Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    15/10/2024, 18:32 UTC

General

  • Target

    039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe

  • Size

    1.8MB

  • MD5

    06c3b75deae102144ec995312d6d208a

  • SHA1

    9d7386202e4012460553e792beaa4c1820cf7d17

  • SHA256

    039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2

  • SHA512

    75c6b6c541d078e6374f0212929b20a57b0c9e6772f002dfb3d6eb86f7611bec36b115b3932d8b826c06e0183c77f5980ffe0dcbe7067f4208d91dd8aa3ada0f

  • SSDEEP

    49152:SiDHNvsmt3qmLC26/59I+HV7CjfM6ZAMZnWMsKoIyW5hbh9CQEEOUwnZvAks:/HZ/Cd5u+HVh

Malware Config

Signatures

  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 64 IoCs
  • Loads dropped DLL 54 IoCs
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 47 IoCs
  • Drops file in Program Files directory 19 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
    "C:\Users\Admin\AppData\Local\Temp\039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:2168
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2636
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1968
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2844
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:588
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 174 -InterruptEvent 160 -NGENProcess 164 -Pipe 170 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2340
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 234 -NGENProcess 240 -Pipe 228 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2544
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 1e8 -NGENProcess 1d0 -Pipe 1d8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2368
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1e8 -InterruptEvent 25c -NGENProcess 250 -Pipe 258 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1600
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 260 -InterruptEvent 150 -NGENProcess 264 -Pipe 1e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1512
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 268 -InterruptEvent 150 -NGENProcess 260 -Pipe 250 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2112
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 150 -InterruptEvent 254 -NGENProcess 264 -Pipe 238 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:3044
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 1b8 -NGENProcess 264 -Pipe 138 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1620
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 1b8 -InterruptEvent 278 -NGENProcess 244 -Pipe 274 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2784
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 254 -NGENProcess 244 -Pipe 1d0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1824
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 280 -NGENProcess 264 -Pipe 26c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2156
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 280 -InterruptEvent 264 -NGENProcess 278 -Pipe 27c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2260
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 288 -NGENProcess 244 -Pipe 1b8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2060
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 288 -InterruptEvent 244 -NGENProcess 280 -Pipe 284 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2332
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 28c -NGENProcess 248 -Pipe 268 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2588
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 28c -InterruptEvent 248 -NGENProcess 288 -Pipe 270 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2648
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 298 -NGENProcess 278 -Pipe 260 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:848
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 290 -NGENProcess 278 -Pipe 29c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:944
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 290 -InterruptEvent 254 -NGENProcess 2a0 -Pipe 244 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:1780
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2a0 -NGENProcess 294 -Pipe 298 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1412
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2a0 -InterruptEvent 248 -NGENProcess 278 -Pipe 28c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1076
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 278 -NGENProcess 254 -Pipe 290 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2264
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 278 -InterruptEvent 2b0 -NGENProcess 294 -Pipe 2ac -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:996
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b0 -InterruptEvent 294 -NGENProcess 248 -Pipe 2a4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1208
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 294 -InterruptEvent 2b8 -NGENProcess 254 -Pipe 2a8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:684
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 254 -NGENProcess 2b0 -Pipe 2b4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:976
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 254 -InterruptEvent 2c0 -NGENProcess 248 -Pipe 278 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1788
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 248 -NGENProcess 2b8 -Pipe 2bc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2488
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2c8 -NGENProcess 2b0 -Pipe 294 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2392
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 2b0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2756
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 2d0 -NGENProcess 2b8 -Pipe 254 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1080
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2d0 -InterruptEvent 2b8 -NGENProcess 2cc -Pipe 288 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2168
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 2d8 -NGENProcess 2c0 -Pipe 280 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2952
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e0 -InterruptEvent 264 -NGENProcess 2c0 -Pipe 2dc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2628
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e4 -InterruptEvent 2d8 -NGENProcess 2e8 -Pipe 2e0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2624
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 2d8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2268
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2cc -InterruptEvent 2f0 -NGENProcess 264 -Pipe 2d0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2104
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2f0 -InterruptEvent 264 -NGENProcess 2ec -Pipe 2c8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Modifies data under HKEY_USERS
      PID:444
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 264 -InterruptEvent 2f8 -NGENProcess 2c4 -Pipe 2e4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1988
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 2c0 -NGENProcess 2f0 -Pipe 2f8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1612
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 2cc -NGENProcess 2c4 -Pipe 2a0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2484
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 2e8 -NGENProcess 2ec -Pipe 2cc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1620
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 30c -NGENProcess 2f4 -Pipe 308 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2348
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 2f4 -NGENProcess 300 -Pipe 2fc -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:1580
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 30c -NGENProcess 314 -Pipe 304 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1588
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 300 -InterruptEvent 248 -NGENProcess 2c4 -Pipe 2f4 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Drops file in Windows directory
      PID:2392
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 2c4 -NGENProcess 2c0 -Pipe 314 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2512
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 31c -NGENProcess 2ec -Pipe 2e8 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:556
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 320 -NGENProcess 318 -Pipe 30c -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1796
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 324 -NGENProcess 2c0 -Pipe 300 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2632
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 328 -NGENProcess 2ec -Pipe 310 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2332
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 32c -InterruptEvent 320 -NGENProcess 330 -Pipe 324 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1904
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 2c4 -NGENProcess 2ec -Pipe 264 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2660
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 2c4 -InterruptEvent 248 -NGENProcess 2f0 -Pipe 2c0 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2204
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 248 -InterruptEvent 338 -NGENProcess 330 -Pipe 334 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2884
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 33c -NGENProcess 31c -Pipe 248 -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:2652
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 340 -NGENProcess 2f0 -Pipe 2ec -Comment "NGen Worker Process"
      2⤵
      • Executes dropped EXE
      PID:1484
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 340 -InterruptEvent 344 -NGENProcess 330 -Pipe 320 -Comment "NGen Worker Process"
      2⤵
        PID:2616
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 348 -NGENProcess 31c -Pipe 2c4 -Comment "NGen Worker Process"
        2⤵
          PID:852
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 34c -NGENProcess 2f0 -Pipe 328 -Comment "NGen Worker Process"
          2⤵
            PID:784
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 338 -NGENProcess 330 -Pipe 33c -Comment "NGen Worker Process"
            2⤵
              PID:2656
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 338 -NGENProcess 344 -Pipe 318 -Comment "NGen Worker Process"
              2⤵
                PID:844
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 338 -InterruptEvent 354 -NGENProcess 2f0 -Pipe 340 -Comment "NGen Worker Process"
                2⤵
                  PID:2940
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 358 -NGENProcess 330 -Pipe 2d4 -Comment "NGen Worker Process"
                  2⤵
                  • Modifies data under HKEY_USERS
                  PID:1644
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 358 -InterruptEvent 35c -NGENProcess 344 -Pipe 350 -Comment "NGen Worker Process"
                  2⤵
                    PID:2432
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 360 -NGENProcess 2f0 -Pipe 32c -Comment "NGen Worker Process"
                    2⤵
                      PID:3048
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 364 -NGENProcess 330 -Pipe 348 -Comment "NGen Worker Process"
                      2⤵
                        PID:3000
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 338 -NGENProcess 344 -Pipe 354 -Comment "NGen Worker Process"
                        2⤵
                          PID:1704
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 344 -InterruptEvent 34c -NGENProcess 364 -Pipe 338 -Comment "NGen Worker Process"
                          2⤵
                            PID:340
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 370 -NGENProcess 35c -Pipe 36c -Comment "NGen Worker Process"
                            2⤵
                            • Loads dropped DLL
                            • Drops file in Windows directory
                            PID:1148
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 344 -Pipe 330 -Comment "NGen Worker Process"
                            2⤵
                              PID:2584
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 378 -NGENProcess 364 -Pipe 368 -Comment "NGen Worker Process"
                              2⤵
                                PID:2664
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 378 -InterruptEvent 37c -NGENProcess 374 -Pipe 31c -Comment "NGen Worker Process"
                                2⤵
                                  PID:1836
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 37c -InterruptEvent 380 -NGENProcess 344 -Pipe 34c -Comment "NGen Worker Process"
                                  2⤵
                                    PID:1816
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 380 -InterruptEvent 384 -NGENProcess 364 -Pipe 2f0 -Comment "NGen Worker Process"
                                    2⤵
                                      PID:2340
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 384 -InterruptEvent 370 -NGENProcess 380 -Pipe 378 -Comment "NGen Worker Process"
                                      2⤵
                                        PID:1580
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 370 -InterruptEvent 35c -NGENProcess 364 -Pipe 358 -Comment "NGen Worker Process"
                                        2⤵
                                          PID:1856
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 35c -InterruptEvent 390 -NGENProcess 374 -Pipe 38c -Comment "NGen Worker Process"
                                          2⤵
                                            PID:2820
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 390 -InterruptEvent 394 -NGENProcess 360 -Pipe 344 -Comment "NGen Worker Process"
                                            2⤵
                                              PID:1812
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 398 -NGENProcess 364 -Pipe 380 -Comment "NGen Worker Process"
                                              2⤵
                                                PID:2428
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 398 -InterruptEvent 39c -NGENProcess 374 -Pipe 384 -Comment "NGen Worker Process"
                                                2⤵
                                                  PID:2792
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 39c -InterruptEvent 3a0 -NGENProcess 360 -Pipe 370 -Comment "NGen Worker Process"
                                                  2⤵
                                                    PID:2448
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3a4 -NGENProcess 364 -Pipe 35c -Comment "NGen Worker Process"
                                                    2⤵
                                                      PID:2972
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3a8 -NGENProcess 374 -Pipe 390 -Comment "NGen Worker Process"
                                                      2⤵
                                                        PID:1628
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a8 -InterruptEvent 394 -NGENProcess 360 -Pipe 398 -Comment "NGen Worker Process"
                                                        2⤵
                                                          PID:2604
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 388 -InterruptEvent 3a4 -NGENProcess 3a8 -Pipe 3ac -Comment "NGen Worker Process"
                                                          2⤵
                                                            PID:2676
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a4 -InterruptEvent 3b4 -NGENProcess 3a0 -Pipe 3b0 -Comment "NGen Worker Process"
                                                            2⤵
                                                              PID:2076
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b8 -InterruptEvent 3b4 -NGENProcess 3a4 -Pipe 374 -Comment "NGen Worker Process"
                                                              2⤵
                                                                PID:1348
                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3b4 -InterruptEvent 364 -NGENProcess 3a0 -Pipe 39c -Comment "NGen Worker Process"
                                                                2⤵
                                                                  PID:2276
                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3c0 -NGENProcess 388 -Pipe 37c -Comment "NGen Worker Process"
                                                                  2⤵
                                                                    PID:2588
                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 3c4 -NGENProcess 3a4 -Pipe 3bc -Comment "NGen Worker Process"
                                                                    2⤵
                                                                      PID:904
                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c4 -InterruptEvent 360 -NGENProcess 3a0 -Pipe 3b8 -Comment "NGen Worker Process"
                                                                      2⤵
                                                                        PID:852
                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 394 -NGENProcess 3c4 -Pipe 360 -Comment "NGen Worker Process"
                                                                        2⤵
                                                                          PID:1496
                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 394 -InterruptEvent 3d0 -NGENProcess 364 -Pipe 3cc -Comment "NGen Worker Process"
                                                                          2⤵
                                                                            PID:2704
                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d0 -InterruptEvent 3d4 -NGENProcess 3a4 -Pipe 388 -Comment "NGen Worker Process"
                                                                            2⤵
                                                                              PID:2208
                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d4 -InterruptEvent 3c8 -NGENProcess 3c4 -Pipe 3a8 -Comment "NGen Worker Process"
                                                                              2⤵
                                                                                PID:1896
                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d8 -NGENProcess 2b8 -Pipe 3b4 -Comment "NGen Worker Process"
                                                                                2⤵
                                                                                  PID:1204
                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3d8 -InterruptEvent 3a0 -NGENProcess 3a4 -Pipe 394 -Comment "NGen Worker Process"
                                                                                  2⤵
                                                                                    PID:2272
                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3c8 -NGENProcess 3dc -Pipe 3d8 -Comment "NGen Worker Process"
                                                                                    2⤵
                                                                                      PID:572
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3c0 -NGENProcess 3a4 -Pipe 3e0 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                      • Modifies data under HKEY_USERS
                                                                                      PID:2376
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c0 -InterruptEvent 364 -NGENProcess 3c8 -Pipe 3c4 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      PID:592
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3c8 -NGENProcess 3a4 -Pipe 25c -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                      • Modifies data under HKEY_USERS
                                                                                      PID:2784
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3c8 -InterruptEvent 3d0 -NGENProcess 3dc -Pipe 3d4 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      PID:2408
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 364 -NGENProcess 3ec -Pipe 3c8 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                      • Modifies data under HKEY_USERS
                                                                                      PID:2392
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 3e8 -NGENProcess 3dc -Pipe 1c8 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                      • Loads dropped DLL
                                                                                      • Drops file in Windows directory
                                                                                      • Modifies data under HKEY_USERS
                                                                                      PID:2240
                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3e8 -InterruptEvent 3dc -NGENProcess 3a0 -Pipe 3d0 -Comment "NGen Worker Process"
                                                                                      2⤵
                                                                                        PID:2640
                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3dc -InterruptEvent 3f4 -NGENProcess 3ec -Pipe 3e4 -Comment "NGen Worker Process"
                                                                                        2⤵
                                                                                        • Modifies data under HKEY_USERS
                                                                                        PID:2332
                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f4 -InterruptEvent 1c4 -NGENProcess 3f0 -Pipe 364 -Comment "NGen Worker Process"
                                                                                        2⤵
                                                                                        • Loads dropped DLL
                                                                                        • Drops file in Windows directory
                                                                                        • Modifies data under HKEY_USERS
                                                                                        PID:932
                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3f8 -InterruptEvent 3ec -NGENProcess 3f0 -Pipe 3a4 -Comment "NGen Worker Process"
                                                                                        2⤵
                                                                                          PID:1140
                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 3ec -NGENProcess 3f8 -Pipe 3e8 -Comment "NGen Worker Process"
                                                                                          2⤵
                                                                                            PID:2004
                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3ec -InterruptEvent 3a0 -NGENProcess 3f0 -Pipe 3c0 -Comment "NGen Worker Process"
                                                                                            2⤵
                                                                                              PID:1780
                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3a0 -InterruptEvent 3fc -NGENProcess 408 -Pipe 3dc -Comment "NGen Worker Process"
                                                                                              2⤵
                                                                                                PID:2088
                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 23c -InterruptEvent 3ec -NGENProcess 40c -Pipe 3a0 -Comment "NGen Worker Process"
                                                                                                2⤵
                                                                                                  PID:1968
                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 408 -NGENProcess 23c -Pipe 3ec -Comment "NGen Worker Process"
                                                                                                  2⤵
                                                                                                    PID:2704
                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 408 -InterruptEvent 414 -NGENProcess 3f4 -Pipe 410 -Comment "NGen Worker Process"
                                                                                                    2⤵
                                                                                                      PID:2208
                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 418 -InterruptEvent 40c -NGENProcess 41c -Pipe 408 -Comment "NGen Worker Process"
                                                                                                      2⤵
                                                                                                        PID:1896
                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 40c -InterruptEvent 404 -NGENProcess 3f4 -Pipe 2b8 -Comment "NGen Worker Process"
                                                                                                        2⤵
                                                                                                          PID:2936
                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 420 -NGENProcess 414 -Pipe 3f0 -Comment "NGen Worker Process"
                                                                                                          2⤵
                                                                                                            PID:2636
                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 420 -InterruptEvent 424 -NGENProcess 41c -Pipe 1c4 -Comment "NGen Worker Process"
                                                                                                            2⤵
                                                                                                              PID:1364
                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 3fc -InterruptEvent 404 -NGENProcess 428 -Pipe 420 -Comment "NGen Worker Process"
                                                                                                              2⤵
                                                                                                                PID:1748
                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 404 -InterruptEvent 430 -NGENProcess 41c -Pipe 42c -Comment "NGen Worker Process"
                                                                                                                2⤵
                                                                                                                  PID:1704
                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 430 -InterruptEvent 434 -NGENProcess 414 -Pipe 418 -Comment "NGen Worker Process"
                                                                                                                  2⤵
                                                                                                                    PID:924
                                                                                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 434 -InterruptEvent 43c -NGENProcess 428 -Pipe 438 -Comment "NGen Worker Process"
                                                                                                                    2⤵
                                                                                                                      PID:2180
                                                                                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 43c -InterruptEvent 440 -NGENProcess 23c -Pipe 3f8 -Comment "NGen Worker Process"
                                                                                                                      2⤵
                                                                                                                        PID:2196
                                                                                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 440 -InterruptEvent 444 -NGENProcess 414 -Pipe 41c -Comment "NGen Worker Process"
                                                                                                                        2⤵
                                                                                                                          PID:2484
                                                                                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 444 -InterruptEvent 448 -NGENProcess 428 -Pipe 404 -Comment "NGen Worker Process"
                                                                                                                          2⤵
                                                                                                                            PID:2228
                                                                                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                            C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 448 -InterruptEvent 44c -NGENProcess 23c -Pipe 430 -Comment "NGen Worker Process"
                                                                                                                            2⤵
                                                                                                                              PID:1952
                                                                                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                              C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 44c -InterruptEvent 450 -NGENProcess 414 -Pipe 434 -Comment "NGen Worker Process"
                                                                                                                              2⤵
                                                                                                                                PID:2296
                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 450 -InterruptEvent 414 -NGENProcess 448 -Pipe 428 -Comment "NGen Worker Process"
                                                                                                                                2⤵
                                                                                                                                  PID:2116
                                                                                                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                                                                                                                                  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe -StartupEvent 414 -InterruptEvent 458 -NGENProcess 23c -Pipe 440 -Comment "NGen Worker Process"
                                                                                                                                  2⤵
                                                                                                                                  • Loads dropped DLL
                                                                                                                                  • Drops file in Windows directory
                                                                                                                                  PID:2988
                                                                                                                              • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
                                                                                                                                "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
                                                                                                                                1⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:2700
                                                                                                                              • C:\Windows\system32\IEEtwCollector.exe
                                                                                                                                C:\Windows\system32\IEEtwCollector.exe /V
                                                                                                                                1⤵
                                                                                                                                • Executes dropped EXE
                                                                                                                                PID:2000

                                                                                                                              Network

                                                                                                                              • flag-us
                                                                                                                                DNS
                                                                                                                                flingtrainer.com
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                8.8.8.8:53
                                                                                                                                 Request
                                                                                                                                 flingtrainer.com IN A
                                                                                                                                 Response
                                                                                                                                 flingtrainer.com IN A 104.26.15.72
                                                                                                                                 flingtrainer.com IN A 104.26.14.72
                                                                                                                                 flingtrainer.com IN A 172.67.73.26
                                                                                                                              • flag-us
                                                                                                                                GET
                                                                                                                                https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                104.26.15.72:443
                                                                                                                                Request
                                                                                                                                GET /wp-content/check-for-trainer-update/get-trainer-update HTTP/1.1
                                                                                                                                User-Agent: FLiNGTrainer
                                                                                                                                Host: flingtrainer.com
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Date: Tue, 15 Oct 2024 18:32:23 GMT
                                                                                                                                Content-Length: 6
                                                                                                                                Connection: keep-alive
                                                                                                                                vary: User-Agent
                                                                                                                                last-modified: Tue, 09 May 2023 12:34:22 GMT
                                                                                                                                etag: "6-5fb41f9908f80"
                                                                                                                                accept-ranges: bytes
                                                                                                                                Cache-Control: no-cache, no-store, must-revalidate
                                                                                                                                pragma: no-cache
                                                                                                                                expires: 0
                                                                                                                                x-frame-options: SAMEORIGIN
                                                                                                                                x-xss-protection: 1; mode=block
                                                                                                                                x-content-type-options: nosniff
                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=OxUYCUd3M0aBTvKqIJ%2Fv6vSfWAg28s9Fwx0%2BNIe%2FcMG2jJdkuc1rRtw1N%2BnFvFa%2BmNGALTgtw1njc9M0kzC30okI2fKLeXnuo96sqveB3VThLmmkdEYKt4oXv7ANogZtoLI%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                Server: cloudflare
                                                                                                                                CF-RAY: 8d31e43b4e9371a5-LHR
                                                                                                                              • flag-us
                                                                                                                                GET
                                                                                                                                https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-2-trainer
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                104.26.15.72:443
                                                                                                                                Request
                                                                                                                                GET /wp-content/check-for-trainer-update/resident-evil-2-trainer HTTP/1.1
                                                                                                                                User-Agent: FLiNGTrainer
                                                                                                                                Host: flingtrainer.com
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Date: Tue, 15 Oct 2024 18:32:23 GMT
                                                                                                                                Content-Length: 12
                                                                                                                                Connection: keep-alive
                                                                                                                                vary: User-Agent
                                                                                                                                last-modified: Wed, 22 Jun 2022 06:38:33 GMT
                                                                                                                                etag: "c-5e20396014c40"
                                                                                                                                accept-ranges: bytes
                                                                                                                                Cache-Control: no-cache, no-store, must-revalidate
                                                                                                                                pragma: no-cache
                                                                                                                                expires: 0
                                                                                                                                x-frame-options: SAMEORIGIN
                                                                                                                                x-xss-protection: 1; mode=block
                                                                                                                                x-content-type-options: nosniff
                                                                                                                                CF-Cache-Status: DYNAMIC
                                                                                                                                Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=5sfi6MXBSRv%2F4xysuw66zofBKRI2Xg27CM%2FRo0V3lzbI509GDzYCfky9yu1bl7dUSqsH5RLEsCHNRSn3ovuElGKyC%2BtsP3p4lYzWs6tk2kEvWV%2BqHztFcR6L08Dyegw2nIk%3D"}],"group":"cf-nel","max_age":604800}
                                                                                                                                NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
                                                                                                                                Server: cloudflare
                                                                                                                                CF-RAY: 8d31e43b7f12cdb2-LHR
                                                                                                                              • flag-us
                                                                                                                                DNS
                                                                                                                                c.pki.goog
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                8.8.8.8:53
                                                                                                                                Request
                                                                                                                                c.pki.goog
                                                                                                                                IN A
                                                                                                                                Response
                                                                                                                                c.pki.goog
                                                                                                                                IN CNAME
                                                                                                                                pki-goog.l.google.com
                                                                                                                                pki-goog.l.google.com
                                                                                                                                IN A
                                                                                                                                142.250.178.3
                                                                                                                              • flag-us
                                                                                                                                DNS
                                                                                                                                c.pki.goog
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                8.8.8.8:53
                                                                                                                                Request
                                                                                                                                c.pki.goog
                                                                                                                                IN A
                                                                                                                                Response
                                                                                                                                c.pki.goog
                                                                                                                                IN CNAME
                                                                                                                                pki-goog.l.google.com
                                                                                                                                pki-goog.l.google.com
                                                                                                                                IN A
                                                                                                                                142.250.178.3
                                                                                                                              • flag-gb
                                                                                                                                GET
                                                                                                                                http://c.pki.goog/r/gsr1.crl
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                142.250.178.3:80
                                                                                                                                Request
                                                                                                                                GET /r/gsr1.crl HTTP/1.1
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Accept: */*
                                                                                                                                User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                                Host: c.pki.goog
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Accept-Ranges: bytes
                                                                                                                                Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                                                Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                                                Content-Length: 1739
                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                Server: sffe
                                                                                                                                X-XSS-Protection: 0
                                                                                                                                Date: Tue, 15 Oct 2024 17:47:43 GMT
                                                                                                                                Expires: Tue, 15 Oct 2024 18:37:43 GMT
                                                                                                                                Cache-Control: public, max-age=3000
                                                                                                                                Age: 2680
                                                                                                                                Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
                                                                                                                                Content-Type: application/pkix-crl
                                                                                                                                Vary: Accept-Encoding
                                                                                                                              • flag-gb
                                                                                                                                GET
                                                                                                                                http://c.pki.goog/r/r4.crl
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                142.250.178.3:80
                                                                                                                                Request
                                                                                                                                GET /r/r4.crl HTTP/1.1
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Accept: */*
                                                                                                                                User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                                Host: c.pki.goog
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Accept-Ranges: bytes
                                                                                                                                Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                                                Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                                                Content-Length: 436
                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                Server: sffe
                                                                                                                                X-XSS-Protection: 0
                                                                                                                                Date: Tue, 15 Oct 2024 17:47:44 GMT
                                                                                                                                Expires: Tue, 15 Oct 2024 18:37:44 GMT
                                                                                                                                Cache-Control: public, max-age=3000
                                                                                                                                Age: 2679
                                                                                                                                Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                                                                                                Content-Type: application/pkix-crl
                                                                                                                                Vary: Accept-Encoding
                                                                                                                              • flag-gb
                                                                                                                                GET
                                                                                                                                http://c.pki.goog/r/gsr1.crl
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                142.250.178.3:80
                                                                                                                                Request
                                                                                                                                GET /r/gsr1.crl HTTP/1.1
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Accept: */*
                                                                                                                                User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                                Host: c.pki.goog
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Accept-Ranges: bytes
                                                                                                                                Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                                                Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                                                Content-Length: 1739
                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                Server: sffe
                                                                                                                                X-XSS-Protection: 0
                                                                                                                                Date: Tue, 15 Oct 2024 17:47:43 GMT
                                                                                                                                Expires: Tue, 15 Oct 2024 18:37:43 GMT
                                                                                                                                Cache-Control: public, max-age=3000
                                                                                                                                Age: 2680
                                                                                                                                Last-Modified: Mon, 07 Oct 2024 07:18:00 GMT
                                                                                                                                Content-Type: application/pkix-crl
                                                                                                                                Vary: Accept-Encoding
                                                                                                                              • flag-gb
                                                                                                                                GET
                                                                                                                                http://c.pki.goog/r/r4.crl
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                Remote address:
                                                                                                                                142.250.178.3:80
                                                                                                                                Request
                                                                                                                                GET /r/r4.crl HTTP/1.1
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Accept: */*
                                                                                                                                User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                                Host: c.pki.goog
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Accept-Ranges: bytes
                                                                                                                                Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
                                                                                                                                Cross-Origin-Resource-Policy: cross-origin
                                                                                                                                Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
                                                                                                                                Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
                                                                                                                                Content-Length: 436
                                                                                                                                X-Content-Type-Options: nosniff
                                                                                                                                Server: sffe
                                                                                                                                X-XSS-Protection: 0
                                                                                                                                Date: Tue, 15 Oct 2024 17:47:44 GMT
                                                                                                                                Expires: Tue, 15 Oct 2024 18:37:44 GMT
                                                                                                                                Cache-Control: public, max-age=3000
                                                                                                                                Age: 2679
                                                                                                                                Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
                                                                                                                                Content-Type: application/pkix-crl
                                                                                                                                Vary: Accept-Encoding
                                                                                                                              • flag-us
                                                                                                                                DNS
                                                                                                                                crl.microsoft.com
                                                                                                                                mscorsvw.exe
                                                                                                                                Remote address:
                                                                                                                                8.8.8.8:53
                                                                                                                                Request
                                                                                                                                crl.microsoft.com
                                                                                                                                IN A
                                                                                                                                Response
                                                                                                                                crl.microsoft.com
                                                                                                                                IN CNAME
                                                                                                                                crl.www.ms.akadns.net
                                                                                                                                crl.www.ms.akadns.net
                                                                                                                                IN CNAME
                                                                                                                                a1363.dscg.akamai.net
                                                                                                                                a1363.dscg.akamai.net
                                                                                                                                IN A
                                                                                                                                2.19.117.18
                                                                                                                                a1363.dscg.akamai.net
                                                                                                                                IN A
                                                                                                                                2.19.117.22
                                                                                                                              • flag-gb
                                                                                                                                GET
                                                                                                                                http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
                                                                                                                                Remote address:
                                                                                                                                2.19.117.18:80
                                                                                                                                Request
                                                                                                                                GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Accept: */*
                                                                                                                                If-Modified-Since: Thu, 11 Jul 2024 01:45:51 GMT
                                                                                                                                User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                                Host: crl.microsoft.com
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Content-Length: 1036
                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                Content-MD5: 8M9bF5Tsp81z+cAg2quO8g==
                                                                                                                                Last-Modified: Thu, 26 Sep 2024 02:21:11 GMT
                                                                                                                                ETag: 0x8DCDDD1E3AF2C76
                                                                                                                                Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                                                                                                                x-ms-request-id: b28c4ea1-d01e-0016-0ebc-0fa13d000000
                                                                                                                                x-ms-version: 2009-09-19
                                                                                                                                x-ms-lease-status: unlocked
                                                                                                                                x-ms-blob-type: BlockBlob
                                                                                                                                Date: Tue, 15 Oct 2024 18:32:53 GMT
                                                                                                                                Connection: keep-alive
                                                                                                                              • flag-us
                                                                                                                                DNS
                                                                                                                                crl.microsoft.com
                                                                                                                                mscorsvw.exe
                                                                                                                                Remote address:
                                                                                                                                8.8.8.8:53
                                                                                                                                Request
                                                                                                                                crl.microsoft.com
                                                                                                                                IN A
                                                                                                                                Response
                                                                                                                                crl.microsoft.com
                                                                                                                                IN CNAME
                                                                                                                                crl.www.ms.akadns.net
                                                                                                                                crl.www.ms.akadns.net
                                                                                                                                IN CNAME
                                                                                                                                a1363.dscg.akamai.net
                                                                                                                                a1363.dscg.akamai.net
                                                                                                                                IN A
                                                                                                                                2.19.117.18
                                                                                                                                a1363.dscg.akamai.net
                                                                                                                                IN A
                                                                                                                                2.19.117.22
                                                                                                                              • flag-gb
                                                                                                                                GET
                                                                                                                                http://crl.microsoft.com/pki/crl/products/CSPCA.crl
                                                                                                                                mscorsvw.exe
                                                                                                                                Remote address:
                                                                                                                                2.19.117.18:80
                                                                                                                                Request
                                                                                                                                GET /pki/crl/products/CSPCA.crl HTTP/1.1
                                                                                                                                Connection: Keep-Alive
                                                                                                                                Accept: */*
                                                                                                                                If-Modified-Since: Sat, 28 Feb 2009 02:01:22 GMT
                                                                                                                                If-None-Match: "0c55744899c91:0"
                                                                                                                                User-Agent: Microsoft-CryptoAPI/6.1
                                                                                                                                Host: crl.microsoft.com
                                                                                                                                Response
                                                                                                                                HTTP/1.1 200 OK
                                                                                                                                Content-Length: 506
                                                                                                                                Content-Type: application/octet-stream
                                                                                                                                Content-MD5: om3LuUjaBeyK+XiF29FJsA==
                                                                                                                                Last-Modified: Thu, 02 Aug 2018 21:09:09 GMT
                                                                                                                                ETag: 0x8D5F8BC3066B2E2
                                                                                                                                Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
                                                                                                                                x-ms-request-id: 391e2ae6-a01e-000d-31a7-088f64000000
                                                                                                                                x-ms-version: 2009-09-19
                                                                                                                                x-ms-lease-status: unlocked
                                                                                                                                x-ms-blob-type: BlockBlob
                                                                                                                                Date: Tue, 15 Oct 2024 18:34:16 GMT
                                                                                                                                Connection: keep-alive
                                                                                                                              • 104.26.15.72:443
                                                                                                                                https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update
                                                                                                                                tls, http
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                904 B
                                                                                                                                5.3kB
                                                                                                                                10
                                                                                                                                10

                                                                                                                                HTTP Request

                                                                                                                                GET https://flingtrainer.com/wp-content/check-for-trainer-update/get-trainer-update

                                                                                                                                HTTP Response

                                                                                                                                200
                                                                                                                              • 104.26.15.72:443
                                                                                                                                https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-2-trainer
                                                                                                                                tls, http
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                909 B
                                                                                                                                5.3kB
                                                                                                                                10
                                                                                                                                10

                                                                                                                                HTTP Request

                                                                                                                                GET https://flingtrainer.com/wp-content/check-for-trainer-update/resident-evil-2-trainer

                                                                                                                                HTTP Response

                                                                                                                                200
                                                                                                                              • 142.250.178.3:80
                                                                                                                                http://c.pki.goog/r/r4.crl
                                                                                                                                http
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                560 B
                                                                                                                                5.0kB
                                                                                                                                7
                                                                                                                                6

                                                                                                                                HTTP Request

                                                                                                                                GET http://c.pki.goog/r/gsr1.crl

                                                                                                                                HTTP Response

                                                                                                                                200

                                                                                                                                HTTP Request

                                                                                                                                GET http://c.pki.goog/r/r4.crl

                                                                                                                                HTTP Response

                                                                                                                                200
                                                                                                                              • 142.250.178.3:80
                                                                                                                                http://c.pki.goog/r/r4.crl
                                                                                                                                http
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                606 B
                                                                                                                                5.0kB
                                                                                                                                8
                                                                                                                                6

                                                                                                                                HTTP Request

                                                                                                                                GET http://c.pki.goog/r/gsr1.crl

                                                                                                                                HTTP Response

                                                                                                                                200

                                                                                                                                HTTP Request

                                                                                                                                GET http://c.pki.goog/r/r4.crl

                                                                                                                                HTTP Response

                                                                                                                                200
                                                                                                                              • 2.19.117.18:80
                                                                                                                                http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
                                                                                                                                http
                                                                                                                                399 B
                                                                                                                                1.7kB
                                                                                                                                4
                                                                                                                                4

                                                                                                                                HTTP Request

                                                                                                                                GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

                                                                                                                                HTTP Response

                                                                                                                                200
                                                                                                                              • 2.19.117.18:80
                                                                                                                                http://crl.microsoft.com/pki/crl/products/CSPCA.crl
                                                                                                                                http
                                                                                                                                mscorsvw.exe
                                                                                                                                463 B
                                                                                                                                2.1kB
                                                                                                                                5
                                                                                                                                4

                                                                                                                                HTTP Request

                                                                                                                                GET http://crl.microsoft.com/pki/crl/products/CSPCA.crl

                                                                                                                                HTTP Response

                                                                                                                                200
                                                                                                                              • 8.8.8.8:53
                                                                                                                                flingtrainer.com
                                                                                                                                dns
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                62 B
                                                                                                                                110 B
                                                                                                                                1
                                                                                                                                1

                                                                                                                                DNS Request

                                                                                                                                flingtrainer.com

                                                                                                                                DNS Response

                                                                                                                                104.26.15.72
                                                                                                                                104.26.14.72
                                                                                                                                172.67.73.26

                                                                                                                              • 8.8.8.8:53
                                                                                                                                c.pki.goog
                                                                                                                                dns
                                                                                                                                039d48320a3edaf1db8a2a8b2d5b9ef5097959fedeb8b904267fc32b1c0061e2.exe
                                                                                                                                56 B
                                                                                                                                107 B
                                                                                                                                1
                                                                                                                                1

                                                                                                                                DNS Request

                                                                                                                                c.pki.goog

                                                                                                                                DNS Response

                                                                                                                                142.250.178.3

                                                                                                                              • 8.8.8.8:53
                                                                                                                                crl.microsoft.com
                                                                                                                                dns
                                                                                                                                mscorsvw.exe
                                                                                                                                63 B
                                                                                                                                162 B
                                                                                                                                1
                                                                                                                                1

                                                                                                                                DNS Request

                                                                                                                                crl.microsoft.com

                                                                                                                                DNS Response

                                                                                                                                2.19.117.18
                                                                                                                                2.19.117.22

                                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                                              Downloads

                                                                                                                              • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp

                                                                                                                                Filesize

                                                                                                                                694KB

                                                                                                                              • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

                                                                                                                                Filesize

                                                                                                                                1.6MB

                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

                                                                                                                                Filesize

                                                                                                                                872KB

                                                                                                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

                                                                                                                                Filesize

                                                                                                                                613KB

                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

                                                                                                                                Filesize

                                                                                                                                1003KB

                                                                                                                              • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

                                                                                                                                Filesize

                                                                                                                                644KB

                                                                                                                              • C:\Windows\System32\ieetwcollector.exe

                                                                                                                                Filesize

                                                                                                                                666KB

                                                                                                                              • C:\Windows\Temp\CabBEEC.tmp

                                                                                                                                Filesize

                                                                                                                                29KB

                                                                                                                              • C:\Windows\Temp\TarBFF7.tmp

                                                                                                                                Filesize

                                                                                                                                81KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft-Windows-H#\a46df77acafec60e31859608625e6354\Microsoft-Windows-HomeGroupDiagnostic.NetListMgr.Interop.ni.dll

                                                                                                                                Filesize

                                                                                                                                105KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\11940d5133d63001fa4499c315655e15\Microsoft.Office.Tools.Word.v9.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                1.1MB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\6337d25ea4dd40045a047cb662ee4394\Microsoft.Office.Tools.Outlook.v9.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                238KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dc8ba97b4a8deefeb1efac60e1bdb693\Microsoft.Office.Tools.Excel.v9.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.Office.To#\dd4deeafd891c39e6eb4a2daaafa9124\Microsoft.Office.Tools.Common.v9.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                1.0MB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\077a55be734d6ef6e2de59fa7325dac5\Microsoft.VisualStudio.Tools.Office.Contract.v9.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                205KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\2951791a1aa22719b6fdcb816f7e6c04\Microsoft.VisualStudio.Tools.Office.Contract.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                43KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\369a81b278211f8d96a305e918172713\Microsoft.VisualStudio.Tools.Applications.Runtime.v9.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                198KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\4b363c5e4c1eae1701bf45d167f8658f\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                91KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\6e100177db1ef25970ca4a9eba03c352\Microsoft.VisualStudio.Tools.Applications.Contract.v9.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                70KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\76b549af81e6f61157e9e4d62310c93d\Microsoft.VisualStudio.Tools.Office.Outlook.HostAdapter.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                122KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\77f00d3b4d847c1dd38a1c69e4ef5cb1\Microsoft.VisualStudio.Tools.Applications.Runtime.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                87KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9e076728e51ab285a8bc0f0b0a226e2c\Microsoft.VisualStudio.Tools.Applications.HostAdapter.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                82KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\9f6aa22f0006f171692dd268020237dc\Microsoft.VisualStudio.Tools.Office.Excel.HostAdapter.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                271KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\ddcbce37296c413d8d125b3938f2defa\Microsoft.VisualStudio.Tools.Office.Word.HostAdapter.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                305KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\e2fbc61ee4836ca67319e07c50f6b85e\Microsoft.VisualStudio.Tools.Office.HostAdapter.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                221KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\Microsoft.VisualStu#\fe8d06712eb58d0150803744020b072a\Microsoft.VisualStudio.Tools.Applications.Contract.v10.0.ni.dll

                                                                                                                                Filesize

                                                                                                                                43KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiActivScp\ee22f412f6314443add3ca412afd6569\ehiActivScp.ni.dll

                                                                                                                                Filesize

                                                                                                                                124KB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\ehiVidCtl\11d57f5c033326954c0bc4f0b2680812\ehiVidCtl.ni.dll

                                                                                                                                Filesize

                                                                                                                                2.1MB

                                                                                                                              • C:\Windows\assembly\NativeImages_v2.0.50727_64\stdole\70f1aed4a280583cbd09e0f5d9bbc1f5\stdole.ni.dll

                                                                                                                                Filesize

                                                                                                                                88KB

                                                                                                                              • \??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe

                                                                                                                                Filesize

                                                                                                                                694KB

                                                                                                                              • \??\c:\program files (x86)\microsoft office\office14\groove.exe

                                                                                                                                Filesize

                                                                                                                                30.1MB

                                                                                                                              • \??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe

                                                                                                                                Filesize

                                                                                                                                769KB


                                                                                                                              • \??\c:\program files\windows media player\wmpnetwk.exe

                                                                                                                                Filesize

                                                                                                                                2.0MB


                                                                                                                              • \??\c:\windows\ehome\ehrecvr.exe

                                                                                                                                Filesize

                                                                                                                                1.2MB


                                                                                                                              • \??\c:\windows\ehome\ehsched.exe

                                                                                                                                Filesize

                                                                                                                                679KB


                                                                                                                              • \??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe

                                                                                                                                Filesize

                                                                                                                                591KB


                                                                                                                              • \??\c:\windows\system32\alg.exe

                                                                                                                                Filesize

                                                                                                                                632KB


                                                                                                                              • \??\c:\windows\system32\fxssvc.exe

                                                                                                                                Filesize

                                                                                                                                1.2MB


                                                                                                                              • \??\c:\windows\system32\msdtc.exe

                                                                                                                                Filesize

                                                                                                                                693KB


                                                                                                                              • \??\c:\windows\system32\msiexec.exe

                                                                                                                                Filesize

                                                                                                                                679KB


                                                                                                                              • \??\c:\windows\system32\searchindexer.exe

                                                                                                                                Filesize

                                                                                                                                1.1MB


                                                                                                                              • \??\c:\windows\system32\snmptrap.exe

                                                                                                                                Filesize

                                                                                                                                569KB


                                                                                                                              • \??\c:\windows\system32\ui0detect.exe

                                                                                                                                Filesize

                                                                                                                                595KB


                                                                                                                              • \??\c:\windows\system32\vds.exe

                                                                                                                                Filesize

                                                                                                                                1.1MB


                                                                                                                              • \??\c:\windows\system32\vssvc.exe

                                                                                                                                Filesize

                                                                                                                                2.1MB


                                                                                                                              • \??\c:\windows\system32\wbem\wmiApsrv.exe

                                                                                                                                Filesize

                                                                                                                                753KB


                                                                                                                              • \??\c:\windows\system32\wbengine.exe

                                                                                                                                Filesize

                                                                                                                                2.0MB


                                                                                                                              • \Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

                                                                                                                                Filesize

                                                                                                                                2.1MB


                                                                                                                              • \Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

                                                                                                                                Filesize

                                                                                                                                636KB


  • \Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

    Filesize

    666KB


  • \Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4412.tmp\Microsoft.VisualStudio.Tools.Applications.AddInAdapter.v9.0.dll

    Filesize

    85KB


  • \Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP471E.tmp\Microsoft.VisualStudio.Tools.Office.AddInAdapter.v9.0.dll

    Filesize

    298KB


  • \Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4A88.tmp\Microsoft.VisualStudio.Tools.Office.Excel.AddInAdapter.v9.0.dll

    Filesize

    58KB


  • \Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4D65.tmp\Microsoft.VisualStudio.Tools.Office.Word.AddInAdapter.v9.0.dll

    Filesize

    58KB


  • \Windows\assembly\NativeImages_v2.0.50727_64\Temp\ZAP4FB6.tmp\Microsoft.Office.Tools.v9.0.dll

    Filesize

    248KB



                                                                                                                              • memory/2168-57-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-1-0x0000000140031000-0x0000000140032000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/2168-5-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-4-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-229-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-3-0x00000000029B0000-0x00000000029F8000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                288KB

                                                                                                                              • memory/2168-2-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-13-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-7-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-11-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2168-12-0x0000000140000000-0x000000014032E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.2MB

                                                                                                                              • memory/2260-335-0x000000001C520000-0x000000001C52E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                56KB

                                                                                                                              • memory/2260-334-0x00000000030A0000-0x00000000030B6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                88KB

                                                                                                                              • memory/2260-336-0x000000001C530000-0x000000001C544000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                80KB

                                                                                                                              • memory/2260-333-0x0000000003040000-0x000000000304C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                48KB

                                                                                                                              • memory/2340-192-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2340-219-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2368-236-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2368-238-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2544-218-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2544-220-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2636-58-0x000000001000C000-0x000000001000D000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/2636-56-0x0000000010000000-0x00000000101CD000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                              • memory/2636-92-0x0000000010000000-0x00000000101CD000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                              • memory/2700-122-0x0000000140000000-0x0000000140391000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                3.6MB

                                                                                                                              • memory/2784-283-0x0000000000840000-0x0000000000856000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                88KB

                                                                                                                              • memory/2784-284-0x00000000008A0000-0x00000000008E8000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                288KB

                                                                                                                              • memory/2784-277-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2784-285-0x0000000000860000-0x000000000087A000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                104KB

                                                                                                                              • memory/2784-302-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/2784-282-0x0000000000830000-0x000000000083E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                56KB

                                                                                                                              • memory/2784-281-0x0000000000820000-0x000000000082C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                48KB

                                                                                                                              • memory/2784-280-0x00000000005A0000-0x00000000005B8000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                96KB

                                                                                                                              • memory/2784-293-0x0000000003210000-0x0000000003228000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                96KB

                                                                                                                              • memory/2784-294-0x0000000003210000-0x0000000003228000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                96KB

                                                                                                                              • memory/2784-286-0x00000000008F0000-0x000000000090E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                120KB

                                                                                                                              • memory/2844-196-0x0000000000400000-0x00000000005D6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                              • memory/2844-187-0x0000000000400000-0x00000000005D6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                              • memory/2844-82-0x0000000000400000-0x00000000005D6000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                1.8MB

                                                                                                                              • memory/2844-90-0x0000000000402000-0x0000000000403000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                4KB

                                                                                                                              • memory/3044-255-0x0000000003160000-0x0000000003176000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                88KB

                                                                                                                              • memory/3044-252-0x0000000002F30000-0x0000000002F3E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                56KB

                                                                                                                              • memory/3044-249-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/3044-270-0x0000000140000000-0x0000000140207000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                2.0MB

                                                                                                                              • memory/3044-254-0x0000000003110000-0x0000000003158000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                288KB

                                                                                                                              • memory/3044-253-0x0000000003100000-0x000000000310C000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                48KB

                                                                                                                              • memory/3044-259-0x000000001C580000-0x000000001C58E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                56KB

                                                                                                                              • memory/3044-260-0x000000001C580000-0x000000001C58E000-memory.dmp

                                                                                                                                Filesize

                                                                                                                                56KB
