacific\Midway	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\hprof.dll	msiexec.exe
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-OQTMN.tmp	setup-lightshot.tmp
File created	C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\is-56QQU.tmp	setup-lightshot.tmp
File opened for modification	C:\Program Files\Java\jre7\release	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Cuiaba	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Asia\Sakhalin	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Indian\Mahe	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Casablanca	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\America\Detroit	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\GMT-1	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Europe\Gibraltar	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Etc\UCT	msiexec.exe
File opened for modification	C:\Program Files\Java\jre7\bin\dt_shmem.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Skillbrains\lightshot\unins000.dat	setup-lightshot.tmp
File opened for modification	C:\Program Files\Java\jre7\lib\zi\Africa\Nairobi	msiexec.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\en-US\ServiceModelRegUI.dll.mui	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_filter.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI4CE7.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.Royale.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1049\SetupResources.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Threading.Overlapped\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Threading.Overlapped.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\K57TIJGVY5\System.DirectoryServices.Protocols.ni.dll.aux	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\temp\NCSNCBXLEX\XamlBuildTask.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Collections.Concurrent.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallCommon.sql	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Common.Tasks	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSI7D5A.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Diagnostics.TextWriterTraceListener.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Xml.XmlSerializer\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Xml.XmlSerializer.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageAllRoles.aspx.resx	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\Microsoft.Win32.Primitives.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\WPF\PresentationFramework.Classic.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.Web.DataVisualization.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardAddUser.ascx.resx	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI13EF.tmp	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\LNT2567X91\System.IdentityModel.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\CORPerfMonSymbols.h	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Data.Services.Client\v4.0_4.0.0.0__b77a5c561934e089\System.Data.Services.Client.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Security\Users\addUser.aspx	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\App_Data\GroupedProviders.xml	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\O37EOB0BU8\System.Activities.DurableInstancing.ni.dll	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\_Networkingperfcounters_v2.ini	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI3C83.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\Installer\MSIA70B.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.AppContext.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1028\eula.rtf	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE870.tmp	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\System.Net.Http.WebRequest.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1040\LocalizedData.xml	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Parallel\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Parallel.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Web.ApplicationServices\v4.0_4.0.0.0__31bf3856ad364e35\System.Web.ApplicationServices.dll	msiexec.exe
File opened for modification	C:\Windows\assembly\temp\N50U0HXKTZ\System.Xml.ni.dll.aux	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.DirectoryServices.AccountManagement\v4.0_4.0.0.0__b77a5c561934e089\System.DirectoryServices.AccountManagement.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminHelp_Internals.aspx	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	ngen.exe
File opened for modification	C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.ComponentModel.Annotations\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.ComponentModel.Annotations.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\PerfCounter.dll	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\diasymreader.dll	msiexec.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\temp\W6E5AOESKV\System.ServiceModel.ServiceMoniker40.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\NETFXRepair.1046.dll	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2207.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	ngen.exe
File created	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\temp\PNXKUHV292\System.Data.Services.Design.ni.dll	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\XsdBuildTask.dll	msiexec.exe

Executes dropped EXE 64 IoCs

pid	Process
1304	setup-lightshot.tmp
2364	Lightshot.exe
2368	Lightshot.exe
1604	setupupdater.exe
496	setupupdater.tmp
2604	Updater.exe
3068	Updater.exe
2676	Updater.exe
2512	Updater.exe
2556	Updater.exe
1804	updater.exe
2272	updater.exe
2260	updater.exe
2768	updater.exe
2372	MSI95DC.tmp
1952	mscorsvw.exe
2572	ngen.exe
2448	mscorsvw.exe
2196	ngen.exe
1664	mscorsvw.exe
1032	ngen.exe
2984	mscorsvw.exe
2652	ngen.exe
2504	mscorsvw.exe
2240	ngen.exe
2588	mscorsvw.exe
696	ngen.exe
484	mscorsvw.exe
2132	ngen.exe
2084	mscorsvw.exe
3032	ngen.exe
2364	mscorsvw.exe
1264	ngen.exe
2396	mscorsvw.exe
704	ngen.exe
1252	mscorsvw.exe
2468	ngen.exe
2688	ngen.exe
2228	mscorsvw.exe
2152	ngen.exe
2276	mscorsvw.exe
2764	ngen.exe
1940	mscorsvw.exe
1576	ngen.exe
2280	conhost.exe
2272	ngen.exe
1304	mscorsvw.exe
1328	ngen.exe
2208	ngen.exe
2220	ngen.exe
2212	mscorsvw.exe
1796	ngen.exe
3068	mscorsvw.exe
768	ngen.exe
1952	mscorsvw.exe
2852	ngen.exe
1760	mscorsvw.exe
2388	mscorsvw.exe
2824	ngen.exe
2584	mscorsvw.exe
1696	ngen.exe
2740	mscorsvw.exe
2176	ngen.exe
1488	mscorsvw.exe

Launches sc.exe 8 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1932	sc.exe
2664	sc.exe
1600	sc.exe
1012	sc.exe
444	sc.exe
1948	sc.exe
632	sc.exe
896	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
1132	setup-lightshot.exe
1616	MsiExec.exe
1304	setup-lightshot.tmp
1304	setup-lightshot.tmp
2364	Lightshot.exe
2364	Lightshot.exe
2368	Lightshot.exe
1304	setup-lightshot.tmp
1604	setupupdater.exe
496	setupupdater.tmp
2368	Lightshot.exe
496	setupupdater.tmp
3068	Updater.exe
496	setupupdater.tmp
2676	Updater.exe
1304	setup-lightshot.tmp
1804	updater.exe
1304	setup-lightshot.tmp
2260	updater.exe
1616	MsiExec.exe
2460	msiexec.exe
1616	MsiExec.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
1664	rundll32.exe
2036	MsiExec.exe
2484	MsiExec.exe
2036	MsiExec.exe
2484	MsiExec.exe
2036	MsiExec.exe
2484	MsiExec.exe
2484	MsiExec.exe
2036	MsiExec.exe
2036	MsiExec.exe
1252	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
1952	mscorsvw.exe
2036	MsiExec.exe
3012	Process not Found
2572	ngen.exe
2572	ngen.exe
2572	ngen.exe
2572	ngen.exe
2572	ngen.exe
2448	mscorsvw.exe
2448	mscorsvw.exe
2036	MsiExec.exe
2632	Process not Found
2196	ngen.exe
2196	ngen.exe
2196	ngen.exe
2196	ngen.exe
2196	ngen.exe
1664	mscorsvw.exe
1664	mscorsvw.exe
2036	MsiExec.exe
2940	Process not Found
1032	ngen.exe

Registers COM server for autorun 1 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0057-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0047-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0009-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0001-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0037-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0004-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0077-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0039-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0056-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0028-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0068-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0002-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0042-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0056-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0016-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0007-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0003-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0022-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0007-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0011-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0033-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0081-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0062-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0013-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0014-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0077-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0030-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0020-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0011-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0015-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0012-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0026-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0052-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0082-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\InprocServer32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0023-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0043-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0078-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0026-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0029-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0073-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0061-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0070-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0083-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0027-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0057-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0038-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0072-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	msiexec.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	msiexec.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Setup.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Setup.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
2872	taskkill.exe
2412	taskkill.exe

Modifies Internet Explorer settings 1 TTPs 48 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{E18DE241-D1A1-11EE-815A-6A55B5C6A64E} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{44D1B085-E495-4B5F-9EE6-34795C46E7E7}	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppName	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8FE2181-CAE7-49EE-9B04-DB7EB4DA544A}	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a70000000000200000000001066000000010000200000000db23b2490db647dad864792d2123db0769ba59860120b207692cce77c1ae4a3000000000e80000000020000200000004616a8da2bf0d3096d9d6be1de488fddda0874ad73e7637261b1c4a36cbad92b200000001d530c86ec3f876d139f13722c49425df5245c7a6e98b7a7606ec914f5a102f74000000031e9df892e0c6beb1d4e173fb6f061d9cf7875368d32d441739041fbfa085cf22791169e54f00931d2eb7a0bb833ab47edd9946ac95886aaff729158d7ec4fd0	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 401e27b7ae65da01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a700000000002000000000010660000000100002000000067a107ba70cae317d1f438ef96fcadcd50b01112a78d077d1c7a0deb32110b5b000000000e80000000020000200000003eeb1de304bdf436c00eaba9ff642fd4bac1aec5b2ee4d11cf75c0937b5702ff9000000016205b95ef9f75bafa83f92d64ea6b0113acbfc8de89da82ec0c263d8df9c1991c6607d28e5ec9e1ed3f0481e17f1f6c564221d854e78ad38e414d6644167c2005ccdbbc802a2327f13380a6bf708c05f855bb76ebb818ebdc3a4207c7d3b82b3b3cb8372ad13c7ee67bf395d84b2246ad9380a2abeb47778f6ae4ffac4a74a392715b51a33d8e01c597682db47791b940000000c42d8eeabbdeef78a3a2425b8fd6a6cd7987d1a396f5f5c70d730cbe7734a3fa46374f4f14cb96f49fa62ff3d3e5d6a0b1229a3b72b480fb6f566d2ce2d37000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\AppPath	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AEC-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{C8999AED-AECE-4E27-9BCB-5358B13F9FF9}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5852F5ED-8BF4-11D4-A245-0080C6F74284}\Policy = "19"	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{1F1E561D-AF17-4510-B996-351BBA0862A7}	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies data under HKEY_USERS 51 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2F	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\30	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0075-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{27B33BD9-E6F7-3148-911D-F67340A5353F}\4.0.0.0	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0000-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0018-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0075-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0076-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0030-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0038-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0062-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0004-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0053-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0028-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0093-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0042-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0035-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0046-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0044-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0036-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0057-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{45FB4600-E6E8-4928-B25E-50476FF79425}\Implemented Categories	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{6EE96102-3657-3D66-867A-26B63AAAAF78}\4.0.0.0	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0010-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{5F7A2664-4778-3D72-A78F-D38B6B00180D}\4.0.0.0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{5437FDFA-9EC9-4CCC-8531-42F8D9C19AF7}\Implemented Categories	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{2A7B042D-578A-4366-9A3D-154C0498458E}\InprocServer32	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0037-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0066-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0015-0000-0071-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0029-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{1E552DAE-602E-3CB5-9BFA-22AEB1FC38A5}\4.0.0.0	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0030-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0065-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0074-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0089-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0008-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0039-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0011-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0065-ABCDEFFEDCBA}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0007-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0001-0000-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0019-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0016-0000-0071-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{75C9E85E-D2D1-32DB-BF9C-0636F94FB0C2}\4.0.0.0	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{8636F9A3-3B92-38E6-95DC-0B965086AC44}\4.0.0.0	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0014-0002-0031-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0078-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0069-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0010-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Record\{048FA0C2-8EBB-3BC2-A47F-01F12A32008E}\4.0.0.0	msiexec.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0017-0000-0002-ABCDEFFEDCBA}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0013-0001-0013-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0014-0002-0038-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4299124F-F2C3-41B4-9C73-9236B2AD0E8F}\DefaultIcon	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0015-0000-0056-ABCDEFFEDCBC}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0031-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0064-ABCDEFFEDCBC}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CAFEEFAC-0017-0000-0041-ABCDEFFEDCBB}	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0013-0001-0012-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0025-ABCDEFFEDCBB}\INPROCSERVER32	rundll32.exe
Key deleted	\REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000_CLASSES\CLSID\{CAFEEFAC-0016-0000-0081-ABCDEFFEDCBA}	rundll32.exe

Opens file in notepad (likely ransom note) 2 IoCs

ransomware

pid	Process
1972	NOTEPAD.EXE
2504	NOTEPAD.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1304	setup-lightshot.tmp
1304	setup-lightshot.tmp
496	setupupdater.tmp
496	setupupdater.tmp
2372	MSI95DC.tmp
656	Setup.exe
656	Setup.exe
656	Setup.exe
656	Setup.exe
656	Setup.exe
656	Setup.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe
2512	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeSecurityPrivilege	2460	msiexec.exe
Token: SeBackupPrivilege	2916	vssvc.exe
Token: SeRestorePrivilege	2916	vssvc.exe
Token: SeAuditPrivilege	2916	vssvc.exe
Token: SeBackupPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	1716	DrvInst.exe
Token: SeLoadDriverPrivilege	1716	DrvInst.exe
Token: SeLoadDriverPrivilege	1716	DrvInst.exe
Token: SeLoadDriverPrivilege	1716	DrvInst.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeDebugPrivilege	2872	taskkill.exe
Token: SeDebugPrivilege	2412	taskkill.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeDebugPrivilege	2372	MSI95DC.tmp
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeBackupPrivilege	1664	rundll32.exe
Token: SeRestorePrivilege	1664	rundll32.exe
Token: SeBackupPrivilege	1664	rundll32.exe
Token: SeRestorePrivilege	1664	rundll32.exe
Token: SeBackupPrivilege	1664	rundll32.exe
Token: SeRestorePrivilege	1664	rundll32.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe
Token: SeTakeOwnershipPrivilege	2460	msiexec.exe
Token: SeRestorePrivilege	2460	msiexec.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1304	setup-lightshot.tmp
496	setupupdater.tmp
2368	Lightshot.exe
2368	Lightshot.exe
2368	Lightshot.exe
2788	iexplore.exe

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
2368	Lightshot.exe
2368	Lightshot.exe
2368	Lightshot.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2788	iexplore.exe
2788	iexplore.exe
1524	IEXPLORE.EXE
1524	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 1304	1132	setup-lightshot.exe	28
PID 1132 wrote to memory of 1304	1132	setup-lightshot.exe	28
PID 1132 wrote to memory of 1304	1132	setup-lightshot.exe	28
PID 1132 wrote to memory of 1304	1132	setup-lightshot.exe	28
PID 1132 wrote to memory of 1304	1132	setup-lightshot.exe	28
PID 1132 wrote to memory of 1304	1132	setup-lightshot.exe	28
PID 1132 wrote to memory of 1304	1132	setup-lightshot.exe	28
PID 2460 wrote to memory of 1616	2460	msiexec.exe	35
PID 2460 wrote to memory of 1616	2460	msiexec.exe	35
PID 2460 wrote to memory of 1616	2460	msiexec.exe	35
PID 2460 wrote to memory of 1616	2460	msiexec.exe	35
PID 2460 wrote to memory of 1616	2460	msiexec.exe	35
PID 1304 wrote to memory of 2872	1304	setup-lightshot.tmp	36
PID 1304 wrote to memory of 2872	1304	setup-lightshot.tmp	36
PID 1304 wrote to memory of 2872	1304	setup-lightshot.tmp	36
PID 1304 wrote to memory of 2872	1304	setup-lightshot.tmp	36
PID 1304 wrote to memory of 2412	1304	setup-lightshot.tmp	39
PID 1304 wrote to memory of 2412	1304	setup-lightshot.tmp	39
PID 1304 wrote to memory of 2412	1304	setup-lightshot.tmp	39
PID 1304 wrote to memory of 2412	1304	setup-lightshot.tmp	39
PID 1304 wrote to memory of 2364	1304	setup-lightshot.tmp	41
PID 1304 wrote to memory of 2364	1304	setup-lightshot.tmp	41
PID 1304 wrote to memory of 2364	1304	setup-lightshot.tmp	41
PID 1304 wrote to memory of 2364	1304	setup-lightshot.tmp	41
PID 2364 wrote to memory of 2368	2364	Lightshot.exe	42
PID 2364 wrote to memory of 2368	2364	Lightshot.exe	42
PID 2364 wrote to memory of 2368	2364	Lightshot.exe	42
PID 2364 wrote to memory of 2368	2364	Lightshot.exe	42
PID 1304 wrote to memory of 1604	1304	setup-lightshot.tmp	43
PID 1304 wrote to memory of 1604	1304	setup-lightshot.tmp	43
PID 1304 wrote to memory of 1604	1304	setup-lightshot.tmp	43
PID 1304 wrote to memory of 1604	1304	setup-lightshot.tmp	43
PID 1304 wrote to memory of 1604	1304	setup-lightshot.tmp	43
PID 1304 wrote to memory of 1604	1304	setup-lightshot.tmp	43
PID 1304 wrote to memory of 1604	1304	setup-lightshot.tmp	43
PID 1604 wrote to memory of 496	1604	setupupdater.exe	44
PID 1604 wrote to memory of 496	1604	setupupdater.exe	44
PID 1604 wrote to memory of 496	1604	setupupdater.exe	44
PID 1604 wrote to memory of 496	1604	setupupdater.exe	44
PID 1604 wrote to memory of 496	1604	setupupdater.exe	44
PID 1604 wrote to memory of 496	1604	setupupdater.exe	44
PID 1604 wrote to memory of 496	1604	setupupdater.exe	44
PID 496 wrote to memory of 2760	496	setupupdater.tmp	45
PID 496 wrote to memory of 2760	496	setupupdater.tmp	45
PID 496 wrote to memory of 2760	496	setupupdater.tmp	45
PID 496 wrote to memory of 2760	496	setupupdater.tmp	45
PID 2760 wrote to memory of 2712	2760	net.exe	47
PID 2760 wrote to memory of 2712	2760	net.exe	47
PID 2760 wrote to memory of 2712	2760	net.exe	47
PID 2760 wrote to memory of 2712	2760	net.exe	47
PID 496 wrote to memory of 2604	496	setupupdater.tmp	48
PID 496 wrote to memory of 2604	496	setupupdater.tmp	48
PID 496 wrote to memory of 2604	496	setupupdater.tmp	48
PID 496 wrote to memory of 2604	496	setupupdater.tmp	48
PID 496 wrote to memory of 2604	496	setupupdater.tmp	48
PID 496 wrote to memory of 2604	496	setupupdater.tmp	48
PID 496 wrote to memory of 2604	496	setupupdater.tmp	48
PID 496 wrote to memory of 3068	496	setupupdater.tmp	49
PID 496 wrote to memory of 3068	496	setupupdater.tmp	49
PID 496 wrote to memory of 3068	496	setupupdater.tmp	49
PID 496 wrote to memory of 3068	496	setupupdater.tmp	49
PID 496 wrote to memory of 3068	496	setupupdater.tmp	49
PID 496 wrote to memory of 3068	496	setupupdater.tmp	49
PID 496 wrote to memory of 3068	496	setupupdater.tmp	49

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\setup-lightshot.exe
"C:\Users\Admin\AppData\Local\Temp\setup-lightshot.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Users\Admin\AppData\Local\Temp\is-4VRM0.tmp\setup-lightshot.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-4VRM0.tmp\setup-lightshot.tmp" /SL5="$70126,2148280,486912,C:\Users\Admin\AppData\Local\Temp\setup-lightshot.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in Program Files directory
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1304
- - C:\Windows\SysWOW64\taskkill.exe
    "C:\Windows\System32\taskkill.exe" /f /im lightshot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2872
- - C:\Windows\SysWOW64\taskkill.exe
    "taskkill.exe" /F /IM lightshot.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2412
- - C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe
    "C:\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe
      "C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2368
- - C:\Users\Admin\AppData\Local\Temp\is-AHVGO.tmp\setupupdater.exe
    "C:\Users\Admin\AppData\Local\Temp\is-AHVGO.tmp\setupupdater.exe" /verysilent
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Users\Admin\AppData\Local\Temp\is-CDQCR.tmp\setupupdater.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-CDQCR.tmp\setupupdater.tmp" /SL5="$1022C,490430,120832,C:\Users\Admin\AppData\Local\Temp\is-AHVGO.tmp\setupupdater.exe" /verysilent
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of FindShellTrayWindow
      Suspicious use of WriteProcessMemory
      PID:496
    - - C:\Windows\SysWOW64\net.exe
        
        "C:\Windows\system32\net.exe" START SCHEDULE
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2760
      - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 START SCHEDULE
        6⤵
        
        PID:2712
    - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addsystask
        5⤵
        Executes dropped EXE
        
        PID:2604
    - - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:3068
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\Updater\info.xml"
        6⤵
        Executes dropped EXE
        
        PID:2512
    - - C:\Program Files (x86)\Skillbrains\Updater\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2676
      - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe
        
        "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe" -runmode=ping -url="http://updater.prntscr.com/getver/updater?ping=true"
        6⤵
        Executes dropped EXE
        
        PID:2556
- - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
    "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addtask
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1804
  - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addtask
      4⤵
      Executes dropped EXE
      PID:2272
- - C:\Program Files (x86)\Skillbrains\Updater\updater.exe
    "C:\Program Files (x86)\Skillbrains\Updater\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2260
  - - C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe
      "C:\Program Files (x86)\Skillbrains\Updater\1.8.0.0\updater.exe" -runmode=addproduct -info="C:\Program Files (x86)\Skillbrains\lightshot\info.xml"
      4⤵
      Executes dropped EXE
      PID:2768
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://app.prntscr.com/thankyou_desktop.html#install_source=default
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2788
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2788 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1524

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
PID:1420

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Loads dropped DLL
- Checks processor information in registry
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding AD8E81E924348C52D424F3ADA7B27118
  2⤵
  - Loads dropped DLL
  PID:1616
- C:\Windows\Installer\MSI95DC.tmp
  "C:\Windows\Installer\MSI95DC.tmp" C:\Program Files\Java\jre7\;C;3
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2372
- C:\Windows\system32\rundll32.exe
  rundll32.exe "C:\Program Files\Java\jre7\bin\\installer.dll",UninstallJREEntryPoint
  2⤵
  - Installs/modifies Browser Helper Object
  - Loads dropped DLL
  - Registers COM server for autorun
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:1664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2916

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000394" "00000000000004A0"
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\Setup.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\\Setup.exe" /repair /x86 /x64
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:656

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Manipulates Digital Signatures
- Enumerates connected drives
- Modifies Installed Components in the registry
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:2512
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding D03CD781570F9134DC1517A1474D5E05
  2⤵
  - Loads dropped DLL
  PID:2036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2448
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2196
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1664
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2984
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Accessibility, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2504
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "CustomMarshalers, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2588
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:696
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2084
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualC, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:3032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2364
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:1264
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    PID:704
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1252
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2468
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.SqlXml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2228
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2152
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2276
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2764
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:1940
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2280
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2272
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:1304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:1328
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2220
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1796
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:3068
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:1952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2852
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:1760
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 104 -Pipe 16c -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2388
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Windows.Forms.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2824
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:2584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:1696
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      Executes dropped EXE
      PID:2740
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.AddIn.Contract, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:2176
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1488
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.AddIn, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:1576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ComponentModel.Composition, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ComponentModel.Composition.Registration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:576
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:408
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Reflection.Context, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2876
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:3004
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ComponentModel.DataAnnotations, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Executes dropped EXE
    PID:1796
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2560
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:292
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1664
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1916
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1280
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2276
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.Services.Client, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2704
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Management.Instrumentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Executes dropped EXE
      PID:1488
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Net, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:2312
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1304
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:868
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:876
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Net.Http.WebRequest, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:496
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2332
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2080
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Internal.Tasks.Dataflow, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2856
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2928
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2560
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2600
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:916
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2604
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Device, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.ApplicationServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1700
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:568
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:484
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic.Compatibility.Data, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2244
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1948
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic.Compatibility, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2828
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic.Activities.Compiler, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:788
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Messaging, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2364
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1924
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2712
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2324
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2932
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Runtime.Serialization.Formatters.Soap, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2984
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1324
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2744
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2764
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Transactions.Bridge, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Transactions.Bridge.Dtc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2504
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2284
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2016
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe" /NoDependencies
    3⤵
    PID:584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1524
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Activities.Core.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2792
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2372
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Activities.DurableInstancing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2836
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2040
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:776
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.IdentityModel.Selectors, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:848
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1988
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.IO.Log, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2280
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1996
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Runtime.DurableInstancing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1520
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2272
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1676
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1524
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1732
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1832
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1808
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Channels, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2792
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Discovery, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:292
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2836
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2492
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2736
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Xml.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1280
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1304
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:632
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Printing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:268
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1256
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:400
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1496
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess fc -Pipe 104 -Comment "NGen Worker Process"
      4⤵
      PID:548
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework.Aero, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2604
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2712
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework.Classic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2184
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework.Luna, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2472
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:3016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework.Royale, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2352
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1052
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework.AeroLite, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:848
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1516
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationUI, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2652
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1300
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2192
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:892
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemData, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1596
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemDrawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2212
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemXml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:3004
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2848
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemXmlLinq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2388
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "UIAutomationClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:3016
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "UIAutomationClientsideProviders, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2764
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:536
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "UIAutomationProvider, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:676
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "UIAutomationTypes, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2052
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "ReachFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2168
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2360
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Windows.Input.Manipulations, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1288
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Windows.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2008
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess fc -Pipe 104 -Comment "NGen Worker Process"
      4⤵
      PID:2656
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "WindowsFormsIntegration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2332
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2920
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Windows.Controls.Ribbon, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2396
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "AspNetMMCExt, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2152
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Mobile, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:3036
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.RegularExpressions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:2496
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2096
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:876
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2244
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Runtime.Caching, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1232
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.Entity.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1872
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2208
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:908
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1920
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 104 -Pipe 16c -Comment "NGen Worker Process"
      4⤵
      PID:2656
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.Services.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1704
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2080
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1396
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2688
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1860
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Drawing.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2152
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2780
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1700
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2052
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.DynamicData, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2240
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 0 -NGENProcess fc -Pipe 104 -Comment "NGen Worker Process"
      4⤵
      PID:2828
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.DynamicData.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:3068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1948
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Entity.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1384
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:952
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1952
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2976
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2384
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.DataVisualization.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2328
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1760
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Extensions.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2556
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:888
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:848
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1032
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2244
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 0 -NGENProcess fc -Pipe 104 -Comment "NGen Worker Process"
      4⤵
      PID:2744
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Windows.Forms.DataVisualization.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2828
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe" /NoDependencies
    3⤵
    PID:2868
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:444
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2156
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.ServiceMoniker40, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2228
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2844
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:3004
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1604
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1424
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2716
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Workflow.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2832
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2756
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1420
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Workflow.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:916
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1472
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.WorkflowServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2528
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2192
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "System.Xaml.Hosting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:496
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2576
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe" /NoDependencies
    3⤵
    PID:2060
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2568
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "XsdBuildTask, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2364
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1496
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "XamlBuildTask, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1808
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:1160
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "Microsoft.Activities.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2856
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f8 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:2768
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe uninstall "PresentationBuildTasks, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 104 -InterruptEvent 0 -NGENProcess f4 -Pipe 100 -Comment "NGen Worker Process"
      4⤵
      PID:804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 0 -NGENProcess 104 -Pipe 16c -Comment "NGen Worker Process"
      4⤵
      PID:2480
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 170 -InterruptEvent 0 -NGENProcess 174 -Pipe 168 -Comment "NGen Worker Process"
      4⤵
      PID:2748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 17c -InterruptEvent 0 -NGENProcess 170 -Pipe 15c -Comment "NGen Worker Process"
      4⤵
      PID:2348
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe" -u
    3⤵
    - Drops file in System32 directory
    PID:2600
  - - C:\Windows\system32\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof.uninstall
      4⤵
      PID:568
  - - C:\Windows\system32\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.Net\Framework64\v2.0.50727\aspnet.mof
      4⤵
      Drops file in System32 directory
      PID:2856
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:676
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:1032
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" "SMSvcHost 4.0.0.0"
    3⤵
    - Drops file in System32 directory
    PID:2780
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" ".NET Memory Cache 4.0"
    3⤵
    - Drops file in System32 directory
    PID:1676
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" "MSDTC Bridge 4.0.0.0"
    3⤵
    - Drops file in System32 directory
    PID:1264
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" "Windows Workflow Foundation 4.0.0.0"
    3⤵
    - Drops file in System32 directory
    PID:2572
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.exe update /queue
    3⤵
    PID:2168
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" ".NET CLR Networking 4.7.0.0"
    3⤵
    PID:1500
- - C:\Windows\system32\unlodctr.exe
    "C:\Windows\system32\unlodctr.exe" ".NET Data Provider for Oracle"
    3⤵
    - Drops file in System32 directory
    PID:2316
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding F8B2B64E56C25C18DE54038E49D05227
  2⤵
  - Loads dropped DLL
  PID:2484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "mscorlib, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:848
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.EnterpriseServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1508
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:876
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.CSharp, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2316
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Dynamic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1872
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Accessibility, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2008
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "CustomMarshalers, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2844
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework\v4.0.30319\dfsvc.exe" /NoDependencies
    3⤵
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1536
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2468
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:852
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualC, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1916
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2756
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Configuration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Configuration.Install, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2752
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2244
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.SqlXml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2308
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Deployment, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2208
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.DirectoryServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2644
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.DirectoryServices.AccountManagement, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2628
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.DirectoryServices.Protocols, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:1960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Drawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1780
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Management, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2948
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2492
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Security, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2808
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceProcess, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Windows.Forms, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:3008
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 0 -NGENProcess 120 -Pipe 188 -Comment "NGen Worker Process"
      4⤵
      PID:1972
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Windows.Forms.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:3044
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Xml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1596
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1728
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.AddIn.Contract, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.AddIn, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2276
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ComponentModel.Composition, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1808
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ComponentModel.Composition.Registration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Reflection.Context, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2352
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ComponentModel.DataAnnotations, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:3016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Core, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.DataSetExtensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1472
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2200
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1948
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.Services.Client, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2060
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Management.Instrumentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1612
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1496
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Net, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Net.Http, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Net.Http.WebRequest, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2396
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Numerics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:804
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Internal.Tasks.Dataflow, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1996
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2580
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.IO.Compression, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1964
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1056
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.IO.Compression.FileSystem, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1956
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2528
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Device, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:992
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.ApplicationServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Xml.Linq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2384
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic.Compatibility.Data, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2332
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic.Compatibility, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.VisualBasic.Activities.Compiler, Version=10.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1652
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Messaging, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1132
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Transactions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1304
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:572
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1288
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Runtime.Serialization.Formatters.Soap, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2360
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2568
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2548
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Transactions.Bridge, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1648
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Transactions.Bridge.Dtc, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2604
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "SMDiagnostics, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe" /NoDependencies
    3⤵
    PID:1396
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1624
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Activities.Core.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1652
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Activities.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2820
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1988
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Activities.DurableInstancing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2988
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.IdentityModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:2568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.IdentityModel.Selectors, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2788
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:908
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.IO.Log, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2656
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1648
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Runtime.DurableInstancing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1608
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Runtime.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1152
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2556
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1252
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Channels, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:832
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Discovery, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:936
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Internals, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2644
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1964
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2776
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2156
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Xml.Serialization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1960
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Xaml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2976
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2104
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Speech, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2612
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Printing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2476
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1032
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 0 -NGENProcess 120 -Pipe 18c -Comment "NGen Worker Process"
      4⤵
      PID:1792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework.Aero, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2744
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework.Classic, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2604
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2200
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework.Luna, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:496
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2772
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework.Royale, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2372
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework.AeroLite, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationUI, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2748
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "WindowsBase, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2480
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemCore, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1152
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemData, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:1396
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2260
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemDrawing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2540
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1712
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemXml, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationFramework-SystemXmlLinq, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:2364
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2280
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "UIAutomationClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2664
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "UIAutomationClientsideProviders, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2060
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "UIAutomationProvider, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2400
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "UIAutomationTypes, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2296
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1760
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "ReachFramework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1488
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2736
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Windows.Input.Manipulations, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:696
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Windows.Presentation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1516
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 0 -NGENProcess 118 -Pipe 120 -Comment "NGen Worker Process"
      4⤵
      PID:1524
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "WindowsFormsIntegration, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:804
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2192
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Windows.Controls.Ribbon, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2408
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2272
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "AspNetMMCExt, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1796
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1952
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1956
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Mobile, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:3004
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2228
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.RegularExpressions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2276
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2920
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Build.Conversion.v4.0, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3016
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:888
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2348
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2312
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Build.Engine, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Build.Framework, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2764
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2560
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Build.Tasks.v4.0, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1328
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2792
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Build.Utilities.v4.0, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:896
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe" /NoDependencies
    3⤵
    PID:1732
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Runtime.Caching, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:1728
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.Entity.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2232
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2656
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.OracleClient, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1324
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 0 -NGENProcess 118 -Pipe 120 -Comment "NGen Worker Process"
      4⤵
      PID:2292
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.Services.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2104
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2480
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Data.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:1568
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2564
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1088
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Drawing.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a" /NoDependencies
    3⤵
    PID:2388
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1484
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.IdentityModel.Services, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2588
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:572
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.DynamicData, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:3068
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1704
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 194 -InterruptEvent 0 -NGENProcess 120 -Pipe 18c -Comment "NGen Worker Process"
      4⤵
      PID:2488
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.DynamicData.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2196
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:704
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Entity.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2840
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Entity, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2460
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2740
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2836
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.DataVisualization.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1860
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Extensions.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:2560
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2052
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2316
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1596
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Web.Extensions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:768
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1952
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 0 -NGENProcess 118 -Pipe 120 -Comment "NGen Worker Process"
      4⤵
      PID:788
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Windows.Forms.DataVisualization.Design, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2688
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:408
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ComSvcConfig.exe" /NoDependencies
    3⤵
    PID:1972
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1924
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Workflow.Compiler, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    - Drops file in Windows directory
    PID:3056
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:868
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.ServiceMoniker40, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089" /NoDependencies
    3⤵
    PID:2000
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2300
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Activation, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:848
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2348
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.ServiceModel.Web, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2556
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1232
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Workflow.Activities, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1524
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2132
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Workflow.ComponentModel, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2476
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1996
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Workflow.Runtime, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:852
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1012
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.WorkflowServices, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:3064
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1420
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "System.Xaml.Hosting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1920
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1732
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "C:\Windows\Microsoft.NET\Framework\v4.0.30319\WsatConfig.exe" /NoDependencies
    3⤵
    PID:2632
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1960
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "XsdBuildTask, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:1536
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1940
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "XamlBuildTask, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2088
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      Drops file in Windows directory
      PID:2328
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "Microsoft.Activities.Build, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2404
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 114 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:2152
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe uninstall "PresentationBuildTasks, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" /NoDependencies
    3⤵
    PID:2492
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 120 -InterruptEvent 0 -NGENProcess 110 -Pipe 11c -Comment "NGen Worker Process"
      4⤵
      PID:1864
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 190 -InterruptEvent 0 -NGENProcess 120 -Pipe 188 -Comment "NGen Worker Process"
      4⤵
      PID:484
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 18c -InterruptEvent 0 -NGENProcess 190 -Pipe 184 -Comment "NGen Worker Process"
      4⤵
      PID:576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 198 -InterruptEvent 0 -NGENProcess 18c -Pipe 178 -Comment "NGen Worker Process"
      4⤵
      PID:1860
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regiis.exe" -u
    3⤵
    PID:1604
  - - C:\Windows\SysWOW64\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet.mof.uninstall
      4⤵
      PID:1648
  - - C:\Windows\SysWOW64\wbem\mofcomp.exe
      mofcomp C:\Windows\Microsoft.Net\Framework\v2.0.50727\aspnet.mof
      4⤵
      PID:2176
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelPerformanceCounters.man"
    3⤵
    PID:2004
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" /m:"C:\Windows\Microsoft.NET\Framework\v4.0.30319\WorkflowServiceHostPerformanceCounters.man"
    3⤵
    PID:1596
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" "SMSvcHost 4.0.0.0"
    3⤵
    PID:1636
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" ".NET Memory Cache 4.0"
    3⤵
    PID:2844
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" "MSDTC Bridge 4.0.0.0"
    3⤵
    PID:536
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" "Windows Workflow Foundation 4.0.0.0"
    3⤵
    PID:1324
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe update /queue
    3⤵
    - Drops file in Windows directory
    PID:1496
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" ".NET CLR Networking 4.7.0.0"
    3⤵
    PID:2272
- - C:\Windows\SysWOW64\unlodctr.exe
    "C:\Windows\SysWOW64\unlodctr.exe" ".NET Data Provider for Oracle"
    3⤵
    PID:1600
- C:\Windows\system32\MsiExec.exe
  C:\Windows\system32\MsiExec.exe -Embedding B1290E24123C81DCF47A2E8BA8E2514B M Global\MSI0000
  2⤵
  PID:1996
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe" -msi -ua -u -c:wmi -v
    3⤵
    PID:936
  - - C:\Windows\system32\sc.exe
      sidtype NetTcpPortSharing restricted
      4⤵
      Launches sc.exe
      PID:444
  - - C:\Windows\system32\sc.exe
      privs NetTcpPortSharing SeCreateGlobalPrivilege
      4⤵
      Launches sc.exe
      PID:1948
  - - C:\Windows\system32\sc.exe
      sidtype NetTcpActivator restricted
      4⤵
      Launches sc.exe
      PID:632
  - - C:\Windows\system32\sc.exe
      privs NetTcpActivator SeCreateGlobalPrivilege
      4⤵
      Launches sc.exe
      PID:896
  - - C:\Windows\system32\sc.exe
      sidtype NetPipeActivator restricted
      4⤵
      Launches sc.exe
      PID:1932
  - - C:\Windows\system32\sc.exe
      privs NetPipeActivator SeCreateGlobalPrivilege
      4⤵
      Launches sc.exe
      PID:2664
  - - C:\Windows\system32\sc.exe
      sidtype NetMsmqActivator restricted
      4⤵
      Launches sc.exe
      PID:1600
  - - C:\Windows\system32\sc.exe
      privs NetMsmqActivator SeCreateGlobalPrivilege
      4⤵
      Launches sc.exe
      PID:1012
  - - C:\Windows\system32\wevtutil.exe
      um C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Windows.ApplicationServer.Applications.45.man
      4⤵
      PID:852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A7B731153A24F29F2BE9272AD9DB3685 M Global\MSI0000
  2⤵
  PID:2588
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ServiceModelReg.exe" -msi -ua -u -c:wmi -v
    3⤵
    PID:320

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1019562211-2042651913121546-1494457885-12951938789214693009644189561015343487"
1⤵
- Executes dropped EXE
PID:2280

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1660720360312446515140451901983835158-9444963642089077597-1839667914-721055011"
1⤵
PID:2828

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log
1⤵
- Opens file in notepad (likely ransom note)
PID:1972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log
1⤵
- Opens file in notepad (likely ransom note)
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Browser Extensions

T1176

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\f767c54.rbs

Filesize
113KB

MD5
2360809ea1c77821dc6b88029e21a837

SHA1
998e47b97073d65da38f7f63718c4f57ac1e3c61

SHA256
9c0dfbb1228e4d2590bbacf85d66e7395f66831c094ff40eaf7c627011593efa

SHA512
373ca5c83236267f0958db730efd4a3a26c61456f36656025708da051f7bff654b422050c645be82b54fbb355495aed61134f09c0f7821e30bcd18b27c62aaf1

Download Submit
C:\Config.Msi\f76cd70.rbs

Filesize
81.1MB

MD5
24cbaaa7a8800707f65c94d47570802f

SHA1
24022e60a74613dd64e3ad4f2d68a534ba15df17

SHA256
d69bd841323168d3e2bb6973a26c7a7e091e1ad9f7ab955f748a6d972aaa420e

SHA512
9a723652d46e4126d61e428c5a4c03c405d4dfc52b2d5e431bbb68766003fb2bcbff5e89d5e928ca94986f168d8885c1356f54554e7a983fcd35cf4ef9c2082a

Download Submit
C:\Config.Msi\f76d458.rbf

Filesize
3B

MD5
21438ef4b9ad4fc266b6129a2f60de29

SHA1
5eb8e2242eeb4f5432beeec8b873f1ab0a6b71fd

SHA256
13bf7b3039c63bf5a50491fa3cfd8eb4e699d1ba1436315aef9cbe5711530354

SHA512
37436ced85e5cd638973e716d6713257d692f9dd2e1975d5511ae3856a7b3b9f0d9e497315a058b516ab31d652ea9950938c77c1ad435ea8d4b49d73427d1237

Download Submit
C:\Config.Msi\f76d459.rbs

Filesize
576B

MD5
75cdcc43c4e10d1d83bb8ae1a74639dd

SHA1
cde50c613af90fa90f2d076fdca7312059b887ae

SHA256
ece1732973641cdba812bff944a58153be453c064e82dfaebea165ce3feb4ee8

SHA512
574dacfc6fa0ab38ecb0ddce6268e67c07d3ea585a9d6966bbee00d7d4c62b8b6ee239e8c086e3337a53fdd497b907087776606e98b36e1470b831ee2db437d6

Download Submit
C:\Program Files (x86)\Skillbrains\Updater\info.xml

Filesize
276B

MD5
466b19bc0b21fe6667778a0c114a9d25

SHA1
3b930a9a836f39467b7bfce4a35499fef7803c36

SHA256
efce940e2e2504326dce91e1112dc19c31a9de49f0fc34886389d36997594ef0

SHA512
1d995818bed8c356aa691ef19a6ce3df54c2fa08c086304f32b0f963934ca6402f1890bdd376d2cb411c58561e3740b73125a4cf0187ff49172d57b3b712028a

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.dll

Filesize
490KB

MD5
f256a9c7e68a249fe760019d19c022ce

SHA1
5a6279ef4f82270b756053cd34bba96d7fe0ce05

SHA256
04a27f0d1e89341722461119e00a10e00ec2a52f5e305961161ec4378e610e93

SHA512
a97f1cd4554d59ee0d69df6ebfc234e025c5e6e64c057f28c62f3743c8ccf8b502ce3eafc437a34a492b6b590fe62591293e551d0e7db5b6036890a64e6d8de9

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\Lightshot.exe

Filesize
487KB

MD5
1e1c83b9680029ad4a9f8d3b3ac93197

SHA1
fa7b69793454131a5b21b32867533305651e2dd4

SHA256
0b899508777d7ed5159e2a99a5eff60c54d0724493df3d630525b837fa43aa51

SHA512
fe6f8df3dbbcc7535ead60028ec3e45801a33ccc81c9137b2288bc0d18be42379564c907eb406ce9491f46930690efa9a86a9f6506414992b5dba75adb3d1136

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\locales\EN.txt

Filesize
10KB

MD5
4d195562c84403dd347bd2c45403efc5

SHA1
4203bd1c9f0c0a2133ba7dc5ff1f9c86c942d131

SHA256
4a57246bd4ce9d387ec10f0ab2084c3d91e8463d03c1412f3665aee3885a85a5

SHA512
3de1ba358834c7d238e35f533a192c6e6e41fdf276a29b6714cf02636cad123eff571614a1185025757bec3e9f9f351d612598496600684e4ac676e576e8c601

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\5.5.0.7\uploader.dll

Filesize
215KB

MD5
08cf9e363d79c9379cabd75382131315

SHA1
22ce1f3506fc46976f2d5dcc5a5735ce8ede63bf

SHA256
037ee2f3243918fffa71b9e3fe0541245f75f89abcac0ccf2ea6a57020ddaad7

SHA512
cab0c8a5b8596054315c69f1ff858da1fad89ea1e3c28d4c90411c293b6b40438e2be67e029a51279637f2704e30903d0d4751e31fa1d1b2af0393af90c8907b

Download Submit
C:\Program Files (x86)\Skillbrains\lightshot\info.xml

Filesize
362B

MD5
105b94bb4070848b67cc3c23ab32afbf

SHA1
4ff607984309dd4b9c0ebc03a610d0022fd565c2

SHA256
f2cbf4e10f5f71841842c75ab97d2dc59a902a095e4ab54a25ad692c1d3aa1f0

SHA512
9007822bb83f56518570a8acb3b42a1ec79be26fc0dabc22ec40f569a725cbb4bff9b0801ec5e51af8753bce54474107582b72fc8f37e8e305e22255a0793041

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB

Filesize
1KB

MD5
2e4daf4548add4c7de477e6cd9cdfc81

SHA1
fee7057e35102744908e5d59e2c6368d43179e6c

SHA256
feca052a779d097b43d7591375970de7e805fd315e112216b54267f377e3453d

SHA512
3bfd1c319f8f72dd21f2ef141c98d76e46169a1fcebb9dcdbca298f5afc117fe241551c48a7bce7c2833a929fade1585ab4a63d3ff452f2125abba9b799c47e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
1KB

MD5
1013bd7c6c9a2dbf6944054e3a962441

SHA1
e307a005f9ffa1b139233d5ea84acfb29eb65486

SHA256
ace39ab215357d0f4f0755e670f5f2d5b6c2fa57af47c6bc56d6c271cedc5837

SHA512
1bd3eba3bd0e75744ec374749ac78dc1637740c6a35fa00cf60aecc85d0675b4b821bfbb545380cee1f1e2338a9231f7b9cdef4a165c2a91237a6feccc6281b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D391C1D03A63B66863342F8A4B64298F

Filesize
939B

MD5
050457968161a0815dbfb52a28685937

SHA1
a01dbcdc1faabc559a0b7efc795a4144fc26dbcd

SHA256
4da3c34b9ac15155144eb0b834f833ea3810e5caf83b6b8b5fa31ee7ae8c2de7

SHA512
2490153c8d625b5e15619093d95c9bcd3664bbb12e832220ac56b75d1fdb94e582cb075337c7d5d01653bf241b3480ce7448f5439aa216c01af92c2017fae481

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\81B9B36F9ABC4DA631A4713EE66FAEC6_D391C1D03A63B66863342F8A4B64298F

Filesize
939B

MD5
a0e63b46875c318e91a3d274af82703d

SHA1
3bcdc685a33b7253a6ee6da28fa3e0fc89813b2b

SHA256
a9d8eed253ca2f4dd88ce249247b86a047a659100bd7ef19449a9d60d9ac435c

SHA512
2917fee5970a15fcb429eb4f9078c85a323c3275303d94ba6de2e9021f2cdf25ce6c9bda736f1e44903be1de5831b3bbe4bfdf0920547907494510f26be3166b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB

Filesize
512B

MD5
fe53eabef081d29965bae378a81dc78c

SHA1
9cd925d448aab14f8aeb6b6739ff51e8f625c8f5

SHA256
80fdecc0565217ae7613a8d65c19112eafbcf93d13039a4a3a14614464ccc440

SHA512
94b388ec7296e122f084a8277707b13d5495332d6b8b6a40e8827d3c1e6b9ae57055beefcface43dfdf22b27e521fa924eeeeb01957a0323d7c9d013b73c0861

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_7DAD5545724AA2C98C55095F428499FB

Filesize
512B

MD5
e0c8073adac6f1841a0cd9f686de47bf

SHA1
4fea3ebf60945605cb308b262e6b36e35746d525

SHA256
18ad70bd48b68bbb2e6360b6b9bb1b48e8420dd94329732c95fd0af066bf01fe

SHA512
6a21ae6c1615726e8bddc9ef25ab1cd22e013b62e3da2eb7c5db418dfa52169a5d046cbcdd79895e36690e91eab9115aa83cf591be3d2f4012e63a81e9ebdefb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
65243aa05de42b1ef29a4e3f42dca673

SHA1
693aeb838d9e3192d625ca4ff3f74899e37787e0

SHA256
bbc73efc05c91ac9e2d8c97acc51155ec2fbc6688557cd6a9f7fc86aec2d9523

SHA512
52366b0e2e029a92f3107ab5477fd86a0d75899b04c4f890f0c43b889e285730dc8f3d454a56142d2a1d1d9f0480939ca95a5984bfc70972ab79c6900aac2d59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\66F835E41EC6A985EB9271E4A70169D7_CF44E3C99F7F4AC558EEB35244F7E046

Filesize
502B

MD5
b52e0c84b4adbe049a7f4cc11e125eb1

SHA1
c69bfcf41f8fa186c5d0aa581fcb4915525d2724

SHA256
e11d6178d6fda3a976ff9f1628e2d801bc4b1f68a7e7460dff3c4383ef45ade8

SHA512
f45a1de0230993d53d7cd216fa15a2b2783d5a2b78bf11156361a2a5381f53e1b6b773cccd377d41f0d127e91229f1be64c8e0d3097be8561716989b5a059b95

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D391C1D03A63B66863342F8A4B64298F

Filesize
524B

MD5
4340a78a57a993d04ab239aadd51a24e

SHA1
c06dbb941ca3d10698b49e22cf1c8dab44817799

SHA256
050bc4f7d9bb0c168366fafd2b915defea399d01b80b299e92644b7d8d19a78f

SHA512
5824c52b3fe0be0376af46a9d3eb3e969ba6b804083fd1d6135694343b17f91059e51acc258159215e67b2c0104c2db0907ae7582af48ce16a70b837c06358ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\81B9B36F9ABC4DA631A4713EE66FAEC6_D391C1D03A63B66863342F8A4B64298F

Filesize
524B

MD5
32921964c69e82f2f863d1af8eeed13c

SHA1
d8d4fa80176604fc38f90830e94bbef14ea8d1af

SHA256
d121d1bc7f683fa63fa323b50ccc450400514fc814444d5f921f6b37a0704f5c

SHA512
26cd16cb52954751b47bbb3661a338fdf99f18ba0d457a39d1e91401ea275743f57ef18d59d48c7e9ce76be642e7eae851ca5b1af905690fba99cdeb0cc45793

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
792b1d4efe0fb5551228f927cffed426

SHA1
ae0b924fee1d52e22182016a36fe093262b08128

SHA256
ef8d2f24a7fb63e21ae10e2b607bf536d42a40bc3c00481a72a2f03bcecba6e7

SHA512
5d4b2d0cce518cb76d20a16f73a1a3bed1d80bcd1b7d39a5cc025f931b278738de2677a28f81c56a2bfebe2c5f460fac67bc647bc253883b9e9aabb6710aadda

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6bcefd4f0eaf894ed72a82e59a0e5768

SHA1
f0982817dd9549db9cfb6be51e0686d6b40a9abc

SHA256
4fd844672b3ee9010c455b26a366ab10e3a4d2197ca55ce0d9e017288f541dfd

SHA512
0c36e599aafd8e009322060f1a9faf2cdbe4277091bb6c92aa2aac35fc18a0cb2d5668846343c207ef30ac198f2ef748f5bafa1383dc76829366fa763ca03180

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8c7f2cff54f93717fbbe3b8b6f2b0499

SHA1
41556060803b83c22d449b78d0522e9f2d5442c6

SHA256
4bc5eddf340de4573e13943af2221645fd26f4ec7a6667f1e19b351b4dec951a

SHA512
bcf6c4e558455252fde1f22d3a622baa35d3d439d88747c4adcb5cc643e6b70990e2a29d126305fc6a657ebb79869af8209ce277b046d2d9e9aca5f55624d190

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
97bad043b8326cf1d0f22f590d22c9c9

SHA1
a18eb3f870b1e3bb017c36999583d7710c20b68f

SHA256
edfced302d343f046ac67c6adb781bfad121efbf6e40a9ec6bc9a95ac6e346ba

SHA512
89f1c23155e779f63aab0021e0e3cc51223528595b88bfc8d049de9c09f9d7f0201f181618e8f6884134a236738850675cb99e5f7599dd7956a04954d3124ff9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c0a8645ee2878c1f9fdf5cffc472db16

SHA1
8c436065009bca493b926cc1522d0c31b5ff529b

SHA256
32b2b3ace81381b0ac56312e28b1049def3ebca6c8ba4053d21acf494f258cc9

SHA512
6c7aac6f0eb66e6ccdf602c962b126da44f5bf07e22784d8d90eddfd7be1e972d4d2932d1466f6b2d700f69a7a66b0a084b442540d87169b381ab6e252aece1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bb5aeafeabaabacda1d072da8d4ece5f

SHA1
e0370bd2f720ec3d5c493bce7ddb42152cbbbba2

SHA256
8b6f276205b1b9413a01db3d64fcb9dd8668ac1dff74d991d774b3ed3890dd17

SHA512
e9d04bee9ee65da67645ee701579cf4c0c666dd9d07d044f4d948c3e60de87c268315ae3c2db5f498f64d13ebcb41806bc8a61cca44a4ebb5ae22a77fda40e34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c542c6603ea4ea9d504503bfb9c72d06

SHA1
bd3407837b4607bc4f8ce126b4dc49011ccc42cf

SHA256
a17e5ee72cbb4ce3127dae20e1048673f763828cd9a02d46a1ec01a3f868e13d

SHA512
d7e11f784304a83ca11ba5347d7e8f25860d35ea2d18cab25b4b452fc258d06f360aad33991a7d83ad0fd5a4593e8c7acbcbf55e85a2d6a0821917939a839a10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
80df0e25edc4c94232f24eb5eaa4d4a8

SHA1
5c3f721ceb74f6b29bffd1fd7fa891684a9837e8

SHA256
0bc8a689c4b68a23f3e0544fcd771b6ca515e94e447ceb175b7f34ed7fce93bc

SHA512
a3fa9d48cab6c930ac25d008d6856095be7d1d3e6151bdc82a37b168c355ad30c1ca38570092a1789450ea4aa686f51f86d125088967dd93fff866926742ad27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c2724c8ad61019c895f23c148d9dcd5a

SHA1
bad090adb3d74ca1e484a7f647370694b9c98e62

SHA256
3ecad2f76226176c7f9fe8a77359b5efc53de2755f0228334727d17da7d33b17

SHA512
1b9b843fe449284230209826fd273ce19095a3e5e415eaf3dc10aa3803119f21a91b5aa29aa40cff12b4332ce4eefed359c7d4d781f13f026b84028ecdd1f00b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b941e0be0c3e88a086a297578783996e

SHA1
ea53cc989ff44f27d2549351b9e0d111ab6b6c42

SHA256
5d95cbfaee9c6b0ce4710323ead4f5f90f7f2d4dba11a0693811405c34d6c2bd

SHA512
d4e09eba82ce5d2fa86fb763dab1b0d32d49d95c062088ce6a0ef03d6cff970711d9427e03fca8b9c2ac63b15847cb1b6f816e8d5fda56f6612eb6db6408c24e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\re26ad0\imagestore.dat

Filesize
5KB

MD5
76da50d3094c5f79a06343cfeb07451c

SHA1
db56cce3dda0991324d3650ab07d8e59cc4f4b3c

SHA256
b24999025ed6e87b7d2870277377b85bf1db968bb312b73ce773d6d6833831d7

SHA512
93b23d133c72db844bc71fdb2164d751b1038d0e70373476220f01a8d5240256e62b0929a2f0460dc5dc2b923ef087af899f2750666836a875ba780e9e807804

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\MPR7YYBV\favicon[1].ico

Filesize
5KB

MD5
feb7ca0515d4660fc15fc4f42c8904ef

SHA1
4cf8b8a1bff5df3e74a7461913b502eaee0a4937

SHA256
b50109bb17a40d032cb6ee83163e10d220e0d19a19192cb71950063070888570

SHA512
a6d02aef62f841795a1f7ee6567072f625c31f6bf61dd73d2ffbd022ce429864b5c94e9c1b7a1d20110adccb0fa496898c186cebbf529c69dd9e6cc5d1a4a036

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UA1HZF3D\js[1].js

Filesize
226KB

MD5
156de7006f3cf267b033cbc8674a7917

SHA1
5e1116b21984f975251ad16be5746361c52fca7b

SHA256
f45595b918fea080013c21e1b670b7b4dcbcc7f94980b4ad881a9a5d3d33229c

SHA512
f08de844b1778a409e6649387ddf78f2605ead46caa64aafd8dc8d533cb58b0b2d53eb4621ab960a13fb52da4de172fa806a8e8de45479ea9eefe6c1bfa6cb39

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\1[1].gif

Filesize
43B

MD5
df3e567d6f16d040326c7a0ea29a4f41

SHA1
ea7df583983133b62712b5e73bffbcd45cc53736

SHA256
548f2d6f4d0d820c6c5ffbeffcbd7f0e73193e2932eefe542accc84762deec87

SHA512
b2ca25a3311dc42942e046eb1a27038b71d689925b7d6b3ebb4d7cd2c7b9a0c7de3d10175790ac060dc3f8acf3c1708c336626be06879097f4d0ecaa7f567041

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VIF0OH2A\__utm[1].gif

Filesize
35B

MD5
28d6814f309ea289f847c69cf91194c6

SHA1
0f4e929dd5bb2564f7ab9c76338e04e292a42ace

SHA256
8337212354871836e6763a41e615916c89bac5b3f1f0adf60ba43c7c806e1015

SHA512
1d68b92e8d822fe82dc7563edd7b37f3418a02a89f1a9f0454cca664c2fc2565235e0d85540ff9be0b20175be3f5b7b4eae1175067465d5cca13486aab4c582c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8E1C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGIBAA8.tmp

Filesize
10KB

MD5
dbef78447120e830587017c581f994f1

SHA1
ea5214b9503e9a3b5335053b9f2e85c1bd26f3ce

SHA256
a380116d80066949811b29c5b53c20488c1ca6b05a955c1698aff58fc18ebf94

SHA512
eda079a1c4e25d18099accf11860b7c78c9c303c855d87ddfd1750a41e47571db6acf929921a20be693a18d948799279c3f7be47574a2004810021271d735b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGIC34F.tmp-tmp

Filesize
8KB

MD5
4aae089d3731c3f9dca27587e61cc4a2

SHA1
97b570c80cce9d68fbdd728f8524d92bce4a5c35

SHA256
ed8f2f1786d5c57aee9c8228286f41b1665f46b88b882557675350d5108b438c

SHA512
6ec755dc7f6531bf0ecec25f8fbf5f712ccf46f93b954f8acf522b33b4bd13f3781e73f1122a81bd5165c507b0a58222a3cafe6fbd25f5d606b4414a9a4009fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RGIC7C3.tmp

Filesize
10KB

MD5
82d2bae754892aea0a43211f69ab71e1

SHA1
e456facc40546eab4c28a4fd69865aefa5d3e08a

SHA256
b7ca1d7e0f6a4ec51e8eacde03f4ae1db7f6cd13a3c534d16ab44dd74a8ccd35

SHA512
deeaa81f8cd0bdf52ff83ca1521ad09ad9fcd0fb6f4a82d5d8ab6a99aacbca976d2d36c40fd4c582617b58cf70d4ddf40df39f471d7e483334b9570f6b0ede07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup_20240222_164619759.html

Filesize
16KB

MD5
9d7f07d2eed3cc4ee2d5681b42e80583

SHA1
83a2876efa0ce3c4de2618394ceafc85c57795c3

SHA256
3468b12a673d7561279c5d0289778915a3d61a879dfb84abe781c2b7ecae0064

SHA512
e94d128a8e31c933449ec8885a5ec4a97b82d0c69bdbd7941b559e811122ec69a78e29439e07db3d1714c5daa81ba1b888a816723aa43fcbd62538bd372ea2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8E2D.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\java_install_reg.log

Filesize
5KB

MD5
515c45d9da4c615f7aa931fe67941121

SHA1
71582470022487dc37cbcae8395bf9614ee8b365

SHA256
251c6dcbaff7129aba535ab84bba4e4828f2eacee8172d6b07acb4db2714c6c9

SHA512
587c416a401848ee7306a26c8a3100f778e71ccf1cbccdb04be9b405f85201120c2a1aac7551d6d119153d52b464eace7bf78fd4b0a81b8952700d30cb44f06f

Download Submit
C:\Users\Admin\AppData\Local\Temp\~DF889A42123440805C.TMP

Filesize
16KB

MD5
94ef82e1cf4be552a45c7d6e4c18e3f5

SHA1
1065f40543d392b60aa0d89848bf3dbca616f891

SHA256
087d6d8b8c46cc214c757cd23547db7891f39006893d7bd15f2e9d5c4cc5c647

SHA512
59cd5823215b8c9aec46d46afe66c7d943c3a29bff07f6f9583604699cf5bdfbbc299ea521e23a9bdd96e414e3b7adfe69d22996de31383cad3bbd7bc78debc2

Download Submit
C:\Users\Admin\AppData\Local\updater.log

Filesize
3B

MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9ALIDPCK.txt

Filesize
358B

MD5
5085684b0e25f9b64786aabae282bb37

SHA1
3d5e5e59540fa52c95a771f48ab39a4e81fe33b7

SHA256
f10e4e22a339eba21a965921600b7ccb07fde62c4ef0a9d770e8db7d0a2ebc13

SHA512
aa566d383426f20dbf173cc66f149c7868d24925b5a5cc6883deeb354de63803c7cc060d9937be476218d0276c63fa6129e7163e215bf2f6d4e4ff4708ded2f4

Download Submit
C:\Windows\Installer\MSI7D6B.tmp

Filesize
235KB

MD5
16cae7c3dce97c9ab1c1519383109141

SHA1
10e29384e2df609caea7a3ce9f63724b1c248479

SHA256
8acd0117c92da6b67baf5c1ae8a81adf47e5db4c2f58d3e197850a81a555d2c2

SHA512
5b8b803ddabbb46a8ae5f012f3b5adbbd8eb7d7edbd324095011e385e1e94b2c5e20a28f6c0b8dd89b8789106c02d41916e70e090fbc63edd845d75c6f210e69

Download Submit
C:\Windows\Installer\MSIF4A1.tmp

Filesize
291KB

MD5
75fb9a8745aca61b2e5331458977dfdc

SHA1
4bdc9382030781a0cedfdbea06bd6bf0ef3cf61f

SHA256
e3dee969908f521936fd327b83aec0f0d0930845546aa221f18cbebfd122327e

SHA512
8c56f906b2add736f28c2a6236aed2ecebd7978c9c19f6ee300737f3664df85e66a57c55a29ec7a9befb0575e843898e677d91fa9403ea6a7ee3d0cb8fb71b15

Download Submit
C:\Windows\Installer\MSIF6E3.tmp

Filesize
255KB

MD5
9593870e12c484ef7f943cb7752717dc

SHA1
e750d6776abfebc955af8b16689e414bc86ba988

SHA256
caf3f71c11b10bece30705b2aa32b975ef9f52f519490af6deebee668194ee89

SHA512
6fe4d73961df36a6af203a3eec7b3c3682c13065f5cdad8690c43c861cec11b5271e82efb4437869ba8bab2178d97410f5aaece5d7bceff05d386cce0a6e9af1

Download Submit
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log

Filesize
108KB

MD5
56094a4e9a771a2dd94b212552149284

SHA1
3f856c867bb7e9eccce1ae85afc255b63765ee3e

SHA256
665277698677c88550a578cea37a7b7779e4b1e772fd6f75184d32c93e0af7d6

SHA512
70a0474ea1de8264e95f76c95c59e25b7ad1b3bcc70e9df1498cb8c55c93d230d49ee1f47da53281469b745a823a2b147ac29461bff1de140b8a854737e17210

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log

Filesize
117KB

MD5
80b3a0864cc9a6d5a9e4381b8baba361

SHA1
e8f710118c733b66e216fa25fecbbc7cc5d5e681

SHA256
1d37a2246952ca891de3326e29b99e661efe030ee06e1a1cc17f7744daaf91bb

SHA512
0ee3d968c414728e1b23eaab19f2482e881cb4b6800857acf9fd6189e5b8cab8d4144b4378470bcc029148486045491a270f545cb98fb74be40cb40741112a4b

Download Submit
C:\Windows\System32\perfc007.dat

Filesize
128KB

MD5
dec79ffa7641a3d9eee9e56a5d2420b6

SHA1
76969f101cb8b893434686cefee99077b19b7dc7

SHA256
1643d14b1973b4efe8b196be3ac0cd670c6b5ea74d24248b6bcc1be37a2a6bd1

SHA512
12dcab47b9ee1135ba8663dbced931e710454711488d816d7f93a7a30ecb032603db31f1af682a45b0fe2d098b8f483264b6d4511341d690993138dbc7a4deea

Download Submit
C:\Windows\System32\perfc009.dat

Filesize
105KB

MD5
163cc8e92ea550613e896ef05f6eced0

SHA1
d87d9a7bbd790e7e5c1bbdd10cc2846a243016de

SHA256
6e58be7e1c5163c2243d8f2df35328d1ba59f8e3609de5d33120f76f778fe809

SHA512
c7cf5fbab0e2e17a578c34ba3844db5412723d8c87ace445cdae99a820db64c3aac288b57b6b2ea034bab7d47ae67c21d6d491d3a5e6d9ff55a24d2774b8e450

Download Submit
C:\Windows\System32\perfc00A.dat

Filesize
135KB

MD5
7ed0e37ec15ae9f112289816135dd658

SHA1
68e8e4956b9eca2838b9d9e42c04f4ef54eff4cf

SHA256
f9219a7bdd860cc871ef8d010bb46077d973d404447124843d453b34ff94b8b2

SHA512
56e552ada3e1d2c79bc22d4553d59769f0d866b03aa527b1fb2250c377aaa4037feb1b4515d0b9615402e97adb811a9af301f0af1dba25c6e2023fc9e7f7cf62

Download Submit
C:\Windows\System32\perfc00C.dat

Filesize
128KB

MD5
0aea735d5ee9531c16f625d249ccf8eb

SHA1
ec80408dd525ee460c0498128c9a2081e5959124

SHA256
38498253895aa01a9322aba89473d05389661410d54b1c84161258e1733bc705

SHA512
6ffb36d05f64e76eebad3e2a49f9e0558672f3d0e7c49460ff7aec26c3389d74760d5c7b3afff22653af8aa21d16b1e45446a4198a5aeba845be680d803d6a8a

Download Submit
C:\Windows\System32\perfc010.dat

Filesize
125KB

MD5
0c1fcb3a967bc21eb57adb1f3e4e9241

SHA1
ce6bffd29e93cd309d5ead07be66b7f9e91f1f9f

SHA256
352e7602d7662091b7714e23c9173f21c15772131fbbd379cadd4eb9c7467b5f

SHA512
8a6af65a6de3c87a2782a924985ee63125428852e6dd85bbd05698e0edf9a9e99fdd27ed53793c62ece19d13de6e2c74ce19bbd7edc81b1378bce67eb19bb855

Download Submit
C:\Windows\System32\perfh007.dat

Filesize
639KB

MD5
f51ed777e287992fb1be919ad1bdb506

SHA1
5cc2c049be13ccaf41a533ca0c4e749bb1c91b2f

SHA256
5b9531c0ea676fdc2c8478da19a2904543c90d7f917f0adf2d9fb05c0ac481ed

SHA512
cb2edc7aed004817e5ead8cf19d5c0dcddd8e5c64cebf36cad79ad56fb86af0d01c5eb6aa475c92cf745ac595694fd28d52b5c5dc4ca3747faccacf6d764fce6

Download Submit
C:\Windows\System32\perfh009.dat

Filesize
612KB

MD5
61ed8eadb7eef1cfefbcd5298c16653f

SHA1
2d69c4a6a7ac4d4f95fc8dbde70b8fe501cb12bf

SHA256
a6c69b569e22172c75aaf02d32a301840e367e91460804dcc9ea4ca1af7c5f17

SHA512
d562af95d1b21b5c04b93dd0b3a41518d182decb2cdcf79585f29f8df30618a1fcbd96fa2de5d27a16f748550a53bf4a0e678f6b1a1d5acaf3d22794d58d8d54

Download Submit
C:\Windows\System32\perfh00A.dat

Filesize
688KB

MD5
d0d3c904360f7db7eb9422c76364253b

SHA1
e1e14b2c3cdbd23586d6eaf1c7f2cea1cf484c23

SHA256
aae46374d66b45e0032da1c3eae695a9bc6526914fe7e92402349ae164b1c06f

SHA512
576f486aec07261d542c6413519dfbfab0908819df4a9df014eec0f2958883f6d3df7a863104141039038c107ab7ec931ed26e29f97c4aec68270620753fe034

Download Submit
C:\Windows\System32\perfh00C.dat

Filesize
688KB

MD5
2db5dd7800622be226b6b4c5d5112c64

SHA1
5f5d320940ae7ef80e4d4bc841e23d273345b50f

SHA256
d9dd7228a789bdf87dd01c0a4537b2114be92e88b8353706d5dabd52c1747c43

SHA512
1d1ed4b23ab45b37b5954614bbbdf38745769caf2ccf512776dbd13ec888d00c0f419b4f5b4f0940d1b33a5150bd47a45cc84862fa14c37754fcce3f311218bd

Download Submit
C:\Windows\System32\perfh010.dat

Filesize
683KB

MD5
ca94d809bd7a596a3efa6e56a8334397

SHA1
dc6f21fabbead7632641448646526fb78e900993

SHA256
665c28fd4f65584e4ac1d11df050b7d50889c1367d0e2c261e14b988780309ae

SHA512
66a96574dacf3fe5882ab956c066bebe8ff16e98cf9d58570bd36a8c95913baf988564c8ebd6074e8350ad91b89373e2e588a7faf8ee10d99d4c9b8c1fd9c536

Download Submit
C:\Windows\System32\perfh011.dat

Filesize
389KB

MD5
6058a8ac2ea836a5d507c4399d3761ec

SHA1
2ef7d5ffb87ed184ceb77f0e7c70992afbce72dd

SHA256
79ae45ba4eb17368212510f8c56999524aa17f9e60ad6a4e26b2ed134ff11380

SHA512
5207e23895248027582022556040a2201613b407b54ba250690251a3ad2fb30fbe16aeb56c8db2e4a9e9fb61061e9b3a407a3f0f45f682a6703d7dbe214fd423

Download Submit
\Program Files (x86)\Skillbrains\Updater\1.8.0.0\Updater.exe

Filesize
854KB

MD5
fbe0664e1c333e36e3ce73d8bd5cc8a1

SHA1
d7f284e9a8d3a3b5a832c37b58382000b583fbc1

SHA256
c4ce15b1bc8adecbf20a655256aab267c1d72e7a33947598af48ea287cca5670

SHA512
7b7e34aa69e2e92590b79d2b9c9fd095d15fc5a2943335d0f59cdee15083a8bb1a66b669615ce716bb714a59a1be54e8fea88a5889bfa8e0371e7eb8902fa555

Download Submit
\Program Files (x86)\Skillbrains\Updater\Updater.exe

Filesize
405KB

MD5
3ec8f4bd54ef439a8fab6467122da0c4

SHA1
ee2e65cbbaa22db70d89b85db28ee955d4db12f9

SHA256
a5e3bdc3b0b0bd6455892e23008161b5478b24f4fe1801f43a8a01cfff1bcba7

SHA512
0f50ce35241d5d55f0f3bae6fb38de39213a48d356478efac76c0292b286b58ddb855e130fd03bdf3cd63e141aa14ffd5318671e9885b2c17411f8ba3aba6189

Download Submit
\Program Files (x86)\Skillbrains\lightshot\Lightshot.exe

Filesize
221KB

MD5
62eb961457df016fa3949e9601a1a845

SHA1
0c0a5fa4f6cb9e18c0e3431d5e1bf45fd2e05352

SHA256
8d4c4bcf7d7aedf0480e3eaac52138e63724ae83c419de8a98d6ab32d1c93645

SHA512
fb4fcb6a3f5b7a3eb35a1689a0d15e3d8f9f520180d6cc57857b90b8af3d576da179c30c18019da5500f58d6f86c07645090e0c75accbd87257e1b73d291ae81

Download Submit
\Users\Admin\AppData\Local\Temp\is-4VRM0.tmp\setup-lightshot.tmp

Filesize
1.5MB

MD5
c6bffd4da620b07cb214f1bd8e7f21d2

SHA1
054221dc0c8a686e0d17edd6e02c06458b1395c3

SHA256
55dbb288d5df6df375487bae50661dbf530fd43a7e96017b7183a54db8fc376a

SHA512
91e50df87a6e42b01e24accead25726047a641c3960fa3336f560168ed68356e6992d289a0a71b629d74ad7b00bbdbf7e6e909a4c8b5b1616fbf3b0cc63210ab

Download Submit
\Users\Admin\AppData\Local\Temp\is-AHVGO.tmp\setupupdater.exe

Filesize
865KB

MD5
843d23f6aab075a3c032b06d30ce9c5d

SHA1
8e9f98e609db50ee6167a76b6ae1ca7886e6c866

SHA256
088f048ee972ef80bd527e301431c1ad7e46d0c994ad8a2b586c4fa6d86ac399

SHA512
101cc5a0a5c927adac497cf901ebfcb73bd92eec0b8855c8fa0aab0bb0411dcb5cc3271b6f73c0fdf6238a21df30871afcddf5bd8f0164ddaf8acd72d14a7db4

Download Submit
\Users\Admin\AppData\Local\Temp\is-CDQCR.tmp\setupupdater.tmp

Filesize
1.1MB

MD5
3613e29d2a7b90c1012ec676819cc1cd

SHA1
a18f7ab9710eefa0678981b0be9a429dc6f98d28

SHA256
fb5761640bb6d375345b780df0f1811f6ae6a1ddeae7c948299379f8bca822c8

SHA512
837f3aedcfd81cfc0fcebc9e135f72a55c0cac10860ca78d57cd910d6f039afd500bbbff1481637f21912e5eacbdbebfdc3a3bb8133db2cb37f444ef87e6347b

Download Submit
\Windows\Installer\MSI95DC.tmp

Filesize
309KB

MD5
8b285b5164ac3dbd6f6c97c81c77fb59

SHA1
2d846f00f4a1533d93d9f7fcf797cf406b7a79e5

SHA256
7c932b844dd505281a0eb1e3cb3c1b27be9ca47866655cc3bfd6ae660d4f6b2c

SHA512
2669938f68238a5e68accdd2c3f7dcdbafacd58e00418f32769bd452580e4a4fa0169b001652801ec3ec0ec67f093997a87f1bb80bd83c20cbf1145d3249e2b8

Download Submit
memory/496-204-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/496-242-0x0000000000400000-0x000000000052D000-memory.dmp

Filesize
1.2MB

Download
memory/656-1009-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/656-1075-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1132-1-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-9-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1132-1042-0x0000000000400000-0x0000000000481000-memory.dmp

Filesize
516KB

Download
memory/1304-23-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1304-10-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1304-8-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1304-1011-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1304-552-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1304-1041-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/1604-2700-0x0000000009750000-0x0000000009CB2000-memory.dmp

Filesize
5.4MB

Download
memory/1604-2708-0x0000000009420000-0x0000000009440000-memory.dmp

Filesize
128KB

Download
memory/1604-244-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1604-196-0x0000000000400000-0x0000000000427000-memory.dmp

Filesize
156KB

Download
memory/1604-2759-0x0000000072250000-0x000000007293E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-2711-0x000000000A9B0000-0x000000000AD00000-memory.dmp

Filesize
3.3MB

Download
memory/1604-2710-0x000000000A720000-0x000000000A9AC000-memory.dmp

Filesize
2.5MB

Download
memory/1604-2709-0x00000000094F0000-0x0000000009522000-memory.dmp

Filesize
200KB

Download
memory/1604-2707-0x00000000030F0000-0x0000000003102000-memory.dmp

Filesize
72KB

Download
memory/1604-2706-0x000000000A030000-0x000000000A0C2000-memory.dmp

Filesize
584KB

Download
memory/1604-2705-0x0000000002FF0000-0x0000000003054000-memory.dmp

Filesize
400KB

Download
memory/1604-2703-0x0000000003090000-0x00000000030D0000-memory.dmp

Filesize
256KB

Download
memory/1604-2704-0x0000000009CC0000-0x000000000A024000-memory.dmp

Filesize
3.4MB

Download
memory/1604-2702-0x000000000A1F0000-0x000000000A71C000-memory.dmp

Filesize
5.2MB

Download
memory/1604-2699-0x0000000072250000-0x000000007293E000-memory.dmp

Filesize
6.9MB

Download
memory/1604-2701-0x0000000009CC0000-0x000000000A1EC000-memory.dmp

Filesize
5.2MB

Download
memory/2368-218-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2600-2533-0x00000000078C0000-0x0000000007C25000-memory.dmp

Filesize
3.4MB

Download
memory/2600-2528-0x0000000005DF0000-0x0000000005E82000-memory.dmp

Filesize
584KB

Download
memory/2600-2678-0x000007FEF41C0000-0x000007FEF4BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-2525-0x00000000069C0000-0x0000000006A40000-memory.dmp

Filesize
512KB

Download
memory/2600-2526-0x00000000072C0000-0x0000000007624000-memory.dmp

Filesize
3.4MB

Download
memory/2600-2522-0x000007FEF41C0000-0x000007FEF4BAC000-memory.dmp

Filesize
9.9MB

Download
memory/2600-2527-0x00000000025F0000-0x0000000002654000-memory.dmp

Filesize
400KB

Download
memory/2600-2524-0x0000000006D90000-0x00000000072B6000-memory.dmp

Filesize
5.1MB

Download
memory/2600-2529-0x0000000002BC0000-0x0000000002BD2000-memory.dmp

Filesize
72KB

Download
memory/2600-2521-0x0000000006330000-0x000000000685A000-memory.dmp

Filesize
5.2MB

Download
memory/2600-2530-0x0000000002BE0000-0x0000000002C00000-memory.dmp

Filesize
128KB

Download
memory/2600-2531-0x0000000002D40000-0x0000000002D72000-memory.dmp

Filesize
200KB

Download
memory/2600-2523-0x0000000006860000-0x0000000006D86000-memory.dmp

Filesize
5.1MB

Download
memory/2600-2532-0x0000000007630000-0x00000000078BC000-memory.dmp

Filesize
2.5MB

Download