remcos | bad948017a4001a3e9a82fd53bfddb4fd9ddeba4a03eae6aa71a48f3eb69eaad

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cotización.exe
Size

633KB
MD5

a3d33d33f8b10595c252ee8e61a8892c
SHA1

f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
SHA256

fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1
SHA512

5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0
SSDEEP

6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

2.58.56.182:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GM05WY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 2408 set thread context of 2912	2408	Cotización.exe	43
PID 2408 set thread context of 2504	2408	Cotización.exe	53
PID 2408 set thread context of 812	2408	Cotización.exe	63
PID 2408 set thread context of 1452	2408	Cotización.exe	73
PID 2408 set thread context of 900	2408	Cotización.exe	83
PID 2408 set thread context of 2904	2408	Cotización.exe	93
PID 2408 set thread context of 1704	2408	Cotización.exe	103
PID 2408 set thread context of 1728	2408	Cotización.exe	113
PID 2408 set thread context of 2592	2408	Cotización.exe	123
PID 2408 set thread context of 1164	2408	Cotización.exe	133
PID 2408 set thread context of 2876	2408	Cotización.exe	143
PID 2408 set thread context of 1532	2408	Cotización.exe	153
PID 2408 set thread context of 3380	2408	Cotización.exe	163
PID 2408 set thread context of 3964	2408	Cotización.exe	173
PID 2408 set thread context of 936	2408	Cotización.exe	183
PID 2408 set thread context of 3644	2408	Cotización.exe	193
PID 2408 set thread context of 1212	2408	Cotización.exe	205
PID 2408 set thread context of 1648	2408	Cotización.exe	215
PID 2408 set thread context of 1216	2408	Cotización.exe	225
PID 2408 set thread context of 3080	2408	Cotización.exe	235
PID 2408 set thread context of 1780	2408	Cotización.exe	245
PID 2408 set thread context of 1960	2408	Cotización.exe	255
PID 2408 set thread context of 4168	2408	Cotización.exe	265
PID 2408 set thread context of 4708	2408	Cotización.exe	275
PID 2408 set thread context of 3608	2408	Cotización.exe	285
PID 2408 set thread context of 4232	2408	Cotización.exe	295

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00000.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vstdlib_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20240708_153054_896.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154725-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\1008fba4-e12e-4fb6-b030-9ef025751633.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0F15.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0F15.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137.html	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154019-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Kno77CD.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154019-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\FXSAPIDebugLogFile.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install_reg.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_SetupUtility.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Kno77CD.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154528-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154335-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154528-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0F5D.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0F5D.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0F5D.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0F5D.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0F15.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0F15.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\1008fba4-e12e-4fb6-b030-9ef025751633.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Kno6E10.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\FXSAPIDebugLogFile.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154206-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137-MSI_netfx_Full_x64.msi.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137-MSI_netfx_Full_x64.msi.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Admin.bmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00000.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Kno6E10.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154725-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20240708_153055_583.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\de2794d7-234b-41a8-bb47-48c478696e49.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ose00000.exe	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\RGI5E28.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\tier0_s64.dll	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wmsetup.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00001.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\RD48A3.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\RGI5E28.tmp-tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Admin.bmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00001.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20240708_153055_583.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_SetupUtility.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	Cotización.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	Cotización.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2764	2408	Cotización.exe	30
PID 2408 wrote to memory of 2764	2408	Cotización.exe	30
PID 2408 wrote to memory of 2764	2408	Cotización.exe	30
PID 2764 wrote to memory of 2864	2764	cmd.exe	32
PID 2764 wrote to memory of 2864	2764	cmd.exe	32
PID 2764 wrote to memory of 2864	2764	cmd.exe	32
PID 2864 wrote to memory of 2880	2864	cmd.exe	33
PID 2864 wrote to memory of 2880	2864	cmd.exe	33
PID 2864 wrote to memory of 2880	2864	cmd.exe	33
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2884	2408	Cotización.exe	34
PID 2408 wrote to memory of 2620	2408	Cotización.exe	35
PID 2408 wrote to memory of 2620	2408	Cotización.exe	35
PID 2408 wrote to memory of 2620	2408	Cotización.exe	35
PID 2408 wrote to memory of 2620	2408	Cotización.exe	35
PID 2408 wrote to memory of 2804	2408	Cotización.exe	36
PID 2408 wrote to memory of 2804	2408	Cotización.exe	36
PID 2408 wrote to memory of 2804	2408	Cotización.exe	36
PID 2408 wrote to memory of 2804	2408	Cotización.exe	36
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 3004	2408	Cotización.exe	37
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2640	2408	Cotización.exe	38
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2612	2408	Cotización.exe	39
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40
PID 2408 wrote to memory of 2256	2408	Cotización.exe	40

C:\Users\Admin\AppData\Local\Temp\Cotización.exe
"C:\Users\Admin\AppData\Local\Temp\Cotización.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2804
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2640
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2612
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:672
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1404
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1976
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1440
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2964
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2420
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:408
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3016
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3056
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1288
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1948
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1504
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1644
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:584
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2836
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2676
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:276
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1916
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3036
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1536
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:596
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1980
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2856
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2808
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2648
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:636
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1268
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1908
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2972
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1684
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1408
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:952
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2660
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2792
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2336
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1744
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:400
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2428
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1784
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2100
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1120
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1728
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1448
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1100
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1904
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2848
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2592
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2832
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2624
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2664
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2992
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1716
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:860
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1164
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2280
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1464
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2436
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2728
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2052
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1484
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2724
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2268
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2308
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2440
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1532
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2784
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3100
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3156
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3268
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3324
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3620
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3628
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3684
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3740
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3796
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3852
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3908
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1428
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3220
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3344
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3568
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2772
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3192
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3312
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3320
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3940
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3112
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3540
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3996
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4060
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4068
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2800
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1792
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2860
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2672
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1212
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3304
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3120
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3668
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3564
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3188
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3600
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1708
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3932
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3516
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3532
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1216
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1096
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4036
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3208
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3416
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2400
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2768
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3656
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2820
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3696
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3936
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3864
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1272
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3736
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3460
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2544
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3284
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1604
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3692
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4028
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3252
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3956
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1516
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3716
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3028
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4112
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4352
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4360
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:4428
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:4484
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4596
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4652
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:4708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4888
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4948
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:5012
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:5068
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3388
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3020
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3528
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3608
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3676
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4452
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:4076
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1868
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4660
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4176
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:4232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\1008fba4-e12e-4fb6-b030-9ef025751633.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00000.log

Filesize
4KB

MD5
7430f6882bc559117eaeab93eae0863e

SHA1
aac50a7983db51a646f280b55845a7b79ec28650

SHA256
f5234b9df1c5254c2733e741695bc55b0c359688c1cc971089a0b25359abe0f2

SHA512
817bfd416685487d19b0e2b293d2abca4374d005ae0eb67ae621373fa47ac0a2dab5f3781abc4f0072523586e92f9be40456e1d0049ccc8d916d619da1e54d6f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00001.log

Filesize
2KB

MD5
5f92ace48d41fe6e3f2c47c592077df5

SHA1
9ecd972f280d1640aa7ab07f5c7b393de2283194

SHA256
0fb017d05d70cb17358a99e12b65ffa91923121c732920dc0e115aa34695a2c2

SHA512
7711e0a5da5e79e41b05452b0fc857678a65fee29483ca084e260389a9a7e369f9adf46f05814d737a912e87fb1134797697a9fe6d9b1b707d4dc9425c0168c2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Admin.bmp

Filesize
48KB

MD5
343fa15c150a516b20cc9f787cfd530e

SHA1
369e8ac39d762e531d961c58b8c5dc84d19ba989

SHA256
d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524

SHA512
7726bd196cfee176f3d2002e30d353f991ffeafda90bac23d0b44c84c104aa263b0c78f390dd85833635667a3ca3863d2e8cd806dad5751f7984b2d34cafdc57

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe

Filesize
633KB

MD5
a3d33d33f8b10595c252ee8e61a8892c

SHA1
f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

SHA256
fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

SHA512
5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log

Filesize
4KB

MD5
612a650d1c773ee52d62546e66ff5918

SHA1
a7479722bea44f8719b651ba69aa337d60da4290

SHA256
9e0774deea09130ce23833cc3f0118e8dd06750e3570a230b199c87cdf354c00

SHA512
5882a9d5340d0197c660d0774f22a82f03a0fc73d14476c47d3ab86dfea8f80850bfb8af7a9433b120f4728da4889083086666145b3e2390966e6816ad981483

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137-MSI_netfx_Full_x64.msi.txt

Filesize
12.4MB

MD5
0fdc9a757021f4dd42ae8301ff4bc1c7

SHA1
548775e8c672dc3023ca1bce981a58be26efe33b

SHA256
437528e0cdbb1567a855d4fe15c24dd949f5924d8de38cdddd8be21caff3a17c

SHA512
0f5c90d400b333ed8bcbc6a4b86106b3ad907af14e50fd64571cc988277ef98332aa0cbd6f0462aa91533618c4d9ef509537d9c53b342f321b7cdf7d6f7f732c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20240708_153041137.html

Filesize
1.1MB

MD5
b9727a3394f7234f444a7235e793683f

SHA1
ba8d886c1c40f268d8a72bee3392b2660d5856a5

SHA256
232a69a77b033f9071aee476885bdbe7d31e454d7a203d8da405742de08ee6da

SHA512
791443a591836182c0d242cefdf069e58fb7bc241555da5e28140b2fff48d772fee02faa69b74607c6fc73d6607193ba4b7f66a6aa1c43cf2433372d2bd4f1f2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log

Filesize
4KB

MD5
dfd88a8db6c1ac608b9e614e78baf2d0

SHA1
60a73aa32979d8d78bd4eacb5358cd0733e7787a

SHA256
626e29df7a60dc58782637c78969b667e7f1e1529edc6dd62b7023c9866068e5

SHA512
7a6e1f04515e086665e3561669e52742b371bace6c58035c9dc19d57e6cfa051759c180b30ca03a2f2ecf7b351f2bbc6e795a10f13e63a0a3299cf2ac56b0a9d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
b5aa8dc8e8031ffc6cae71a75f3e6a6e

SHA1
cd2614c5593d6bbcadda171639b41097a05b3f4c

SHA256
32d85b86a71d39095bf37fb766d11a09f86df1ce91e126b4607be35c013df2b9

SHA512
a25d2c1969650121a20fbe5ce6c208d3ba1ff536604da3369e516d6763ba3094b57ac856379258b8c6bc61e3e1e8597b62dce4ae606ce1d4d7864f650dc503f6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_SetupUtility.txt

Filesize
2KB

MD5
4a785c694410c688c95befa8df7a7bc2

SHA1
6c61f7a135e17db635cebabe7c931704da3fcb34

SHA256
402b7c847d6755efb60dcf6c46ce745baa271e64dffee687f87b16777ef70aad

SHA512
57ab829e04abc0001dcdbe179d04818dad6cbb1940ad2cb0cd32f253b43feb6e38b6f54c41d11f94f02dcb53efbfe7d42f58341a5a8e21b6a5973b886132e915

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0F15.txt

Filesize
423KB

MD5
080ef5af9c893905abe9aeb4b28f4288

SHA1
4fa760bd2936b66f9fe854bdfdfbc8fd815e792a

SHA256
22804ffa6a6a918e368696836772ab16660b5d91c9e5bc85ff9c8711dca7a3b2

SHA512
6334d6775783b31f5e92bd3d8b5d3f15da1c58b16d8bdf57e8f51845f71c6d89e8b761a1d039f47aff097395a503bec5437338752f991173d709346f5b82c34c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0F5D.txt

Filesize
411KB

MD5
ea638bf042bdd19983d1f833499d6261

SHA1
c3ce8579623670fbf5c1799d991d39b939b3dbb1

SHA256
6a0c0ae27b4dcf6fcd35e4be235e7931bcb70b3a626264c942cc9514d201636d

SHA512
ea76699ace62488bec51785076ab706f0ea789fb9f8a4065113cad15ec68309230d60366229fc21400da22cfa4e9365d318e2521e2913b430f225e474ba69945

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0F15.txt

Filesize
11KB

MD5
515d0ba89cfed7f4407d78c3de4f8c15

SHA1
c7c68a3b0d310ff6b61d4816f537991763444640

SHA256
9192510da8eb52ec474db19369bbebfcbc0c66e1447675b4212b4075a8b31170

SHA512
d5284ef329bd45a77bef1bdd99de72a4e541ef93e8918f725db8568816426da4422474ac1798ea9e575b7987ba4cbac82c1bb7d9268cec55621ee268510c3356

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0F5D.txt

Filesize
11KB

MD5
686c58a072059bc7342f84a2489c0787

SHA1
450d9210d897ada9f5adc3a564bea809528627fa

SHA256
c08d372cb8a6001641a87f88d1596509f1ece45451c78278de0eb9f0b971d24b

SHA512
0f0f8d4077dc8edb838749b98ceb1437268114938be1110f9c917ff0a1e45ce759c42e573b8c613e1b61b2f8e1308d61f3639b442b49c0da2e6948b1b9caca58

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20240708_153054_896.txt

Filesize
7KB

MD5
320472813b8ab5662287732d384fbfca

SHA1
9a0a8b6691d97dce2a77e61e56e6b8872f267e81

SHA256
574231e6aae45b6bdee5f28205ddccbb3e9fd5abcf17126da35f1d46a044e099

SHA512
6a59d28fb6aeec52b2e87531755c9cd5a85aa050827f79a675c289646cfe4941dcae4c8d441b4a9ef8f32f82223d0c069f0528d7c4e50c4e5cac0fbdebe9bfdf

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20240708_153055_583.txt

Filesize
2KB

MD5
e47e4178dd340dc75fdff8d5f002cc78

SHA1
e8c5d798ce4d6af3f6caba2f003338b76d01d00d

SHA256
6878ea285c5a09384bae2587ffa312b14aa0f9dae39d7e1767b8c45903e5c323

SHA512
4898ed028b9ae8634245e1f4e17d8c17421a6f9245f16b8f635d8d8d9bc47bc718827833252f053b9b2369c3077422a21dfb7e6752211026bffc1012d79c33c7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\de2794d7-234b-41a8-bb47-48c478696e49.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install.log

Filesize
170KB

MD5
61698f2ba07bda2ba323140f20b28e28

SHA1
d3e46602b6e042abdfb6a8630ccaff23801cd104

SHA256
51c06f89c259219fd364b1a36991964e772e968873496a4d61532d488b2cb8c0

SHA512
eb7f3dc17e49d2c2191fd6eb235e22ef3aa63157f90da42af3e6653e174e129e663b9c1eac8798d770a99ecdad4230754f07c84a96a73d85e6c8ef14aeb1cfeb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install_reg.log

Filesize
4KB

MD5
36cf8d512a14fd2c5263e06775f2da47

SHA1
3e8ae2e7855ac773837272177b985f1705f65667

SHA256
c3d0d9bf10e08fc22138cb4fd1d0fdf59f37cd2e12e3ff779ece43259f861cc9

SHA512
e61afb7cf48065a5ad087dcd9ae7ae2c46552cb68c1bd1bd8f9df51b8f0eb040e6e69423d45b09166d16959e7bd1e247d7dd02552da8ec40d9bc805883e58725

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log

Filesize
347B

MD5
50036860c1dd82790eb0d9f68d76206f

SHA1
0ff3810e51bce258d706d1f1e40a27633e2435bc

SHA256
d33ef93b64410efe81b012c759fa17de9d7fae8afdf1e28a3a83ce7b23beffe9

SHA512
62db57d62ddf1e98d1e4202480bbc46fe08b7b963027d786884225933cfec5de662954430e964340317c6ed9956ed8c096326f54d1899825c413c0c5bf807578

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154019-0.log

Filesize
33KB

MD5
aff320f0dc9b7aac001ee3668507feae

SHA1
2b025accbc652a02e4ae531a53c6a8a899924b94

SHA256
dd57da646cb481dbefb7de79c8d35c489b8c3260fff6b6409e1fe03759275405

SHA512
42c121db2c5e1dd71f4285808d4ca49d37fd850583342ebbeebe519ce45011f622a291532c392cdfa8b2596e95a67ceb274e5667486a7a766d624ebc3bc57df6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154206-0.log

Filesize
34KB

MD5
61b50f7375e49c6e8c4abefc60f78f9f

SHA1
96f0822311881d3b509468c766d1977d9e09ec8d

SHA256
a6936238e06e28a351004671973c690f1f5527ab79375500310c31233c50b845

SHA512
115a1e58aac9b86e925726e815e7a9f546f65b07d3c6d3d03dac3086d0b22d1f821e31d64f9a4e88ff5dd9124a3a66a153f4a5725e4f7503ca0d0bbfa3f54bef

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154335-0.log

Filesize
44KB

MD5
c3cb5f7a109e33179a45a3f9e68e1187

SHA1
df661ad83d46d9b25e5fd4a677889efea6cfeb6e

SHA256
075bf32fabdf9d9a369d4737390b2dce5359d73305663c8e9461323f61ca412d

SHA512
4b49bc2469656bd633410e3f76c394c62d35c699723693378084bf8b80fc43d27d140372c8ea2b0e6fa940616c47c691bc56752e9b8e7d041cdcfe9b075446c8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154528-0.log

Filesize
35KB

MD5
06c4fc51229fc30a33b969d8295abd27

SHA1
ab5a19226acc46e5e0774834651478c6d6446039

SHA256
d16682e48fd2e22362f2c3e6adc51c924af4c5e2332895b24be76f311e0b8ca2

SHA512
7f17d0e44bd37dc4a48cc3a92caac6d382ee4fbb9b5ab85ae4376a44632b027780c0d0f9bfefe7553fd407f917cb241eee5770bd2bd540d562a9f932e8ee3199

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20240708-154725-0.log

Filesize
36KB

MD5
62c0fc23833f54aa48b9579cc47a5fd5

SHA1
549c7233a494717129de01822b78eeecac98d006

SHA256
fa3c447254bcc50b5a3a4e689fae4ba638772e90f589317b38ba3c64cbc8bfc6

SHA512
876c1eadfcaa2e73c0ab071278006c75e59320435384fb4bf0cd70539f8e1ce6eca8e41ae9bdf1025a6abeb065fa128563babcc8e3463d732c7519ba71cd3d8b

Download Submit
memory/2408-0-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2884-46-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2884-39-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2884-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2884-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2884-41-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2884-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2912-166-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2912-2831-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads