remcos | bad948017a4001a3e9a82fd53bfddb4fd9ddeba4a03eae6aa71a48f3eb69eaad

Analysis

max time kernel
152s
max time network
156s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
31-01-2025 16:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cotización.exe
Size

633KB
MD5

a3d33d33f8b10595c252ee8e61a8892c
SHA1

f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
SHA256

fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1
SHA512

5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0
SSDEEP

6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

2.58.56.182:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GM05WY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 2148 set thread context of 1780	2148	Cotización.exe	42
PID 2148 set thread context of 840	2148	Cotización.exe	52
PID 2148 set thread context of 2144	2148	Cotización.exe	62
PID 2148 set thread context of 2248	2148	Cotización.exe	72
PID 2148 set thread context of 2920	2148	Cotización.exe	82
PID 2148 set thread context of 1680	2148	Cotización.exe	92
PID 2148 set thread context of 912	2148	Cotización.exe	102
PID 2148 set thread context of 2412	2148	Cotización.exe	112
PID 2148 set thread context of 1664	2148	Cotización.exe	122
PID 2148 set thread context of 1064	2148	Cotización.exe	132
PID 2148 set thread context of 1612	2148	Cotización.exe	142
PID 2148 set thread context of 2640	2148	Cotización.exe	152
PID 2148 set thread context of 1716	2148	Cotización.exe	162
PID 2148 set thread context of 3596	2148	Cotización.exe	172
PID 2148 set thread context of 2940	2148	Cotización.exe	182
PID 2148 set thread context of 3564	2148	Cotización.exe	192
PID 2148 set thread context of 1052	2148	Cotización.exe	203
PID 2148 set thread context of 3536	2148	Cotización.exe	213
PID 2148 set thread context of 3892	2148	Cotización.exe	223
PID 2148 set thread context of 3248	2148	Cotización.exe	233
PID 2148 set thread context of 2348	2148	Cotización.exe	243
PID 2148 set thread context of 3168	2148	Cotización.exe	253
PID 2148 set thread context of 3496	2148	Cotización.exe	263
PID 2148 set thread context of 4472	2148	Cotización.exe	273
PID 2148 set thread context of 5008	2148	Cotización.exe	283
PID 2148 set thread context of 3928	2148	Cotización.exe	293

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20241010_084504_367.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0838.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\tier0_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI08A0.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20241010_084502_994.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\FXSAPIDebugLogFile.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wmsetup.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0838.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090059-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Admin.bmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI08A0.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI08A0.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ose00000.exe	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937-MSI_netfx_Full_x64.msi.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00000.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0838.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-091105-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_SetupUtility.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090732-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_SetupUtility.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\SetupExe(202410100853024A8).log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Kno30EE.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090430-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-091105-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install_reg.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-091411-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-091411-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0838.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090059-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\RD4671.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Admin.bmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20241010_084502_994.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00001.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\RGI21B4.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00001.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\b57cea75-775c-491d-a857-e9d93995dfc5.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install_reg.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\KnoA0C4.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090430-0.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20241010_084504_367.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vstdlib_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00000.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\9be9d947-0802-4fc8-85f3-7e644d563d98.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090732-0.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\RGI21B4.tmp-tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI08A0.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\FXSAPIDebugLogFile.txt	Cotización.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2148	Cotización.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 2840	2148	Cotización.exe	29
PID 2148 wrote to memory of 2840	2148	Cotización.exe	29
PID 2148 wrote to memory of 2840	2148	Cotización.exe	29
PID 2840 wrote to memory of 2688	2840	cmd.exe	31
PID 2840 wrote to memory of 2688	2840	cmd.exe	31
PID 2840 wrote to memory of 2688	2840	cmd.exe	31
PID 2688 wrote to memory of 2524	2688	cmd.exe	32
PID 2688 wrote to memory of 2524	2688	cmd.exe	32
PID 2688 wrote to memory of 2524	2688	cmd.exe	32
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2956	2148	Cotización.exe	33
PID 2148 wrote to memory of 2768	2148	Cotización.exe	34
PID 2148 wrote to memory of 2768	2148	Cotización.exe	34
PID 2148 wrote to memory of 2768	2148	Cotización.exe	34
PID 2148 wrote to memory of 2768	2148	Cotización.exe	34
PID 2148 wrote to memory of 2704	2148	Cotización.exe	35
PID 2148 wrote to memory of 2704	2148	Cotización.exe	35
PID 2148 wrote to memory of 2704	2148	Cotización.exe	35
PID 2148 wrote to memory of 2704	2148	Cotización.exe	35
PID 2148 wrote to memory of 2708	2148	Cotización.exe	36
PID 2148 wrote to memory of 2708	2148	Cotización.exe	36
PID 2148 wrote to memory of 2708	2148	Cotización.exe	36
PID 2148 wrote to memory of 2708	2148	Cotización.exe	36
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2720	2148	Cotización.exe	37
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2864	2148	Cotización.exe	38
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2724	2148	Cotización.exe	39
PID 2148 wrote to memory of 2100	2148	Cotización.exe	40
PID 2148 wrote to memory of 2100	2148	Cotización.exe	40
PID 2148 wrote to memory of 2100	2148	Cotización.exe	40
PID 2148 wrote to memory of 2100	2148	Cotización.exe	40
PID 2148 wrote to memory of 2100	2148	Cotización.exe	40

C:\Users\Admin\AppData\Local\Temp\Cotización.exe
"C:\Users\Admin\AppData\Local\Temp\Cotización.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Windows\system32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2840
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2720
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2864
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2724
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2100
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2660
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1780
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:956
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1140
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2476
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2116
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2488
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:976
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:764
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:548
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:840
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2416
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1988
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2644
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1668
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1972
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3056
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2760
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2816
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2848
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2796
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2732
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2132
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1876
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3036
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:760
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2500
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2092
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1424
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1964
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:872
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1948
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2516
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2292
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3040
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:948
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2688
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2616
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2628
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:2740
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:828
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2032
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:912
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2632
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2904
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1456
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3024
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1600
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2508
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:668
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2368
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2000
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1968
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:336
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1512
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1236
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2040
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2820
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:776
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2480
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1532
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:688
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:276
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1684
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2264
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2788
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:692
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1228
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2948
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1744
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2012
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2856
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:1432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2776
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1292
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2188
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2792
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2900
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2640
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2980
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2960
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:1560
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:1592
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:964
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2876
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1492
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3236
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3300
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3316
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3372
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3484
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3540
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3596
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3772
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3828
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3836
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3900
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3956
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4012
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4068
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1656
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2940
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3252
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3268
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3276
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3120
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3328
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3440
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3760
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3768
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3948
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:856
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3864
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3972
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:1944
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:1052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3412
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3456
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3160
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3132
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3384
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:2060
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3536
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4032
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3984
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:704
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:2392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1720
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3204
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3892
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3700
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3724
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3740
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3512
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3896
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4076
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3248
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3572
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3824
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3388
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2836
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3936
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:1608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:2028
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3452
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:2348
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1672
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3224
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2800
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2320
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3524
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:836
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3156
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3348
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3220
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3556
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2844
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:2608
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3004
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3612
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:1048
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:3664
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4112
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4168
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4176
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4184
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:4192
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:4248
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4304
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4360
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4416
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:4472
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4648
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4704
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4712
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:4720
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:4728
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:4784
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:4840
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:4896
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:4952
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:5008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3920
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:3340
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:3932
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe"
  2⤵
  PID:3592
- C:\Windows\System32\calc.exe
  "C:\Windows\System32\calc.exe"
  2⤵
  PID:3092
- C:\Windows\System32\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  PID:3528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe"
  2⤵
  PID:3080
- C:\Windows\System32\notepad.exe
  "C:\Windows\System32\notepad.exe"
  2⤵
  PID:940
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe"
  2⤵
  PID:3928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\9be9d947-0802-4fc8-85f3-7e644d563d98.tmp

Filesize
242KB

MD5
541f52e24fe1ef9f8e12377a6ccae0c0

SHA1
189898bb2dcae7d5a6057bc2d98b8b450afaebb6

SHA256
81e3a4d43a73699e1b7781723f56b8717175c536685c5450122b30789464ad82

SHA512
d779d78a15c5efca51ebd6b96a7ccb6d718741bdf7d9a37f53b2eb4b98aa1a78bc4cfa57d6e763aab97276c8f9088940ac0476690d4d46023ff4bf52f3326c88

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00000.log

Filesize
4KB

MD5
6e05438064de091a87fff964c7780ff4

SHA1
1971350c77ab4c4c08d0b268da85577023790828

SHA256
3f0437822b01ccfd1842412e0e5e56c8899144ff5dc0789c306cdc9de8ca55de

SHA512
64c1d42f0a45da3f65e55f9a6d8bfa2a14ab5e35ba3ce7c6999d56be0b3f9d8a02b085a108f0f1124464115b07a3b7388a89c775d31eb87fd32dcfbdca2d9806

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\ASPNETSetup_00001.log

Filesize
2KB

MD5
8de85ef6a851e982b0d4c3f3945b53fb

SHA1
e53f646605f943051a35197cb7de0ed9de3a0184

SHA256
500ea7cb12caa2b1ca71d7676ea5165b4ceed788fb41213556683d59927a2a8d

SHA512
0d9906f8b7de954536342c97fe5be1e498f63784633ad8183bd1644ecd77b2bdd155d8be80359b6b87db71f74f7b3748a2e87ed8a29bd3937c7d280949443e83

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Admin.bmp

Filesize
48KB

MD5
343fa15c150a516b20cc9f787cfd530e

SHA1
369e8ac39d762e531d961c58b8c5dc84d19ba989

SHA256
d632e9dbacdcd8f6b86ba011ed6b23f961d104869654caa764216ea57a916524

SHA512
7726bd196cfee176f3d2002e30d353f991ffeafda90bac23d0b44c84c104aa263b0c78f390dd85833635667a3ca3863d2e8cd806dad5751f7984b2d34cafdc57

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe

Filesize
633KB

MD5
a3d33d33f8b10595c252ee8e61a8892c

SHA1
f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

SHA256
fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

SHA512
5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log

Filesize
4KB

MD5
612a650d1c773ee52d62546e66ff5918

SHA1
a7479722bea44f8719b651ba69aa337d60da4290

SHA256
9e0774deea09130ce23833cc3f0118e8dd06750e3570a230b199c87cdf354c00

SHA512
5882a9d5340d0197c660d0774f22a82f03a0fc73d14476c47d3ab86dfea8f80850bfb8af7a9433b120f4728da4889083086666145b3e2390966e6816ad981483

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937-MSI_netfx_Full_x64.msi.txt

Filesize
12.7MB

MD5
f6c7369f6b3e125b554df676138c3285

SHA1
d00f902d044356fcc332cd1686ea723db6f51182

SHA256
6e873225b1fd643ee65f0d84e922fd3cb3378b9b2b4c29d78aef3821f5f0d556

SHA512
c6aec37f93b7dbc0ececc2f9a49bf6d20b77427a4ed870203488ce617ae3b177f90695570f0e17ef046c588e6f5ca6aeb9eee7349f2b181f0be35184b78ac549

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241010_084439937.html

Filesize
1.1MB

MD5
f6c53bb91f2cc5c1c99909f7eb310eaa

SHA1
3975b76a71932b499371bf29c61df9f6768488b5

SHA256
81deb244ff7437f5971c813db00dfeb60046c10a10dc8477c5770e6b3148371e

SHA512
0081f34970481870acfa4061dc04294e3107c793c6d78d047ea74c1364e8fe5d288665a0a1c1b67acef1cd783c265c6b391a157b57b0de1d103dcbb8a3e975a9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\b57cea75-775c-491d-a857-e9d93995dfc5.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log

Filesize
4KB

MD5
68e497a5bd0d159edb0bcc383313b95e

SHA1
ead7b92dd830b03de185799b889a327ce4c702c7

SHA256
9699f5a873ba48c2f6a3a598ebb0b612cffff8538fedfec2e688dac3023e5e66

SHA512
2d200e2647cb3de6c25b643d5df1257933cefb55208d6cd1b1c46176cbd476f491ba05661f7a46aa85c28cad42851a3949c283cf89ebd0bc7fe85b63c514b519

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
4de73bbec8133d8c8059471bd3de61a5

SHA1
ee510dbd2df9cf887b02ded284beb0e9f0bae398

SHA256
4ea6f91597f0b064229c07edf81294871187fa81382c7074460530013dc4e183

SHA512
888f23acacfea7c31ab707925664e0f8efc96cb26b8b6b076ca9b2753bfcef39c2875029549e2cb78a6a0049b5f37c03c0aeadf19ef26fe75ef7cca44507572b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_SetupUtility.txt

Filesize
2KB

MD5
2edb668854551a417ad3bb1f7480646d

SHA1
dbc699322ff7c0420a0fc98c8c27098c07e08a6b

SHA256
e787f859608919b6a3b82c91ba04a06ef04e4c3fc8b95e6f2b8a4ed1cc3029ff

SHA512
479d23e6d17610ee1ec37f6dc565f0923567fdadf38217def1388b9a37139ce0fed343399457590b0827a9fd1fce8eb7e86db9a2a1cdbb2e0fcebd666272c029

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI0838.txt

Filesize
422KB

MD5
4a6978e05e68764a3c0f26cfe6892d53

SHA1
cd32e8d89876a3be9612288ba718ebe9ba9e08df

SHA256
98a4f847a4d138c6562377dab7355ecae330966525a962c45b0caab5a3a1dc14

SHA512
d46301d6f81747a142754ee3975df4e4af1dff12147b810bb4b655453a8306bced83f0a293dd425bf014a8c199742ad3e74d6a5267ac12ef90fb1098561d0d92

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI08A0.txt

Filesize
412KB

MD5
dad31cf11a82dc118d2b1c741ae9b08b

SHA1
83aa710780689f89d06dac0b3856c87220a3f49f

SHA256
26059b64a008b3182dad118801a2fe4f33ff4dd037cf26246ce26b653844d9d3

SHA512
d5ba8747bf06b179379a1328271929255b6bc29ab0c8545f04aef9d79a672b2a0c064f0622cab7d29ea638943a1546868c21f2f88b077996de156db23b4587b9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI0838.txt

Filesize
11KB

MD5
8d5d4ec9d6b1edfaf935814bfc666e24

SHA1
0352a86e02442de2e3aa0df23c662608fc2513f5

SHA256
ce6594b47db17ae50dac061fd5fdf562c5278091552844cff8c57bddd708dee3

SHA512
e232eddf9c335ec6d54010a4ae68770fa65202c8b3027f5af9f9213d9337c43645283ab4a4e9aac75f1ff8709cf8f935e24b339ffc4d0f612b9cc648e709c677

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI08A0.txt

Filesize
11KB

MD5
fef6d8805fc43128e69035b509f64188

SHA1
8c09919b24ddac1da15a35007a9702727070dac4

SHA256
11999b1cfa419d0cbf2c7fbfa11c6f944b1fdc292f0d64afacf1e6b26e1aed53

SHA512
c6dc6518bd01b03f427573223612726593a19f2bed918646497f5d14947a08b2151310d021b49524c28604d14e30627cb85b976a0c66db844a6ce36cd5db0a78

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20241010_084502_994.txt

Filesize
7KB

MD5
c4921f63df82784a877ce74c8efe94a4

SHA1
7dfd99facf3f91789437c990ff9b8b6e28e35012

SHA256
9360e52b1f64572da272963843955dbf238db376ee653fbb8a2703e32dd7cfe4

SHA512
0a1fcd32759af5bf29681f32cb0d7725dfe0f3a018127d33f63791736437aa8c60afab8c98cb5a6a38e5e575bad2d2fdef54fbb68a2a0665f332ca2a3e589453

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_wcf_CA_smci_20241010_084504_367.txt

Filesize
2KB

MD5
d71bf416c5eb4cb9b4d5ae882939433a

SHA1
b033e6d4f81a99a7f04350b5838e1b0e84823ab2

SHA256
f1cf62925121feec4af001846141499f35decd4a3d031a42db0b3f762d9a140a

SHA512
a64f614963c34f2a0cc588f248778b210a77907eded37e83cc0c62096ee30d516ce4cafc4c0024931dd238c40044f23854b046f50e16fdc20303cad46ac76bce

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install.log

Filesize
170KB

MD5
61698f2ba07bda2ba323140f20b28e28

SHA1
d3e46602b6e042abdfb6a8630ccaff23801cd104

SHA256
51c06f89c259219fd364b1a36991964e772e968873496a4d61532d488b2cb8c0

SHA512
eb7f3dc17e49d2c2191fd6eb235e22ef3aa63157f90da42af3e6653e174e129e663b9c1eac8798d770a99ecdad4230754f07c84a96a73d85e6c8ef14aeb1cfeb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\java_install_reg.log

Filesize
4KB

MD5
36cf8d512a14fd2c5263e06775f2da47

SHA1
3e8ae2e7855ac773837272177b985f1705f65667

SHA256
c3d0d9bf10e08fc22138cb4fd1d0fdf59f37cd2e12e3ff779ece43259f861cc9

SHA512
e61afb7cf48065a5ad087dcd9ae7ae2c46552cb68c1bd1bd8f9df51b8f0eb040e6e69423d45b09166d16959e7bd1e247d7dd02552da8ec40d9bc805883e58725

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log

Filesize
347B

MD5
da257a2fce439915a7af7b5118fa75be

SHA1
51dbb8488010cac21f1eff9c40de7596c0871ffa

SHA256
5d18f2975e09ea3d46f4155722582219505452efd0e6051f9042b488110fa1c3

SHA512
bbdab0c80d0a34c51ed3bab24310f5028a76f68907f978972a10f23e76ebe0768eadc5169a94e854c2fca307af6fb13c1c793492ef8f57e052910ba65c6d8219

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090059-0.log

Filesize
33KB

MD5
26d6e5c9779d8a3bc29014c0ec3eaa60

SHA1
871374759fc741b92adb134c83f06c7edb0285b7

SHA256
6a4cc4afa659eecef3af065b326c0e409b2ad2e1aa82ca8ec46e0a2421f22cde

SHA512
909bcffcde25f684c09870db8688cff2af3c9f8a18548d8a42840cd63e4bbd7e1f0b3283de54484878c6be539e61bac4bae1d334201d65fa061d30992788587c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090430-0.log

Filesize
34KB

MD5
ceb7d25631e0661ededdf436bac98cee

SHA1
7183345d41e56a2bbd3d88a012233a922bdc0545

SHA256
8bebd10d29077b4fbd04bd14ab8e0464c412d0dc7a4ec8b31568c4e26cae863f

SHA512
ef2d1c48b1b54a5c799cf457f8818c3f7e10a213b730841a1f827924070c6288742d2ac8d833c6432bb4d28eaf706c774364a50cb539c7ccd787420cdd7c6292

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-090732-0.log

Filesize
44KB

MD5
e6cd42dcca7f52f192340f4c10a60768

SHA1
ca4115a3e50cdcb4e28eede00a1a3b5b3d0adc58

SHA256
936569ae95110fbd53f39653c884765af7804c2e4b6628bc7ee98f6c7c57c675

SHA512
065e8dfe698b344d9b64e91f3c85c4aa426d72abc9a005020b04d743155d1456fd5926093dd1673bd8c111328ce0de455e5818ac163d7267ca24b53a4bbebb0f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-091105-0.log

Filesize
35KB

MD5
94d0775f1ab65060299a943d36a7315c

SHA1
a4dc1d2c97467a9d49e40590f7b3d604aad74f7b

SHA256
85f92ee8d4d168d1cb1292a093ae995b5a587148486b76126cef920423af4418

SHA512
6e55ae8cb1b3182ee1d3a151cf000e701f6a5b07a1699918300f54f7c88d94d9fa4b619c35156be6bb240fff5d98b9f34dcdab34c1d3dc7a986978bc5e81175d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\lpksetup-20241010-091411-0.log

Filesize
36KB

MD5
1dbb534e718121dfabcb1e7768623ab8

SHA1
ccfead21251e59841415dccf3ca342cd7a25203a

SHA256
f979ab763c381817254ea6f30ede73427436ce0650d496476d1ca72bb09f223e

SHA512
3c203f34fb48e1073a1ab20855215c3a45dfee695b2d86a40932d1eeb52d28bbab65680386d8fd6bc149fd468e04732f03dbb6c4c2eff814c7f69185099a8d38

Download Submit
memory/840-214-0x0000000000401000-0x0000000000458000-memory.dmp

Filesize
348KB

Download
memory/1780-2476-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1780-142-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2148-0-0x0000000000200000-0x0000000000210000-memory.dmp

Filesize
64KB

Download
memory/2956-39-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2956-37-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2956-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2956-43-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2956-42-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2956-41-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads