ID: 111943 Sample Name: Silverlight_x64.exe Cookbook: default.jbs Time: 14:43:52 Date: 21/02/2019 Version: 25.0.0 Tiger's Eye Table of Contents
Table of Contents 2 Analysis Report Silverlight_x64.exe 5 Overview 5 General Information 5 Detection 5 Confidence 6 Classification 6 Analysis Advice 7 Mitre Att&ck Matrix 7 Signature Overview 8 Cryptography: 8 Spreading: 8 Software Vulnerabilities: 8 Networking: 8 Key, Mouse, Clipboard, Microphone and Screen Capturing: 8 System Summary: 8 Data Obfuscation: 9 Persistence and Installation Behavior: 9 Hooking and other Techniques for Hiding and Protection: 9 Malware Analysis System Evasion: 9 Anti Debugging: 10 HIPS / PFW / Operating System Protection Evasion: 10 Language, Device and Operating System Detection: 10 Behavior Graph 10 Simulations 11 Behavior and APIs 11 Antivirus Detection 11 Initial Sample 11 Dropped Files 11 Unpacked PE Files 12 Domains 12 URLs 12 Yara Overview 12 Initial Sample 12 PCAP (Network Traffic) 12 Dropped Files 12 Memory Dumps 12 Unpacked PEs 12 Joe Sandbox View / Context 12 IPs 12 Domains 12 ASN 12 JA3 Fingerprints 12 Dropped Files 12 Screenshots 13 Thumbnails 13 Startup 13 Created / dropped Files 14 Domains and IPs 19 Contacted Domains 19 URLs from Memory and Binaries 19 Contacted IPs 22 Static File Info 22 General 22 File Icon 22 Static PE Info 22 General 22 Authenticode Signature 22 Entrypoint Preview 23
Copyright Joe Security LLC 2019 Page 2 of 74 Data Directories 24 Sections 24 Resources 24 Imports 25 Version Infos 25 Possible Origin 25 Network Behavior 25 TCP Packets 25 UDP Packets 26 DNS Queries 26 DNS Answers 26 Code Manipulations 26 Statistics 26 Behavior 26 System Behavior 27 Analysis Process: Silverlight_x64.exe PID: 2952 Parent PID: 4924 27 General 27 File Activities 27 File Created 27 File Written 28 File Read 31 Analysis Process: install.exe PID: 4188 Parent PID: 2952 31 General 31 File Activities 32 File Created 32 File Deleted 32 File Written 32 File Read 39 Registry Activities 40 Key Created 40 Analysis Process: microsoft_defaults.exe PID: 776 Parent PID: 4188 40 General 40 File Activities 40 File Created 40 File Written 41 Analysis Process: MSI12C0.tmp PID: 2680 Parent PID: 4960 43 General 43 Analysis Process: MSI13CA.tmp PID: 2216 Parent PID: 4960 43 General 43 Analysis Process: msiexec.exe PID: 4732 Parent PID: 4960 44 General 44 Registry Activities 44 Analysis Process: msiexec.exe PID: 4676 Parent PID: 4960 44 General 44 File Activities 44 Registry Activities 44 Analysis Process: rundll32.exe PID: 1920 Parent PID: 4188 44 General 44 File Activities 45 File Read 45 Analysis Process: rundll32.exe PID: 1488 Parent PID: 1920 45 General 45 Registry Activities 45 Analysis Process: rundll32.exe PID: 2244 Parent PID: 4188 45 General 45 File Activities 46 File Read 46 Analysis Process: rundll32.exe PID: 5108 Parent PID: 2244 46 General 46 Analysis Process: coregen.exe PID: 3896 Parent PID: 4188 46 General 46 File Activities 46 File Created 46 File Written 46 Analysis Process: conhost.exe PID: 2728 Parent PID: 3896 67 General 67 Analysis Process: Silverlight.Configuration.exe PID: 3492 Parent PID: 4188 68 General 68 Analysis Process: coregen.exe PID: 5020 Parent PID: 4188 68 General 68 Analysis Process: conhost.exe PID: 3508 Parent PID: 5020 68 Copyright Joe Security LLC 2019 Page 3 of 74 General 68 Analysis Process: coregen.exe PID: 4176 Parent PID: 4188 68 General 68 Analysis Process: conhost.exe PID: 4412 Parent PID: 4176 69 General 69 Analysis Process: coregen.exe PID: 4316 Parent PID: 4188 69 General 69 Analysis Process: conhost.exe PID: 4736 Parent PID: 4316 69 General 69 Analysis Process: coregen.exe PID: 3984 Parent PID: 4188 69 General 70 Analysis Process: conhost.exe PID: 5048 Parent PID: 3984 70 General 70 Analysis Process: coregen.exe PID: 1688 Parent PID: 4188 70 General 70 Analysis Process: conhost.exe PID: 1504 Parent PID: 1688 70 General 70 Analysis Process: coregen.exe PID: 2536 Parent PID: 4188 71 General 71 Analysis Process: conhost.exe PID: 4676 Parent PID: 2536 71 General 71 Analysis Process: coregen.exe PID: 4996 Parent PID: 4188 71 General 71 Analysis Process: conhost.exe PID: 4512 Parent PID: 4996 72 General 72 Analysis Process: coregen.exe PID: 5112 Parent PID: 4188 72 General 72 Analysis Process: conhost.exe PID: 4644 Parent PID: 5112 72 General 72 Analysis Process: coregen.exe PID: 2252 Parent PID: 4188 72 General 72 Analysis Process: conhost.exe PID: 1924 Parent PID: 2252 73 General 73 Analysis Process: coregen.exe PID: 4696 Parent PID: 4188 73 General 73 Analysis Process: conhost.exe PID: 4804 Parent PID: 4696 73 General 73 Analysis Process: coregen.exe PID: 4916 Parent PID: 4188 73 General 74 Disassembly 74 Code Analysis 74
Copyright Joe Security LLC 2019 Page 4 of 74 Analysis Report Silverlight_x64.exe
Overview
General Information
Joe Sandbox Version: 25.0.0 Tiger's Eye Analysis ID: 111943 Start date: 21.02.2019 Start time: 14:43:52 Joe Sandbox Product: CloudBasic Overall analysis duration: 0h 11m 57s Hypervisor based Inspection enabled: false Report type: light Sample file name: Silverlight_x64.exe Cookbook file name: default.jbs Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113 Number of analysed new started processes analysed: 41 Number of new started drivers analysed: 0 Number of existing processes analysed: 0 Number of existing drivers analysed: 0 Number of injected processes analysed: 0 Technologies HCA enabled EGA enabled HDC enabled Analysis stop reason: Timeout Detection: SUS Classification: sus24.evad.winEXE@60/36@1/0 EGA Information: Successful, ratio: 100% HDC Information: Successful, ratio: 86.1% (good quality ratio 73.1%) Quality average: 67.3% Quality standard deviation: 35.6% HCA Information: Successful, ratio: 99% Number of executed functions: 0 Number of non-executed functions: 0 Cookbook Comments: Adjust boot time Found application associated with file extension: .exe Warnings: Show All Exclude process from analysis (whitelisted): dllhost.exe, wermgr.exe, conhost.exe, CompatTelRunner.exe, svchost.exe Report size exceeded maximum capacity and may have missing behavior information. Report size exceeded maximum capacity and may have missing disassembly code. Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenKeyEx calls found. Report size getting too big, too many NtProtectVirtualMemory calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtReadVirtualMemory calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe, coregen.exe
Detection
Copyright Joe Security LLC 2019 Page 5 of 74 Strategy Score Range Reporting Whitelisted Detection
Threshold 24 0 - 100 Report FP / FN false
Confidence
Strategy Score Range Further Analysis Required? Confidence
Threshold 2 0 - 5 true
Classification
Copyright Joe Security LLC 2019 Page 6 of 74 Ransomware
Miner Spreading
mmaallliiiccciiioouusss
malicious
Evader Phishing
sssuusssppiiiccciiioouusss
suspicious
cccllleeaann
clean
Exploiter Banker
Spyware Trojan / Bot
Adware
Analysis Advice
Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox
Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")
Sample tries to load a library which is not present or installed on the analysis machine, adding the library might reveal more behavior
Mitre Att&ck Matrix
Privilege Defense Credential Lateral Command and Initial Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Valid Accounts Windows Winlogon Process Disabling Input Process Application Input Capture 1 Data Standard Remote Helper DLL Injection 1 1 Security Capture 1 Discovery 1 Deployment Compressed Cryptographic Management Tools 1 Software Protocol 2 Replication Service Port Monitors Accessibility Process Network Security Remote Data from Exfiltration Over Standard Non- Through Execution Features Injection 1 1 Sniffing Software Services Removable Other Network Application Removable Discovery 5 Media Medium Layer Media Protocol 1
Copyright Joe Security LLC 2019 Page 7 of 74 Privilege Defense Credential Lateral Command and Initial Access Execution Persistence Escalation Evasion Access Discovery Movement Collection Exfiltration Control Drive-by Windows Accessibility Path Obfuscated Input System Windows Data from Automated Standard Compromise Management Features Interception Files or Capture Information Remote Network Shared Exfiltration Application Instrumentation Information 2 Discovery 2 3 Management Drive Layer Protocol 1 Exploit Public- Scheduled Task System DLL Search Obfuscated Credentials Remote System Logon Scripts Input Capture Data Encrypted Multiband Facing Firmware Order Hijacking Files or in Files Discovery 1 Communication Application Information
Signature Overview
• Cryptography • Spreading • Software Vulnerabilities • Networking • Key, Mouse, Clipboard, Microphone and Screen Capturing • System Summary • Data Obfuscation • Persistence and Installation Behavior • Hooking and other Techniques for Hiding and Protection • Malware Analysis System Evasion • Anti Debugging • HIPS / PFW / Operating System Protection Evasion • Language, Device and Operating System Detection
Click to jump to signature section
Cryptography:
Uses Microsoft's Enhanced Cryptographic Provider
Spreading:
Contains functionality to enumerate / list files inside a directory
Software Vulnerabilities:
Found inlined nop instructions (likely shell or obfuscated code)
Networking:
Contains functionality to download additional files from the internet
Performs DNS lookups
Urls found in memory or binary data
Key, Mouse, Clipboard, Microphone and Screen Capturing:
Creates a DirectInput object (often for capturing keystrokes)
System Summary:
Malicious sample detected (through custom Yara rule)
Contains functionality to call native functions
Contains functionality to communicate with device drivers
Contains functionality to shutdown / reboot the system
Creates mutexes
Detected potential crypto function
Copyright Joe Security LLC 2019 Page 8 of 74 Found potential string decryption / allocating functions
PE file contains executable resources (Code or Archives)
PE file contains strange resources
PE file does not import any functions
Reads the hosts file
Sample file is different than original file name gathered from version info
Sample reads its own file content
Tries to load missing DLLs
PE file has section (not .text) which is very likely to contain packed code (zlib compression ratio < 0.011)
Classification label
Contains functionality to check free disk space
Contains functionality to instantiate COM classes
Contains functionality to load and extract PE file embedded resources
Creates files inside the program directory
Creates files inside the user directory
Creates temporary files
Might use command line arguments
PE file has an executable .text section and no other executable section
Parts of this applications are using the .NET runtime (Probably coded in C#)
Reads ini files
Reads software policies
Runs a DLL by calling functions
Sample might require command line arguments (.Net)
Spawns processes
Uses an in-process (OLE) Automation server
Found GUI installer (many successful clicks)
Found graphical window changes (likely an installer)
Found installer window with terms and condition text
Uses Microsoft Silverlight
Submission file is bigger than most known malware samples
PE file has a big raw section
PE file contains a debug data directory
Binary contains paths to debug symbols
Data Obfuscation:
Contains functionality to dynamically determine API calls
PE file contains an invalid checksum
Uses code obfuscation techniques (call, push, ret)
Persistence and Installation Behavior:
Drops PE files
Hooking and other Techniques for Hiding and Protection:
Extensive use of GetProcAddress (often used to hide API calls)
Disables application error messsages (SetErrorMode)
Malware Analysis System Evasion:
Found dropped PE file which has not been started or loaded
Found evasive API chain (date check)
Found evasive API chain (may stop execution after checking a module file name)
Found evasive API chain checking for process token information
Copyright Joe Security LLC 2019 Page 9 of 74 Found large amount of non-executed APIs
Sample execution stops while process was sleeping (likely an evasion)
Contains functionality to enumerate / list files inside a directory
Contains functionality to query system information
Program exit points
Queries a list of all running processes
Anti Debugging:
Checks for debuggers (devices)
Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to check if a debugger is running (OutputDebugString,GetLastError)
Contains functionality to dynamically determine API calls
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Contains functionality to register its own exception handler
Creates guard pages, often used to prevent reverse engineering and debugging
HIPS / PFW / Operating System Protection Evasion:
Contains functionality to launch a program with higher privileges
Creates a process in suspended mode (likely to inject code)
Contains functionality to add an ACL to a security descriptor
Contains functionality to create a new security descriptor
May try to detect the Windows Explorer process (often used for injection)
Language, Device and Operating System Detection:
Contains functionality locales information (e.g. system language)
Contains functionality to query CPU information (cpuid)
Contains functionality to query local / system time
Contains functionality to query windows version
Queries the cryptographic machine GUID
Behavior Graph
Copyright Joe Security LLC 2019 Page 10 of 74 Hide Legend Legend: Process Signature Behavior Graph ID: 111943 Created File Sample: Silverlight_x64.exe Startdate: 21/02/2019 Architecture: WINDOWS DNS/IP Info Score: 24 Is Dropped
Malicious sample detected Is Windows Process (through custom Yara started started started rule) Number of created Registry Values
Silverlight_x64.exe msiexec.exe msiexec.exe Number of created Files
2 other processes Visual Basic 9 13 1 12
dropped dropped dropped Delphi
C:\...\microsoft_defaults.exe, PE32 C:\09ede400f8bb800a059f\install.res.dll, PE32+ C:\09ede400f8bb800a059f\install.exe, PE32+ started Java
.Net C# or VB.NET
install.exe C, C++ or other language
7 Is malicious
started started started
microsoft_defaults.exe coregen.exe rundll32.exe
13 other processes
14 2
g.msn.com 2-01-4ca6-0004.cdx.cedexis.net dropped dropped
started started started started started
C:\Users\user\AppData\...\DefaultPack[1].EXE, PE32 C:\Users\CRAIGH~1\AppData\...\DefaultPack.EXE, PE32
conhost.exe rundll32.exe rundll32.exe conhost.exe conhost.exe
8 other processes
Simulations
Behavior and APIs
No simulations
Antivirus Detection
Initial Sample
Source Detection Scanner Label Link Silverlight_x64.exe 0% virustotal Browse Silverlight_x64.exe 0% metadefender Browse
Dropped Files
Source Detection Scanner Label Link C:\09ede400f8bb800a059f\install.exe 0% virustotal Browse C:\09ede400f8bb800a059f\install.exe 0% metadefender Browse C:\09ede400f8bb800a059f\install.res.dll 0% virustotal Browse C:\09ede400f8bb800a059f\microsoft_defaults.exe 0% virustotal Browse C:\09ede400f8bb800a059f\microsoft_defaults.exe 0% metadefender Browse C:\Users\CRAIGH~1\AppData\Local\Temp\DefaultPack.EXE 0% virustotal Browse C:\Users\CRAIGH~1\AppData\Local\Temp\DefaultPack.EXE 0% metadefender Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\DefaultPack[1].EXE 0% virustotal Browse C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\DefaultPack[1].EXE 0% metadefender Browse
Copyright Joe Security LLC 2019 Page 11 of 74 Unpacked PE Files
No Antivirus matches
Domains
No Antivirus matches
URLs
Source Detection Scanner Label Link Download schemas.datacontract.org/2004/07/3DcTypeNotFoundOnSerialize 0% Avira URL Cloud safe Download File
Yara Overview
Initial Sample
No yara matches
PCAP (Network Traffic)
No yara matches
Dropped Files
Source Rule Description Author C:\09ede400f8bb800a059f\Silverlight.msp JoeSecurity_HiddenMacro Hidden Macro 4.0 in Excel Joe Security
Memory Dumps
No yara matches
Unpacked PEs
No yara matches
Joe Sandbox View / Context
IPs
No context
Domains
No context
ASN
No context
JA3 Fingerprints
No context
Dropped Files
No context
Copyright Joe Security LLC 2019 Page 12 of 74 Screenshots
Thumbnails This section contains all screenshots as thumbnails, including those not shown in the slideshow.
Startup
Copyright Joe Security LLC 2019 Page 13 of 74 System is w10x64 Silverlight_x64.exe (PID: 2952 cmdline: 'C:\Users\user\Desktop\Silverlight_x64.exe' MD5: 0FCD0FE64F56C7DA148AA5908EA22941) install.exe (PID: 4188 cmdline: c:\09ede400f8bb800a059f\install.exe MD5: D7407373D135FAFE0878A72C62387DD2) microsoft_defaults.exe (PID: 776 cmdline: 'C:\09ede400f8bb800a059f\microsoft_defaults.exe' dhp=true dsp=true MD5: 64CADAEF6DCF7B6A6171FC1A2BEE94A1) rundll32.exe (PID: 1920 cmdline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll',DllRegisterServer MD5: 73C519F050C20580F8A62C849D49215A) rundll32.exe (PID: 1488 cmdline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll',DllRegisterServer MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) rundll32.exe (PID: 2244 cmdline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\SLMSPRBootstrap.dll',SetupPlayReadyData MD5: 73C519F050C20580F8A62C849D49215A) rundll32.exe (PID: 5108 cmdline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\SLMSPRBootstrap.dll',SetupP layReadyData MD5: D7CA562B0DB4F4DD0F03A89A1FDAD63D) coregen.exe (PID: 3896 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' mscorlib.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 2728 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) Silverlight.Configuration.exe (PID: 3492 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\silverlight.configuration.exe' -enableMU MD5: 17E40315660830AA625483BBF608730C) coregen.exe (PID: 5020 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 3508 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 4176 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Core.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 4412 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 4316 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Net.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 4736 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 3984 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Xml.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 5048 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 1688 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Runtime.Serialization.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 1504 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 2536 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.ServiceModel.Web.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 4676 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 4996 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' Microsoft.Xna.Framework.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 5112 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' Microsoft.Xna.Framework.Graphics.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 4644 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 2252 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' Microsoft.Xna.Framework.Graphics.Shaders.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 1924 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 4696 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Windows.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) conhost.exe (PID: 4804 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496) coregen.exe (PID: 4916 cmdline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Windows.Xna.dll MD5: 3BF709AEDF5042C39515756FB72E9EC0) MSI12C0.tmp (PID: 2680 cmdline: 'C:\Windows\Installer\MSI12C0.tmp' flat MD5: 015F2D65BE1227973565EB9E3E9C631A) MSI13CA.tmp (PID: 2216 cmdline: 'C:\Windows\Installer\MSI13CA.tmp' flat MD5: 83A225172AB7A2C7B2EE85304B325F14) msiexec.exe (PID: 4732 cmdline: c:\Windows\syswow64\MsiExec.exe -Embedding 44EF0F538450CA53E70E028FDCED11E2 MD5: 12C17B5A5C2A7B97342C362CA467E9A2) msiexec.exe (PID: 4676 cmdline: c:\Windows\System32\MsiExec.exe -Embedding 6F57004EB12112F1439D8D2BA0D6DD78 MD5: 4767B71A318E201188A0D0A420C8B608) cleanup
Created / dropped Files
C:\09ede400f8bb800a059f\$shtdwn$.req Process: C:\Users\user\Desktop\Silverlight_x64.exe File Type: data Size (bytes): 788 Entropy (8bit): 0.09823380614560741 Encrypted: false MD5: DF7119A5D3CAEDA80BF0FB6F8E53DE8F SHA1: 76458E1D2E0FA4519FACB71A5F23F8799713BE2B SHA-256: 3C418A401CBE09F64EDE6E598C5CA36717830446147C8EF6327168EDC7B1CB0C SHA-512: 85142D1942111783303FA060348BC76B1DD361336DCCC9DC9CDD3432EC6CF215756CBA66A367E560C9D5719BA4F 585434319A66D9A97D9A09F5AC4A752B00B6C Malicious: false
C:\09ede400f8bb800a059f\Silverlight.msp Process: C:\09ede400f8bb800a059f\install.exe File Type: 151126039 Size (bytes): 53014528 Entropy (8bit): 6.525338457460767 Encrypted: false MD5: D14EF348F6F7D34B404C697B1A7DBA7B
Copyright Joe Security LLC 2019 Page 14 of 74 C:\09ede400f8bb800a059f\Silverlight.msp SHA1: 40C2055B13BAC8F61BD06DF5F7E73AF389624B4C SHA-256: F64A8D29D5A96341DEF30CB73262931666DAC3D757238B2D4EEBB789B2A7B29E SHA-512: E09DCD19F0F78E1A95CE70B9F57E0FB8B5A26831CEF7A48DFD221BE773F159AC61483252A9F720262F84FB911C 839FA7EC86E81C2CD46083D57A160C97BFFC3D Malicious: false Yara Hits: Rule: JoeSecurity_HiddenMacro, Description: Hidden Macro 4.0 in Excel, Source: C:\09ede400f8bb800a059f\Silverlight.msp, Author: Joe Security
C:\09ede400f8bb800a059f\install.exe
Process: C:\Users\user\Desktop\Silverlight_x64.exe File Type: PE32+ executable (GUI) x86-64, for MS Windows Size (bytes): 289472 Entropy (8bit): 6.171604627210657 Encrypted: false MD5: D7407373D135FAFE0878A72C62387DD2 SHA1: FB9159DB25CABD73876E17C2E74BF26629E1232E SHA-256: 68F3BFEA4F1510D690699CCD97618E73097EC5AA672428D960244DCA6544D2BA SHA-512: 5CABDF03A7C21BC4F34E10FBFCFFB22250CEC99DC63805038128F6956D7D505D816EFCB32DD852C03CC7C21817 A7C6824C4C6CC34DA60B131C105F5E8CDFB90D Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse
C:\09ede400f8bb800a059f\install.res.dll
Process: C:\Users\user\Desktop\Silverlight_x64.exe File Type: PE32+ executable (DLL) (GUI) x86-64, for MS Windows Size (bytes): 438448 Entropy (8bit): 4.9743703484771835 Encrypted: false MD5: C902571F23C41D59F10680486B3A311B SHA1: E3CE8571EC36091995E91B2A5887DA163B972A53 SHA-256: 0173612039AA992F72D8B2BD9120CECB305CAA0B6D95FE2B04A4AC2F002CA184 SHA-512: F312A8B1B54653E2A18FC48613A2DBFEB2E5F7E40EFBC181859D008CEC80D36161E91FF50B1EBE1364DD451B3E BF0370FC17E4C2ECDE816C5F64931353A47CCF Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse
C:\09ede400f8bb800a059f\microsoft_defaults.exe
Process: C:\Users\user\Desktop\Silverlight_x64.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 119968 Entropy (8bit): 5.90991491651561 Encrypted: false MD5: 64CADAEF6DCF7B6A6171FC1A2BEE94A1 SHA1: 89B67F711F1F98F9991C688B32C555CC597F09BC SHA-256: 5720BD8E18456D0B96CD4BDBB715C2217A1EE30609DD05C195895874105A557C SHA-512: C0FE11F5575659E53CC5E0A37F68524A2C90633B9E1D931791329B320B4884FD7131328CC7EF02691BE2309EB4F4 2A1968A7B4E144ED83DCBDF284A570EB353B Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse
C:\09ede400f8bb800a059f\silverlight.7z
Process: C:\Users\user\Desktop\Silverlight_x64.exe File Type: 7-zip archive data, version 0.3 Size (bytes): 12822503 Entropy (8bit): 7.999985362155246 Encrypted: true MD5: 5C328FA0A1497CA826CE0CB7D2A2824B SHA1: F842EE759E981BE8BC8144A1965ECAE09E07CDFD SHA-256: 97F8257268C73873D80788C93C52C48018B18D49E5CE06DA5299C1395FAF316F SHA-512: A3AB12826447FAC21308B6304D50B9879367F45773DBB8AD757511797F2FCE89204601A5D01A30A039235440ACAE C1944A0692E8E98E8CD233D0374F371D4BD0 Malicious: false
C:\09ede400f8bb800a059f\silverlight.msi
Copyright Joe Security LLC 2019 Page 15 of 74 C:\09ede400f8bb800a059f\silverlight.msi Process: C:\Users\user\Desktop\Silverlight_x64.exe File Type: 2 Size (bytes): 53248 Entropy (8bit): 4.790087328953825 Encrypted: false MD5: 18EB24728930616E838E6DDDB062779C SHA1: 7D2FB247CC537242D787DC31CE9A4B58EB6D6624 SHA-256: 2064ED1462702E28DF4F11AC7415275E1881D4F6737218413648ADA8091FAD1F SHA-512: 8968A78CA9E0627BF4BA41EA1E48F4D83CD14BA1A2D4ED2B6CEC053EA12ACF98F53A6F09CDBA1501325AD6B73 A873CC1259F7A5ECEBEFE675DFDA989FB277369 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\Microsoft.Xna.Framework.Graphics.Shaders.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 35304 Entropy (8bit): 5.42374327962554 Encrypted: false MD5: 02F8AB41E20855EF744DEDDC1BCED451 SHA1: E167A39C59A35A376BE93AE52018933B50D9BF67 SHA-256: B98874270CBACC84523E9D19ED3F8832934FC0CA664476D61CC8C592D102F5A2 SHA-512: FB2BC20453F712C030AEB206968EAED1C2DC66F0F1E89A7DF566C6455770C20D8CCBA41D7DC4170CDF26738E2 AD68534C1A501E421E5D2646C7E4EA04682345B Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\Microsoft.Xna.Framework.Graphics.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 152552 Entropy (8bit): 6.190567879746922 Encrypted: false MD5: D67A9179CAA5F8BFA3E27CFF602661AE SHA1: AEC3DD61B9C61C89F7767EE3B03F991E0CC0547B SHA-256: 5A3BB0793C2D542F47BA8F83F2A5D3DE49BB692BD94DC14C642F78AFFC2BE8DF SHA-512: 4A05AF8B7343C92D0F2225AE77C8229154E78E3A2F04838531DB981D0EB5A13F3DF3C77BB57611B94666E06FB93 F0AFBCF65933EC4EC00CEE43FFACAE4E51963 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\Microsoft.Xna.Framework.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 140776 Entropy (8bit): 6.3424199631646685 Encrypted: false MD5: 32223EF17F51A350FB9B3D25E1C081DF SHA1: 944E37B67906AFEEAB5829D4F4C84803B6021A5A SHA-256: 444EDCF2CF62E8E1E6015BD92DC2A21C33E62554F348B22380EDAC0BB48F0963 SHA-512: 117C55A00E4554A4C1BB5BDA2077846E6C36FA199CF1D0305C1929CC7912A2981496AFBD5802369949B1B8ABCC ED9A93AD8ABB02E2A2A19947EB564E1FC38757 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Core.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 2318312 Entropy (8bit): 6.65347507193831 Encrypted: false MD5: EDB1E7CCC034F65B388810DACA9617B7 SHA1: FDF6B6ABB25D7BBE768C8F7888B12E342046A231 SHA-256: DD7EBA8DB7BE9E809216E61E5974E725B27802FAE852638E3256656B3E23046C SHA-512: BE9CBF10D2EF7AA4AD0ECE4CE7061293754C453ED67F24CB8CE3EA05BF7E75CFF8414CBC91E1D98539ABEB1B F8D492F6011FADE7CA4F4D45DA5148079070271F Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Net.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe
Copyright Joe Security LLC 2019 Page 16 of 74 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Net.ni.dll File Type: data Size (bytes): 642536 Entropy (8bit): 6.615297315027376 Encrypted: false MD5: F9BE8759FF85E5624D12E78E77FE302D SHA1: 3ECD6647460EA7E0C2D74105425690B4EA1A76E5 SHA-256: 4621DD49FFB4341D502BA4E8AB2265395D7FA9488AA29087A69A32239261BABA SHA-512: B2288639E98BDCA8E91D4F52AF31F74C13C6AE55A4A0F67F8B18053F7C1721FEF097B93E5E01F50AEAFCFBBD9 CBF34AF5FD886A7FD0824EC1E453F928D739DD7 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Runtime.Serialization.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 1165288 Entropy (8bit): 6.665060427872024 Encrypted: false MD5: 084021C0CE25AE7D0C5BE32201A7D854 SHA1: 64299FB86D79270043BF4A65F5018F09A515F2BA SHA-256: F81754D45289C78FAD22A71C50EC22158AE03527A3C89CAAFDAFF747023CEF07 SHA-512: 360BE40FBEBE50D58F2F1BC166F9B842C1CFEB7C5544CD3FA7BBB44C029042CDC66CC3704A0013F3AEB73A0C7 B1B417F3C50C6A27D2A3942B3EDAE6800945FC7 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.ServiceModel.Web.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 141288 Entropy (8bit): 6.30195368730313 Encrypted: false MD5: 678BE8B9F8218410912F48D699F07F9C SHA1: 4AD46AA96D1AF561DB2B0A5B250F625BD0D14A3F SHA-256: 9372EC8AD64B384D662AC490DC787965BED64344EE36B25FD91B4F830BD5A7CF SHA-512: 330ED580F12C87A76BD551245B5AF0E8B08B6E24EC71944BE4C9576BC79813426EBD0DB218D996DEB40C41F6C7 D8107A4979FCC5036F7AD4F2FE85A4010C166D Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Windows.Xna.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 104424 Entropy (8bit): 6.135628302250843 Encrypted: false MD5: 0CEBBD90D1CA85690B23E151B09C54E5 SHA1: 2E1F469117D972DF3584775FC1B5522DF74288FB SHA-256: FB94F9217776248C3D350A1BBA92966D8585E50D0B9A8723337C825025E83E71 SHA-512: 01EFE13D44E97A61FF18A2298B3DAEC5DBDBB5B146F14D6AE27C37E625442D01A86F8188013C21712B4E28E089 DAD20F24C3998EE184F963275430D43557A4D4 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Windows.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 4982248 Entropy (8bit): 6.543565193401665 Encrypted: false MD5: 06B2B0A9A66545D4AEA8D7F28531428E SHA1: 7BD27B72A7E8E63C389AA7F773701F0F7E390743 SHA-256: 93BD6C8D4FC95E5A8DFA53C26BA49E85CFC66B8B3AF2C0013C10AFC664933E1E SHA-512: C6D2926007CCB51311613D3F1B99F08B703A7EE842348D7A00674CA8685396E11151629F8C6AC969399164BDC6C5 74E1ADB1862C9216C5F8E772EEC5A75B6C1A Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Xml.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data
Copyright Joe Security LLC 2019 Page 17 of 74 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.Xml.ni.dll Size (bytes): 825320 Entropy (8bit): 6.719056337338317 Encrypted: false MD5: 6454319CA086AC9970126BCF75CE35F7 SHA1: 29B3260E507D065998F0F44FAEF9C6A8130605F5 SHA-256: A3ACBE4D6910363B6C8A3D23F9AD4715BBA246F8857831067872EE714FA205D7 SHA-512: 02F3E79827579A05527D426C745139AE7684227E9BDCAD72BE841090BBFCD2F67B3104D0D1C923F8D37869FFCBE 8089145CEF278AF653F150FE82D0A9327A250 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\System.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 665576 Entropy (8bit): 6.709828371533 Encrypted: false MD5: 4288C6228003594835274D0DD237EF27 SHA1: 1D2B3E7C71916EF3EEF17EF3191107FA533984B7 SHA-256: F601B93B0935B0A553BCA70F5E42E912EEB087060C4FEF2E4E7DBFA248AA1A66 SHA-512: D729548F1F3358ACC867B0860042FB6418EC096F1737FA92ED18888304A2BBC6EF303A16593E2772DC3D0BA763B D18A0D4F51BD53D2BC324D95C471BDA910C27 Malicious: false
C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\mscorlib.ni.dll Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: data Size (bytes): 6417384 Entropy (8bit): 6.738793673932851 Encrypted: false MD5: E6D1B7A19E6163E12C84E33C2CDB1087 SHA1: 5C63D804278BF2CB14DA4DF98C0CCEBBB669953F SHA-256: BD3DC7FCB638FCAB4C930AAD6B3391C073D5AC40CCC90A836DE58E7F13AD716E SHA-512: AC2074DCE134719D4A15C31F4518BD39B9A9B8659D9C6F321E3FF7E9D606BC69E1D3B42492B9CCABE2B6FE7700 ACD0F68B228FFDFFB1E44E88D3C497FB2EBC26 Malicious: false
C:\Users\CRAIGH~1\AppData\Local\Temp\DefaultPack.EXE
Process: C:\09ede400f8bb800a059f\microsoft_defaults.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 2936680 Entropy (8bit): 7.985510867713554 Encrypted: false MD5: E70ED7DF1C42C279D9BC32E018E4C598 SHA1: 8A494E61C361724E10D64D08B18371BC7A06B1DA SHA-256: 9EF66FA5C9C8D6AF9D0E6D6B3235D5C5ABCACEA9A2EA661E9C15168667457E54 SHA-512: 78C10CD633B61013BFB2109FE753EC14590FC56748FA6B81F33FF1E01C25D4757A652CC69BB33B70BF97CBC2D2 897C035975A7A683F5C2626524EF70B90D612A Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse
C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log Process: C:\09ede400f8bb800a059f\install.exe File Type: Unicode text, UTF-32, little-endian Size (bytes): 4078 Entropy (8bit): 3.6021376456054353 Encrypted: false MD5: E781133DFC10544139F0F76CFA9C306E SHA1: C96F139187C08AF4DFF6E89CBD57EA123B171493 SHA-256: DCD226BDE8C33D1C702CC377A5B9D4216BA5E597C6CA62DD1D2D5207BEF6A6F2 SHA-512: E9790728C9603FA291E7F2E731206A4AB1E53D3479F0688A0AEC78DBCFF7F918FFB59A80215D7B9B26906C776FF 8C8860EB70A7EC85D0C72CCC41151D325F2EC Malicious: false
C:\Users\CRAIGH~1\AppData\Local\Temp\SilverlightMSI.log Process: C:\09ede400f8bb800a059f\install.exe
Copyright Joe Security LLC 2019 Page 18 of 74 C:\Users\CRAIGH~1\AppData\Local\Temp\SilverlightMSI.log File Type: Little-endian UTF-16 Unicode text, with CRLF, CR line terminators Size (bytes): 32232 Entropy (8bit): 3.5180238595948015 Encrypted: false MD5: 4C29A980BC9EC63CA52CEE2AADFB9B2A SHA1: 336E8B4840175362F741AE5112B09CE4A7960EB6 SHA-256: 445E94BDB39CBDE65747F4BCB57CFD00EE3EE47C7F2AFF2D3FF9A3542C65C281 SHA-512: C48E78E0C10B28A047BEA1707E2E9D06409CCD84BCAD98427AF5E1EE44E186C05A869582ABCF9709F3398B9D9 BD9F7A549C4A4EC68329EB16A4EFB76556A6D72 Malicious: false
C:\Users\user\AppData\LocalLow\Microsoft\Silverlight\mssl.lck Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\Silverlight.Configuration.exe File Type: data Size (bytes): 77 Entropy (8bit): 0.1000009430103235 Encrypted: false MD5: 6D4E28691607F7EA7B9E9CA8FEC200CD SHA1: A6C4E4D4E6157E4826D308F7A286B7590ADE750C SHA-256: A462EBA5DCAADF3604552E95B06B28F71F1F238952DDD47FA61C74B9D82FA9FE SHA-512: D303780B386B701F4E0BC1DA80D6DD45341987C5E55A0DD09AD952596DAF0EEDAE8C4395C0F88824CBD0D91F8 C9D750A0E5D3CCDA3B8AE5147A385BAED253448 Malicious: false
C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\G7QTC28F\DefaultPack[1].EXE
Process: C:\09ede400f8bb800a059f\microsoft_defaults.exe File Type: PE32 executable (GUI) Intel 80386, for MS Windows Size (bytes): 2936680 Entropy (8bit): 7.985510867713554 Encrypted: false MD5: E70ED7DF1C42C279D9BC32E018E4C598 SHA1: 8A494E61C361724E10D64D08B18371BC7A06B1DA SHA-256: 9EF66FA5C9C8D6AF9D0E6D6B3235D5C5ABCACEA9A2EA661E9C15168667457E54 SHA-512: 78C10CD633B61013BFB2109FE753EC14590FC56748FA6B81F33FF1E01C25D4757A652CC69BB33B70BF97CBC2D2 897C035975A7A683F5C2626524EF70B90D612A Malicious: false Antivirus: Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse
\Device\ConDrv Process: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe File Type: ASCII text, with CRLF line terminators Size (bytes): 251 Entropy (8bit): 5.031245117356554 Encrypted: false MD5: 107B4CFC963ABEE4D469471DCE340977 SHA1: C10B94049FED6649C5FEF7E624EACA46B8B1489A SHA-256: B4FA8C65941AECB4D12120337896B78A1C10666DAD69A69CD3A6F0DE47CBA892 SHA-512: F42B27416337FDB42DB8CEF0ECA4BA09858A856327E4390B50CB452546FEF559B42D8456C8D67470B8FC558222B 964FC3BB50597268D1582D93D53938DAB9F3A Malicious: false
Domains and IPs
Contacted Domains
Name IP Active Malicious Antivirus Detection Reputation g.msn.com unknown unknown false high
URLs from Memory and Binaries
Copyright Joe Security LLC 2019 Page 19 of 74 Name Source Malicious Antivirus Detection Reputation Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_DEDE5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_D 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_CSCZ5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_C 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_RURU5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_R 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_ETEE5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_E 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_ZHCN5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_Z 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_PTPT5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_P 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_ITIT5http://g.msn 00000002.7708197131.0000000004 .com/1ewenusDefaultPack/Privacy_Link_I 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_THTH5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_T 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_PTBR5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_P 48B000.00000004.sdmp, install.exe coregen.exe, 0000001E.00000003 false Avira URL Cloud: safe low schemas.datacontract.org/2004/07/3DcTypeNotFoundOnSeria .7164061542.00000000000EA000.0 lize 0000004.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_DADK5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_D 48B000.00000004.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_SRCYRL7http://g 00000002.7708197131.0000000004 .msn.com/1ewenusDefaultPack/Privacy_Link 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_ARAR5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_A 48B000.00000004.sdmp, install.exe coregen.exe, 0000001C.00000003 false high schemas.datacontract.org/2004/07/EInvalidGlobalDataContrac .7124509476.000000000014F000.0 tNamespace?DataContractNamespaceAlr 0000004.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_KOKR5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_K 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_FIFI5http://g.msn 00000002.7708197131.0000000004 .com/1ewenusDefaultPack/Privacy_Link_F 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_JAJP5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_J 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_FRFR5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_F 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_UKUA5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_U 48B000.00000004.sdmp, install.exe install.exe false high g.msn.com/1ewenusDefaultPack/MSA_Link_NLNL5http://g.ms n.com/1ewenusDefaultPack/ install.exe false high g.msn.com/1ewenusDefaultPack/MSA_Link_DADK5http:// Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_MSMY5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_M 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_TRTR5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_T 48B000.00000004.sdmp, install.exe install.exe false high g.msn.com/1ewenusDefaultPack/MSA_Link0http://g.msn.com/ 1ewenusDefaultPack/Privacy_Link Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_HUHU5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_H 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_NBNO5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_N 48B000.00000004.sdmp, install.exe
Copyright Joe Security LLC 2019 Page 20 of 74 Name Source Malicious Antivirus Detection Reputation Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/SLV5_DefaultPackopenen- 00000002.7708197131.0000000004 usBingServicestartedtemp 48B000.00000004.sdmp, microsof t_defaults.exe, 00000005.00000 002.6533017800.0000000000CB000 0.00000002.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_ESES5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_E 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_RORO5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_R 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link0http://g.msn.com/ 00000002.7708197131.0000000004 1ewenusDefaultPack/Privacy_LinkPA 48B000.00000004.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_PLPL5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_P 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_LTLT5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_L 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_SISI5http://g.msn 00000002.7708197131.0000000004 .com/1ewenusDefaultPack/Privacy_Link_S 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_SKSK5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_S 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_NLNL5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_N 48B000.00000004.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_BGBG5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_B 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_ZHTW5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_Z 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_HRHR5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_H 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_EUES5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_E 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_CAES5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_C 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_SRLATN7http://g 00000002.7708197131.0000000004 .msn.com/1ewenusDefaultPack/Privacy_Link 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_HEIL5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_H 48B000.00000004.sdmp, install.exe g.msn.com/1ewenusDefaultPack/SLV5_DefaultPack microsoft_defaults.exe false high coregen.exe, 0000001C.00000003 false high schemas.datacontract.org/2004/07/System.Collections.Generi .7123504475.0000000005B44000.0 c 0000004.sdmp coregen.exe, 0000001C.00000003 false high schemas.datacontract.org/2004/07/dhttp://schemas.datacontra .7123504475.0000000005B44000.0 ct.org/2004/07/System.XmlRhttp://w 0000004.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_ELGR5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_E 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_LVLV5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_L 48B000.00000004.sdmp, install.exe schemas.datacontract.org/2004/07/System coregen.exe, 0000001C.00000003 false high .7123504475.0000000005B44000.0 0000004.sdmp Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_SVSE5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_S 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_VIVN5http://g.ms 00000002.7708197131.0000000004 n.com/1ewenusDefaultPack/Privacy_Link_V 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_KKKZ5http://g.m 00000002.7708197131.0000000004 sn.com/1ewenusDefaultPack/Privacy_Link_K 48B000.00000004.sdmp, install.exe Silverlight_x64.exe, 00000002. false high g.msn.com/1ewenusDefaultPack/MSA_Link_IDID5http://g.msn 00000002.7708197131.0000000004 .com/1ewenusDefaultPack/Privacy_Link_I 48B000.00000004.sdmp, install.exe
Copyright Joe Security LLC 2019 Page 21 of 74 Contacted IPs
No contacted IP infos
Static File Info
General File type: PE32 executable (GUI) Intel 80386, for MS Windows Entropy (8bit): 7.999870350315104 TrID: Win32 Executable (generic) a (10002005/4) 99.94% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Java Script embedded in Visual Basic Script (1500/0) 0.01% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00% File name: Silverlight_x64.exe File size: 13153080 MD5: 0fcd0fe64f56c7da148aa5908ea22941 SHA1: 16cfdfe075ee9249845eccff913acc4386a0a1e6 SHA256: 8eb0fc1163330294d62f8cbdb1088fc3af7ab552c544f2ec 1d29f3f48e199c8f SHA512: c75ed32073ce5a55de25b1df78e3f303fc5acebbc512d0c 55a06917a839a9a1d61ddaf22cfa10a9cd0c938ad88ea13 8c4e8b30f27547018eb836dd7f06346daf SSDEEP: 393216:3CUsnYj7UmKM9DqdqY356NvQa7pEzkDVMjS Q6ZO:y1YnU/VdqYQNvQaVEzoVMjKs File Content Preview: MZ...... @...... !..L.!Th is program cannot be run in DOS mode....$...... K...K.. .K...... D...K...!...... _...... J...... J...RichK...... PE..L ...Hn.@...... x...... X... .
File Icon
Icon Hash: 00828e8e8686b000
Static PE Info
General Entrypoint: 0x1005892 Entrypoint Section: .text Digitally signed: true Imagebase: 0x1000000 Subsystem: windows gui Image File Characteristics: LOCAL_SYMS_STRIPPED, 32BIT_MACHINE, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, REMOVABLE_RUN_FROM_SWAP, NET_RUN_FROM_SWAP, RELOCS_STRIPPED DLL Characteristics: NO_SEH, TERMINAL_SERVER_AWARE Time Stamp: 0x40DB6E48 [Fri Jun 25 00:14:00 2004 UTC] TLS Callbacks: CLR (.Net) Version: OS Version Major: 5 OS Version Minor: 2 File Version Major: 5 File Version Minor: 2 Subsystem Version Major: 5 Subsystem Version Minor: 2 Import Hash: 7972ce6c674527bb9c502674ccaa92c4
Authenticode Signature
Signature Valid: true
Copyright Joe Security LLC 2019 Page 22 of 74 Signature Issuer: CN=Microsoft Code Signing PCA, O=Microsoft Corporation, L=Redmond, S=Washington, C=US Signature Validation Error: The operation completed successfully Error Number: 0 Not Before, Not After 7/12/2018 1:11:19 PM 7/26/2019 1:11:19 PM Subject Chain CN=Microsoft Corporation, O=Microsoft Corporation, L=Redmond, S=Washington, C=US Version: 3 Thumbprint: 9DC17888B5CFAD98B3CB35C1994E96227F061675 Serial: 33000001B1DDEDBA54E965B85F0001000001B1
Entrypoint Preview
Instruction jmp 00007F0ADDE432ADh mov eax, dword ptr [esp+04h] jmp 00007F0ADDE43859h cmp cl, 0000003Bh jne 00007F0ADDE4384Eh test cl, cl je 00007F0ADDE43856h inc eax mov cl, byte ptr [eax] cmp cl, 0000000Ah jne 00007F0ADDE43836h cmp byte ptr [eax], 00000020h jnle 00007F0ADDE4384Bh inc eax mov cl, byte ptr [eax] test cl, cl jne 00007F0ADDE43825h xor eax, eax retn 0004h mov ecx, dword ptr [esp+04h] jmp 00007F0ADDE43847h test al, al je 00007F0ADDE43853h inc ecx mov al, byte ptr [ecx] cmp al, 0Ah jne 00007F0ADDE43837h inc ecx push ecx call 00007F0ADDE43805h retn 0004h xor eax, eax jmp 00007F0ADDE4383Bh push ebx mov ebx, dword ptr [esp+0Ch] push esi mov esi, dword ptr [esp+0Ch] push edi mov byte ptr [ebx], 00000000h jmp 00007F0ADDE4384Eh push esi call 00007F0ADDE43810h mov esi, eax test esi, esi je 00007F0ADDE4386Fh cmp byte ptr [esi], 0000005Bh jne 00007F0ADDE43831h lea eax, dword ptr [esi+01h] jmp 00007F0ADDE4384Ch test cl, cl je 00007F0ADDE43861h cmp cl, 00000020h
Copyright Joe Security LLC 2019 Page 23 of 74 Instruction jle 00007F0ADDE4384Ch inc eax mov cl, byte ptr [eax] cmp cl, 0000005Dh jne 00007F0ADDE43831h jmp 00007F0ADDE43845h lea esi, dword ptr [eax-01h] sub eax, esi dec eax mov edi, eax je 00007F0ADDE4381Bh cmp dword ptr [esp+18h], edi jnbe 00007F0ADDE43846h xor eax, eax jmp 00007F0ADDE4385Eh push edi lea eax, dword ptr [esi+01h] push eax push ebx call dword ptr [0100219Ch] push ebx mov byte ptr [edi+ebx], 00000000h call dword ptr [01002198h] add esp, 10h mov eax, esi pop edi pop esi pop ebx retn 000Ch mov eax, dword ptr [esp+04h]
Data Directories
Name Virtual Address Virtual Size Is in Section IMAGE_DIRECTORY_ENTRY_EXPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IMPORT 0x8d20 0xa0 .text IMAGE_DIRECTORY_ENTRY_RESOURCE 0x1c000 0x9b0 .rsrc IMAGE_DIRECTORY_ENTRY_EXCEPTION 0x0 0x0 IMAGE_DIRECTORY_ENTRY_SECURITY 0xc87600 0x3d38 IMAGE_DIRECTORY_ENTRY_BASERELOC 0x0 0x0 IMAGE_DIRECTORY_ENTRY_DEBUG 0x21d0 0x1c .text IMAGE_DIRECTORY_ENTRY_COPYRIGHT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_GLOBALPTR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_TLS 0x0 0x0 IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG 0x0 0x0 IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_IAT 0x2000 0x1c4 .text IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT 0x0 0x0 IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR 0x0 0x0 IMAGE_DIRECTORY_ENTRY_RESERVED 0x0 0x0
Sections
Name Virtual Address Virtual Size Raw Size Xored PE ZLIB Complexity File Type Entropy Characteristics .text 0x2000 0x7760 0x7800 False 0.600748697917 data 6.6021235867 IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_READ .data 0xa000 0x110d4 0x200 False 0.095703125 data 0.509584268592 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_WRITE, IMAGE_SCN_MEM_READ .rsrc 0x1c000 0x9b0 0xc7f800 False 1.00015009364 data 7.99996925107 IMAGE_SCN_CNT_INITIALIZED_D ATA, IMAGE_SCN_MEM_READ
Resources
Name RVA Size Type Language Country RT_DIALOG 0x1c118 0x11a data English United States Copyright Joe Security LLC 2019 Page 24 of 74 Name RVA Size Type Language Country RT_DIALOG 0x1c234 0xe0 data English United States RT_STRING 0x1c314 0x2da data English United States RT_VERSION 0x1c5f0 0x3c0 data English United States
Imports
DLL Import KERNEL32.dll GetDriveTypeA, HeapFree, FormatMessageA, LeaveCriticalSection, DeleteFileA, EnterCriticalSection, TerminateProcess, WaitForMultipleObjects, CreateEventW, SetEvent, Sleep, SetEnvironmentVariableA, GetEnvironmentVariableA, WideCharToMultiByte, HeapAlloc, SetLastError, WriteFile, MoveFileA, ExitProcess, DeleteCriticalSection, FlushFileBuffers, GetVersionExA, WaitForSingleObject, OpenEventA, GetCurrentProcess, GetFileAttributesA, GetCommandLineA, CreateFileA, FindClose, FindNextFileA, FindFirstFileA, CopyFileA, SetFileAttributesA, SystemTimeToFileTime, GetSystemTime, GetDiskFreeSpaceA, QueryDosDeviceA, GetCurrentDirectoryA, SetEndOfFile, SetFileTime, LocalFileTimeToFileTime, DosDateTimeToFileTime, GetExitCodeProcess, CreateProcessA, GetFileSize, CreateThread, CreateEventA, GetProcessHeap, InitializeCriticalSectionAndSpinCount, GetModuleHandleA, QueryPerformanceCounter, GetCurrentThreadId, GetCurrentProcessId, GetSystemTimeAsFileTime, SetUnhandledExceptionFilter, CloseHandle, DeviceIoControl, GetSystemDirectoryA, LoadLibraryA, GetProcAddress, FreeLibrary, SetErrorMode, GetTickCount, CreateDirectoryA, GetLastError, RemoveDirectoryA, MoveFileExA, SetFilePointer, GetModuleFileNameA, ReadFile msvcrt.dll strchr, _strnicmp, _stricmp, strrchr, _strlwr, strncpy, strstr, _snprintf, sprintf ADVAPI32.dll AllocateAndInitializeSid, GetTokenInformation, GetLengthSid, InitiateSystemShutdownA, CryptReleaseContext, CryptGenRandom, CryptAcquireContextA, SetSecurityDescriptorDacl, AddAccessAllowedAce, InitializeAcl, InitializeSecurityDescriptor, OpenProcessToken USER32.dll ShowWindow, SendDlgItemMessageA, SendMessageA, DialogBoxParamA, LoadStringA, EndDialog, SetParent, MessageBoxA ntdll.dll NtShutdownSystem, NtAdjustPrivilegesToken, NtClose, NtOpenProcessToken COMCTL32.dll SHELL32.dll SHBrowseForFolderA, SHGetPathFromIDListA
Version Infos
Description Data LegalCopyright Microsoft Corporation. All rights reserved. InternalName SFXCAB.EXE FileVersion 5.1.50918.0 CompanyName Microsoft Corporation ProductName Microsoft Windows Operating System ProductVersion 5.5.0031.0 FileDescription Self-Extracting Cabinet OriginalFilename SFXCAB.EXE Translation 0x0409 0x04b0
Possible Origin
Language of compilation system Country where language is spoken Map
English United States
Network Behavior
TCP Packets
Timestamp Source Port Dest Port Source IP Dest IP Feb 21, 2019 14:44:38.580075979 CET 53875 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:38.593245983 CET 53 53875 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:38.634816885 CET 62935 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:38.648504019 CET 53 62935 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:38.686856031 CET 54098 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:38.700485945 CET 53 54098 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:39.032908916 CET 56170 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:39.088443995 CET 53 56170 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:39.770783901 CET 61560 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:39.784509897 CET 53 61560 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:52.476134062 CET 60682 53 192.168.2.6 8.8.8.8 Copyright Joe Security LLC 2019 Page 25 of 74 Timestamp Source Port Dest Port Source IP Dest IP Feb 21, 2019 14:44:52.514427900 CET 53 60682 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:52.646507025 CET 55604 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:52.702008963 CET 53 55604 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:14.418935061 CET 51490 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:14.432044983 CET 53 51490 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:14.742929935 CET 50230 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:14.756028891 CET 53 50230 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:36.754216909 CET 55962 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:36.767829895 CET 53 55962 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:36.848788977 CET 54406 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:36.862163067 CET 53 54406 8.8.8.8 192.168.2.6
UDP Packets
Timestamp Source Port Dest Port Source IP Dest IP Feb 21, 2019 14:44:38.580075979 CET 53875 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:38.593245983 CET 53 53875 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:38.634816885 CET 62935 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:38.648504019 CET 53 62935 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:38.686856031 CET 54098 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:38.700485945 CET 53 54098 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:39.032908916 CET 56170 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:39.088443995 CET 53 56170 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:39.770783901 CET 61560 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:39.784509897 CET 53 61560 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:52.476134062 CET 60682 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:52.514427900 CET 53 60682 8.8.8.8 192.168.2.6 Feb 21, 2019 14:44:52.646507025 CET 55604 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:44:52.702008963 CET 53 55604 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:14.418935061 CET 51490 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:14.432044983 CET 53 51490 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:14.742929935 CET 50230 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:14.756028891 CET 53 50230 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:36.754216909 CET 55962 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:36.767829895 CET 53 55962 8.8.8.8 192.168.2.6 Feb 21, 2019 14:45:36.848788977 CET 54406 53 192.168.2.6 8.8.8.8 Feb 21, 2019 14:45:36.862163067 CET 53 54406 8.8.8.8 192.168.2.6
DNS Queries
Timestamp Source IP Dest IP Trans ID OP Code Name Type Class Feb 21, 2019 14:44:52.476134062 CET 192.168.2.6 8.8.8.8 0x991a Standard query g.msn.com A (IP address) IN (0x0001) (0)
DNS Answers
Timestamp Source IP Dest IP Trans ID Reply Code Name CName Address Type Class Feb 21, 2019 8.8.8.8 192.168.2.6 0x991a No error (0) g.msn.com g.msn.com.nsatc.net CNAME IN (0x0001) 14:44:52.514427900 (Canonical CET name) Feb 21, 2019 8.8.8.8 192.168.2.6 0xc72e No error (0) 2-01-4ca6- main.dl.ms.akadns.net CNAME IN (0x0001) 14:44:52.702008963 0004.cdx.c (Canonical CET edexis.net name)
Code Manipulations
Statistics
Behavior
Copyright Joe Security LLC 2019 Page 26 of 74 • Silverlight_x64.exe • install.exe • microsoft_defaults.exe • MSI12C0.tmp • MSI13CA.tmp • msiexec.exe • msiexec.exe • rundll32.exe • rundll32.exe • rundll32.exe • rundll32.exe • coregen.exe • conhost.exe • Silverlight.Configuration.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe • conhost.exe • coregen.exe
Click to jump to process
System Behavior
Analysis Process: Silverlight_x64.exe PID: 2952 Parent PID: 4924
General
Start time: 14:44:46 Start date: 21/02/2019 Path: C:\Users\user\Desktop\Silverlight_x64.exe Wow64 process (32bit): true Commandline: 'C:\Users\user\Desktop\Silverlight_x64.exe' Imagebase: 0x1000000 File size: 13153080 bytes MD5 hash: 0FCD0FE64F56C7DA148AA5908EA22941 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low
File Activities
File Created
Source File Path Access Attributes Options Completion Count Address Symbol c:\_645187_ read data or list normal directory file | success or wait 1 10027D7 CreateDirectoryA directory | synchronous io synchronize non alert | open for backup ident | open reparse point
Copyright Joe Security LLC 2019 Page 27 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\Desktop read data or list normal directory file | object name collision 1 1004267 CreateDirectoryA directory | synchronous io synchronize non alert | open for backup ident | open reparse point c:\09ede400f8bb800a059f read data or list normal directory file | success or wait 1 1004267 CreateDirectoryA directory | synchronous io synchronize non alert | open for backup ident | open reparse point c:\09ede400f8bb800a059f\silverlight.7z read attributes | normal synchronous io success or wait 1 10052C3 CreateFileA synchronize | non alert | non generic write directory file c:\09ede400f8bb800a059f\install.res.dll read attributes | normal synchronous io success or wait 1 10052C3 CreateFileA synchronize | non alert | non generic write directory file c:\09ede400f8bb800a059f\install.exe read attributes | normal synchronous io success or wait 1 10052C3 CreateFileA synchronize | non alert | non generic write directory file c:\09ede400f8bb800a059f\microsoft_defaults.exe read attributes | normal synchronous io success or wait 1 10052C3 CreateFileA synchronize | non alert | non generic write directory file c:\09ede400f8bb800a059f\silverlight.msi read attributes | normal synchronous io success or wait 1 10052C3 CreateFileA synchronize | non alert | non generic write directory file c:\09ede400f8bb800a059f\$shtdwn$.req read attributes | hidden synchronous io success or wait 1 100353E CreateFileA delete | syn non alert | non chronize | directory file | generic read | delete on close generic write
Source File Path Completion Count Address Symbol
File Written
Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\09ede400f8bb800a059f\silverlight.7z unknown 32768 37 7a bc af 27 1c 00 7z..'...iew.+...... J success or wait 392 10039D9 WriteFile 03 69 65 77 92 2b a7 9..h3.?.1T.YP....+.^6.%...n c3 00 00 00 00 00 9c >.Q 00 00 00 00 00 00 00 2>.wB...... O.6Cw...... ^...i. a7 4a 39 01 00 68 33 $...... bS..0...a.=...... a.. be 3f e9 31 54 b2 59 .@.&..3.4.~..i.;..Xz.N.7B... 50 bd f0 0c 8c 2b 95 R...... ]....f>.E..(.H.....u|.. 5e 36 be 25 a2 bf d4 .6[.j#"6.$.p....A(/.....Z..U . 6e 3e fb 51 32 3e a2 ...... b.bd.....+.pk...... h.. 77 42 e9 e3 a4 8a c6 ....]J../tx.eZ. df 4f a1 36 43 77 f7 0b 03 a0 ba c4 c9 95 5e af ed d1 69 e5 24 b5 86 07 cc 97 b2 84 62 53 a0 93 30 06 0b 18 61 ca 3d e9 0d b3 85 ed 98 1f c8 61 d4 08 cd 40 f5 26 b6 93 33 7f 34 ec 7e 01 c9 69 cc 3b 7f 0e 58 7a a3 4e 9e 37 42 e3 dc ab 52 87 df ca f1 06 83 8e be 5d 07 11 e8 89 66 3e 1f 45 e4 ef 28 04 48 dd 0c 14 d4 1e 75 7c fd ba 1c 36 5b 8b 6a 23 22 36 c4 24 da 70 c5 0b b1 95 41 28 2f 9a c6 f8 0e e7 5a bd 2e 55 20 cf 00 ab 9b 0a 8a 12 62 8b 62 64 f4 e6 d1 86 95 2b d3 70 6b 92 d4 c2 b8 b2 9f b5 09 68 cd b8 c4 12 93 91 5d 4a f4 82 2f 74 78 1a 65 5a dc
Copyright Joe Security LLC 2019 Page 28 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\09ede400f8bb800a059f\install.res.dll unknown 22553 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 14 10039D9 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode....$...... l...... 00 00 00 00 00 00 00 {%...... {".....Rich...... 00 00 00 00 00 00 00 ...... PE..d...O..[...... " 00 00 00 00 00 00 00 ...... 00 00 00 c0 00 00 00 0e 1f ba 0e 00 b4 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 f9 6c d1 d9 bd 0d bf 8a bd 0d bf 8a bd 0d bf 8a da 7b 25 8a bc 0d bf 8a da 7b 22 8a bc 0d bf 8a 52 69 63 68 bd 0d bf 8a 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 64 86 02 00 4f d9 cf 5b 00 00 00 00 00 00 00 00 f0 00 22 20 0b 02 0a 00 00 00 00 00 00 92 06 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 80 01 00 00 00 00 10 00 00 00 02 00 C:\09ede400f8bb800a059f\install.exe unknown 10089 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 10 10039D9 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... R...... 1..... 00 00 00 00 00 00 00 ....g.....1...-.....g.....1... 00 00 00 00 00 00 00 ....1.c.....1...... q. 00 00 00 08 01 00 00 L.....q.y.....q.~.....Rich.... 0e 1f ba 0e 00 b4 09 ...... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 52 ae 8d bc 16 cf e3 ef 16 cf e3 ef 16 cf e3 ef 31 09 9e ef 1e cf e3 ef 1f b7 67 ef 13 cf e3 ef 31 09 8d ef 2d cf e3 ef 08 9d 67 ef 15 cf e3 ef 31 09 8e ef 96 cf e3 ef 31 09 63 ef 14 cf e3 ef 31 09 98 ef 05 cf e3 ef 16 cf e2 ef 06 ce e3 ef 71 b9 4c ef 0e cf e3 ef 71 b9 79 ef 17 cf e3 ef 71 b9 7e ef 17 cf e3 ef 52 69 63 68 16 cf e3 ef 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Copyright Joe Security LLC 2019 Page 29 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\09ede400f8bb800a059f\microsoft_defaults.exe unknown 15529 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 5 10039D9 WriteFile 00 04 00 00 00 ff ff 00 ...... 00 b8 00 00 00 00 00 ...... !..L.!This program 00 00 40 00 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... K.k...k...k..k.k..k 00 00 00 00 00 00 00 ..k.h..k..k.i..k....5..k...k.. 00 00 00 00 00 00 00 .k....u..k....o..k...k1..k.... 00 00 00 f0 00 00 00 j..k..Rich.k...... 0e 1f ba 0e 00 b4 09 PE..L...c`'U... cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 de 0a c8 4b 9a 6b a6 18 9a 6b a6 18 9a 6b a6 18 6b ad 6b 18 8f 6b a6 18 6b ad 68 18 e4 6b a6 18 6b ad 69 18 a9 6b a6 18 93 13 35 18 8f 6b a6 18 9a 6b a7 18 18 6b a6 18 fc 85 75 18 9c 6b a6 18 fc 85 6f 18 9b 6b a6 18 9a 6b 31 18 9b 6b a6 18 fc 85 6a 18 9b 6b a6 18 52 69 63 68 9a 6b a6 18 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 00 63 60 27 55 00 00 00 C:\09ede400f8bb800a059f\silverlight.msi unknown 26633 d0 cf 11 e0 a1 b1 1a ...... >..... success or wait 2 10039D9 WriteFile e1 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 3e 00 04 00 ...... fe ff 0c 00 06 00 00 00 ...... 00 00 00 00 01 00 00 ...... 00 01 00 00 00 01 00 ...... 00 00 00 00 00 00 00 ...... 10 00 00 02 00 00 00 ...... 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
Copyright Joe Security LLC 2019 Page 30 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\09ede400f8bb800a059f\$shtdwn$.req unknown 788 53 64 77 6e 00 00 01 Sdwn...... success or wait 1 1003595 WriteFile 00 13 00 00 c0 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
File Read
Source File Path Offset Length Completion Count Address Symbol C:\Users\user\Desktop\Silverlight_x64.exe unknown 248 success or wait 1 1002E5E ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 248 success or wait 1 1002EA9 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 15672 success or wait 1 1002F41 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 36 success or wait 1 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 36 success or wait 1 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 16 success or wait 5 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 256 success or wait 5 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 8 success or wait 1 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 8 success or wait 1 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 32788 success or wait 1 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 8 success or wait 417 1003961 ReadFile C:\Users\user\Desktop\Silverlight_x64.exe unknown 32768 success or wait 417 1003961 ReadFile
Analysis Process: install.exe PID: 4188 Parent PID: 2952
General
Start time: 14:44:48 Start date: 21/02/2019 Path: C:\09ede400f8bb800a059f\install.exe Wow64 process (32bit): false Commandline: c:\09ede400f8bb800a059f\install.exe Imagebase: 0x7ff638a80000 File size: 289472 bytes MD5 hash: D7407373D135FAFE0878A72C62387DD2 Has administrator privileges: true Programmed in: C, C++ or other language Antivirus matches: Detection: 0%, virustotal, Browse Detection: 0%, metadefender, Browse Reputation: low Copyright Joe Security LLC 2019 Page 31 of 74 File Activities
File Created
Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log read attributes | normal synchronous io success or wait 1 7FF638A9655F CreateFileW synchronize | non alert | non generic read | directory file generic write C:\09ede400f8bb800a059f\Silverlight.msp read attributes | normal synchronous io success or wait 1 7FF638A984AC CreateFileA synchronize | non alert | non generic write directory file C:\Users\user\AppData\LocalLow\Microsoft\Silverlight read data or list normal directory file | success or wait 1 7FF638A97EED CreateDirectoryW directory | synchronous io synchronize non alert | open for backup ident | open reparse point
File Deleted
Source File Path Completion Count Address Symbol C:\09ede400f8bb800a059f\Silverlight.msp success or wait 1 7FF638A89A10 DeleteFileW
File Written
Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 6 ff fe 00 00 00 00 ...... success or wait 1 7FF638A965E0 WriteFile C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 104 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.4.9.]. .S.i.l.v. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 e.r.l.i.g.h.t. .i.n.s.t.a.l.l.e.r. 34 00 39 00 5d 00 20 .l.o.g.g.i.n.g. .s.t.a.r.t.e.d... 00 53 00 69 00 6c 00 ..... 76 00 65 00 72 00 6c 00 69 00 67 00 68 00 74 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 20 00 6c 00 6f 00 67 00 67 00 69 00 6e 00 67 00 20 00 73 00 74 00 61 00 72 00 74 00 65 00 64 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 74 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.1.]. .I.n.s.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 a.l.l. .b.u.t.t.o.n. .c.l.i.c. 35 00 31 00 5d 00 20 k.e.d...... 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 20 00 62 00 75 00 74 00 74 00 6f 00 6e 00 20 00 63 00 6c 00 69 00 63 00 6b 00 65 00 64 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 112 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.1.]. .S.e.t.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 i.n.g. .d.e.f.a.u.l.t.s. .w.i.t.h. 35 00 31 00 5d 00 20 .U.n.i.v.e.r.s.a.l. .I.n. 00 53 00 65 00 74 00 s.t.a.l.l.e.r.:...... 74 00 69 00 6e 00 67 00 20 00 64 00 65 00 66 00 61 00 75 00 6c 00 74 00 73 00 20 00 77 00 69 00 74 00 68 00 20 00 55 00 6e 00 69 00 76 00 65 00 72 00 73 00 61 00 6c 00 20 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 3a 00 20 00 0d 00 0a 00
Copyright Joe Security LLC 2019 Page 32 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 72 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.1.]. .M.i.c.r. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 o.s.o.f.t._.D.e.f.a.u.l.t.s... 35 00 31 00 5d 00 20 e.x.e...... 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 5f 00 44 00 65 00 66 00 61 00 75 00 6c 00 74 00 73 00 2e 00 65 00 78 00 65 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 88 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.1.]. .S.e.t.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 i.n.g. .t.h.e. .d.e.f.a.u.l.t. 35 00 31 00 5d 00 20 .h.o.m.e. .p.a.g.e...... 00 53 00 65 00 74 00 74 00 69 00 6e 00 67 00 20 00 74 00 68 00 65 00 20 00 64 00 65 00 66 00 61 00 75 00 6c 00 74 00 20 00 68 00 6f 00 6d 00 65 00 20 00 70 00 61 00 67 00 65 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 96 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.1.]. .S.e.t.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 i.n.g. .t.h.e. .d.e.f.a.u.l.t. 35 00 31 00 5d 00 20 .s.e.a.r.c.h. .e.n.g.i.n.e... 00 53 00 65 00 74 00 ..... 74 00 69 00 6e 00 67 00 20 00 74 00 68 00 65 00 20 00 64 00 65 00 66 00 61 00 75 00 6c 00 74 00 20 00 73 00 65 00 61 00 72 00 63 00 68 00 20 00 65 00 6e 00 67 00 69 00 6e 00 65 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 104 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.1.]. .R.u.n.n. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 i.n.g. .U.n.i.v.e.r.s.a.l. .I. 35 00 31 00 5d 00 20 n.s.t.a.l.l.e.r. .w.i.t.h. .a. 00 52 00 75 00 6e 00 r.g.s.:...... 6e 00 69 00 6e 00 67 00 20 00 55 00 6e 00 69 00 76 00 65 00 72 00 73 00 61 00 6c 00 20 00 49 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 65 00 72 00 20 00 77 00 69 00 74 00 68 00 20 00 61 00 72 00 67 00 73 00 3a 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 62 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.1.]. .d.h.p.=. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 t.r.u.e. .d.s.p.=.t.r.u.e...... 35 00 31 00 5d 00 20 00 64 00 68 00 70 00 3d 00 74 00 72 00 75 00 65 00 20 00 64 00 73 00 70 00 3d 00 74 00 72 00 75 00 65 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 86 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.6.]. .N.o.n.e. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 .=.=.>. .5...1...5.0.9.1.8...0. 35 00 36 00 5d 00 20 .(.6.4.-.b.i.t.)...... 00 4e 00 6f 00 6e 00 65 00 20 00 3d 00 3d 00 3e 00 20 00 35 00 2e 00 31 00 2e 00 35 00 30 00 39 00 31 00 38 00 2e 00 30 00 20 00 28 00 36 00 34 00 2d 00 62 00 69 00 74 00 29 00 20 00 0d 00 0a 00
Copyright Joe Security LLC 2019 Page 33 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 136 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.6.]. .B.e.g.i. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 n.n.i.n.g. .i.n.s.t.a.l.l. .M. 35 00 36 00 5d 00 20 S.I. .w.i.t.h. .t.h.e. .f.o.l. 00 42 00 65 00 67 00 l.o.w.i.n.g. .c.o.m.m.a.n.d. . 69 00 6e 00 6e 00 69 l.i.n.e.:...... 00 6e 00 67 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 20 00 4d 00 53 00 49 00 20 00 77 00 69 00 74 00 68 00 20 00 74 00 68 00 65 00 20 00 66 00 6f 00 6c 00 6c 00 6f 00 77 00 69 00 6e 00 67 00 20 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 6c 00 69 00 6e 00 65 00 3a 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 102 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.6.]. .M.S.I.R. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 M.S.H.U.T.D.O.W.N.=.2. 35 00 36 00 5d 00 20 .R.E.B. 00 4d 00 53 00 49 00 O.O.T.=.R.e.a.l.l.y.S.u.p.p. 52 00 4d 00 53 00 48 r.e.s.s...... 00 55 00 54 00 44 00 4f 00 57 00 4e 00 3d 00 32 00 20 00 52 00 45 00 42 00 4f 00 4f 00 54 00 3d 00 52 00 65 00 61 00 6c 00 6c 00 79 00 53 00 75 00 70 00 70 00 72 00 65 00 73 00 73 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 124 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.7.]. .I.n.s.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 a.l.l. .M.S.I. .f.i.n.i.s.h.e.d. 35 00 37 00 5d 00 20 .w.i.t.h. .f.o.l.l.o.w.i.n.g. 00 49 00 6e 00 73 00 .r.e.t.u.r.n. .c.o.d.e.:...... 74 00 61 00 6c 00 6c 00 20 00 4d 00 53 00 49 00 20 00 66 00 69 00 6e 00 69 00 73 00 68 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 66 00 6f 00 6c 00 6c 00 6f 00 77 00 69 00 6e 00 67 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 20 00 63 00 6f 00 64 00 65 00 3a 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.7.]. .0...... success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 35 00 37 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 74 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.7.]. .E.x.t.r. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 a.c.t.i.n.g. .7.z. .p.a.c.k.a. 35 00 37 00 5d 00 20 g.e.:...... 00 45 00 78 00 74 00 72 00 61 00 63 00 74 00 69 00 6e 00 67 00 20 00 37 00 7a 00 20 00 70 00 61 00 63 00 6b 00 61 00 67 00 65 00 3a 00 20 00 20 00 0d 00 0a 00
Copyright Joe Security LLC 2019 Page 34 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\09ede400f8bb800a059f\Silverlight.msp unknown 4194304 d0 cf 11 e0 a1 b1 1a ...... >..... success or wait 13 7FF638A98502 WriteFile e1 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 3e 00 04 00 ...... fe ff 0c 00 06 00 00 ...... 00 00 00 00 00 02 00 ...... 00 00 0d 00 00 00 01 ...... 00 00 00 00 00 00 00 ...... 00 10 00 00 02 00 00 ...... 00 01 00 00 00 fe ff ff ff 00 00 00 00 00 00 00 00 05 00 00 00 06 00 00 00 07 00 00 00 08 00 00 00 09 00 00 00 0a 00 00 00 0b 00 00 00 0c 00 00 00 0d 00 00 00 0e 00 00 00 0f 00 00 00 10 00 00 00 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 102 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.9.]. .S.i.l.v. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 e.r.l.i.g.h.t...7.z. .e.x.t.r. 35 00 39 00 5d 00 20 a.c.t.e.d. .s.u.c.c.e.s.s.f.u. 00 53 00 69 00 6c 00 l.l.y...... 76 00 65 00 72 00 6c 00 69 00 67 00 68 00 74 00 2e 00 37 00 7a 00 20 00 65 00 78 00 74 00 72 00 61 00 63 00 74 00 65 00 64 00 20 00 73 00 75 00 63 00 63 00 65 00 73 00 73 00 66 00 75 00 6c 00 6c 00 79 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 150 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.9.]. .B.e.g.i. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 n.n.i.n.g. .i.n.s.t.a.l.l. .c. 35 00 39 00 5d 00 20 o.r.e. .p.a.t.c.h. .w.i.t.h. . 00 42 00 65 00 67 00 t.h.e. .f.o.l.l.o.w.i.n.g. .c. 69 00 6e 00 6e 00 69 o.m.m.a.n.d. .l.i.n.e.:...... 00 6e 00 67 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 20 00 63 00 6f 00 72 00 65 00 20 00 70 00 61 00 74 00 63 00 68 00 20 00 77 00 69 00 74 00 68 00 20 00 74 00 68 00 65 00 20 00 66 00 6f 00 6c 00 6c 00 6f 00 77 00 69 00 6e 00 67 00 20 00 63 00 6f 00 6d 00 6d 00 61 00 6e 00 64 00 20 00 6c 00 69 00 6e 00 65 00 3a 00 20 00 0d 00 0a 00
Copyright Joe Security LLC 2019 Page 35 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 182 5b 00 31 00 34 00 3a [.1.4.:.4.4.:.5.9.]. .M.S.I.R. success or wait 1 7FF638A96708 WriteFile 00 34 00 34 00 3a 00 M.S.H.U.T.D.O.W.N.=.2. 35 00 39 00 5d 00 20 .R.E.B. 00 4d 00 53 00 49 00 O.O.T.=.R.e.a.l.l.y.S.u.p.p. 52 00 4d 00 53 00 48 r.e.s.s. 00 55 00 54 00 44 00 .A.C.C.E.P.T.E.D.E.U.L. 4f 00 57 00 4e 00 3d A.=.1. 00 32 00 20 00 52 00 .C.O.N.S.E.N.T.M.O.D.E. 45 00 42 00 4f 00 4f =.0. .S.K.I.P.N.G.E.N.=.1. 00 54 00 3d 00 52 00 ..... 65 00 61 00 6c 00 6c 00 79 00 53 00 75 00 70 00 70 00 72 00 65 00 73 00 73 00 20 00 41 00 43 00 43 00 45 00 50 00 54 00 45 00 44 00 45 00 55 00 4c 00 41 00 3d 00 31 00 20 00 43 00 4f 00 4e 00 53 00 45 00 4e 00 54 00 4d 00 4f 00 44 00 45 00 3d 00 30 00 20 00 53 00 4b 00 49 00 50 00 4e 00 47 00 45 00 4e 00 3d 00 31 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 124 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.0.8.]. .I.n.s.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 a.l.l. .M.S.P. .f.i.n.i.s.h.e.d. 30 00 38 00 5d 00 20 .w.i.t.h. .f.o.l.l.o.w.i.n.g. 00 49 00 6e 00 73 00 .r.e.t.u.r.n. .c.o.d.e.:...... 74 00 61 00 6c 00 6c 00 20 00 4d 00 53 00 50 00 20 00 66 00 69 00 6e 00 69 00 73 00 68 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 66 00 6f 00 6c 00 6c 00 6f 00 77 00 69 00 6e 00 67 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 20 00 63 00 6f 00 64 00 65 00 3a 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.0.8.]. .0...... success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 30 00 38 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 70 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.0.9.]. .F.i.n.i. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 s.h.e.d. .M.S.I. .i.n.s.t.a.l. 30 00 39 00 5d 00 20 l...... 00 46 00 69 00 6e 00 69 00 73 00 68 00 65 00 64 00 20 00 4d 00 53 00 49 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 2e 00 20 00 0d 00 0a 00
Copyright Joe Security LLC 2019 Page 36 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 212 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.0.9.]. .R.u.n. . success or wait 3 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 R.e.g.i.s.t.e.r.A.u.t.h.e.n.t. 30 00 39 00 5d 00 20 i.c.o.d.e.S.I.P. .i.n. .C.:.\. 00 52 00 75 00 6e 00 P.r.o.g.r.a.m. .F.i.l.e.s.\.M. 20 00 52 00 65 00 67 i.c.r.o.s.o.f.t. .S.i.l.v.e.r. 00 69 00 73 00 74 00 l.i.g.h.t.\.x.a.p.a.u.t.h.e.n. 65 00 72 00 41 00 75 t.i.c.o.d.e.s.i.p...d.l.l...... 00 74 00 68 00 65 00 6e 00 74 00 69 00 63 00 6f 00 64 00 65 00 53 00 49 00 50 00 20 00 69 00 6e 00 20 00 43 00 3a 00 5c 00 50 00 72 00 6f 00 67 00 72 00 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 53 00 69 00 6c 00 76 00 65 00 72 00 6c 00 69 00 67 00 68 00 74 00 5c 00 78 00 61 00 70 00 61 00 75 00 74 00 68 00 65 00 6e 00 74 00 69 00 63 00 6f 00 64 00 65 00 73 00 69 00 70 00 2e 00 64 00 6c 00 6c 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.0.9.]. .0...... success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 30 00 39 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.0.]. .0...... success or wait 2 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 31 00 30 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 96 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .Q.u.e.r. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 y.S.e.r.v.i.c.e.R.e.g.i.s.t.r. 31 00 31 00 5d 00 20 a.t.i.o.n. .r.e.t.u.r.n.e.d.:. 00 51 00 75 00 65 00 ..... 72 00 79 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 52 00 65 00 67 00 69 00 73 00 74 00 72 00 61 00 74 00 69 00 6f 00 6e 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 3a 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .0...... success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 31 00 31 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 62 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .S.e.r.v. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.c.e. .r.e.t.u.r.n.e.d.:...... 31 00 31 00 5d 00 20 00 53 00 65 00 72 00 76 00 69 00 63 00 65 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 3a 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .0...... success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 31 00 31 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 72 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .N.o.t. . success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 r.e.g.i.s.t.e.r.e.d. .w.i.t.h. 31 00 31 00 5d 00 20 .M.U...... 00 4e 00 6f 00 74 00 20 00 72 00 65 00 67 00 69 00 73 00 74 00 65 00 72 00 65 00 64 00 20 00 77 00 69 00 74 00 68 00 20 00 4d 00 55 00 20 00 0d 00 0a 00
Copyright Joe Security LLC 2019 Page 37 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 74 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .S.h.o.w. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.n.g. .M.U. .o.p.t. .i.n. .p. 31 00 31 00 5d 00 20 a.g.e...... 00 53 00 68 00 6f 00 77 00 69 00 6e 00 67 00 20 00 4d 00 55 00 20 00 6f 00 70 00 74 00 20 00 69 00 6e 00 20 00 70 00 61 00 67 00 65 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 104 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .F.i.n.i. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 s.h.e.d. .t.h.e. .i.n.s.t.a.l.l. 31 00 31 00 5d 00 20 .w.i.t.h. .r.e.t.u.r.n. .c. 00 46 00 69 00 6e 00 o.d.e.:...... 69 00 73 00 68 00 65 00 64 00 20 00 74 00 68 00 65 00 20 00 69 00 6e 00 73 00 74 00 61 00 6c 00 6c 00 20 00 77 00 69 00 74 00 68 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 20 00 63 00 6f 00 64 00 65 00 3a 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.1.]. .0...... success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 31 00 31 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 74 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.4.]. .M.U. .n. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 e.x.t. .b.u.t.t.o.n. .c.l.i.c. 31 00 34 00 5d 00 20 k.e.d...... 00 4d 00 55 00 20 00 6e 00 65 00 78 00 74 00 20 00 62 00 75 00 74 00 74 00 6f 00 6e 00 20 00 63 00 6c 00 69 00 63 00 6b 00 65 00 64 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 218 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.4.]. .C.a.l.l. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.n.g.:. .C.:.\.P.r.o.g.r.a.m. 31 00 34 00 5d 00 20 .F.i.l.e.s. .(.x.8.6.).\.M.i. 00 43 00 61 00 6c 00 c.r.o.s.o.f.t. .S.i.l.v.e.r.l. 6c 00 69 00 6e 00 67 i.g.h.t.\.5...1...5.0.9.1.8... 00 3a 00 20 00 43 00 0.\.s.i.l.v.e.r.l.i.g.h.t...c. 3a 00 5c 00 50 00 72 o.n.f.i.g.u.r.a.t.i.o.n...e.x.e. 00 6f 00 67 00 72 00 ..... 61 00 6d 00 20 00 46 00 69 00 6c 00 65 00 73 00 20 00 28 00 78 00 38 00 36 00 29 00 5c 00 4d 00 69 00 63 00 72 00 6f 00 73 00 6f 00 66 00 74 00 20 00 53 00 69 00 6c 00 76 00 65 00 72 00 6c 00 69 00 67 00 68 00 74 00 5c 00 35 00 2e 00 31 00 2e 00 35 00 30 00 39 00 31 00 38 00 2e 00 30 00 5c 00 73 00 69 00 6c 00 76 00 65 00 72 00 6c 00 69 00 67 00 68 00 74 00 2e 00 63 00 6f 00 6e 00 66 00 69 00 67 00 75 00 72 00 61 00 74 00 69 00 6f 00 6e 00 2e 00 65 00 78 00 65 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 82 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.6.]. .S.i.l.v. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 e.r.l.i.g.h.t.C.o.n.f.i.g. .r. 31 00 36 00 5d 00 20 e.t.u.r.n.e.d.:...... 00 53 00 69 00 6c 00 76 00 65 00 72 00 6c 00 69 00 67 00 68 00 74 00 43 00 6f 00 6e 00 66 00 69 00 67 00 20 00 72 00 65 00 74 00 75 00 72 00 6e 00 65 00 64 00 3a 00 20 00 0d 00 0a 00 Copyright Joe Security LLC 2019 Page 38 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 30 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.6.]. .0...... success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 31 00 36 00 5d 00 20 00 30 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 66 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.6.]. .S.h.o.w. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.n.g. .f.i.n.a.l. .p.a.g.e... 31 00 36 00 5d 00 20 ..... 00 53 00 68 00 6f 00 77 00 69 00 6e 00 67 00 20 00 66 00 69 00 6e 00 61 00 6c 00 20 00 70 00 61 00 67 00 65 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 72 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.9.]. .C.a.n.c. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 e.l. .b.u.t.t.o.n. .c.l.i.c.k. 31 00 39 00 5d 00 20 e.d...... 00 43 00 61 00 6e 00 63 00 65 00 6c 00 20 00 62 00 75 00 74 00 74 00 6f 00 6e 00 20 00 63 00 6c 00 69 00 63 00 6b 00 65 00 64 00 2e 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 88 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.9.]. .E.x.i.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.n.g. .d.u.e. .t.o. .d.e.s.t. 31 00 39 00 5d 00 20 r.o.y. .m.e.s.s.a.g.e...... 00 45 00 78 00 69 00 74 00 69 00 6e 00 67 00 20 00 64 00 75 00 65 00 20 00 74 00 6f 00 20 00 64 00 65 00 73 00 74 00 72 00 6f 00 79 00 20 00 6d 00 65 00 73 00 73 00 61 00 67 00 65 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 88 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.9.]. .E.x.i.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.n.g. .d.u.e. .t.o. .d.e.s.t. 31 00 39 00 5d 00 20 r.o.y. .m.e.s.s.a.g.e...... 00 45 00 78 00 69 00 74 00 69 00 6e 00 67 00 20 00 64 00 75 00 65 00 20 00 74 00 6f 00 20 00 64 00 65 00 73 00 74 00 72 00 6f 00 79 00 20 00 6d 00 65 00 73 00 73 00 61 00 67 00 65 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 88 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.9.]. .E.x.i.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.n.g. .d.u.e. .t.o. .d.e.s.t. 31 00 39 00 5d 00 20 r.o.y. .m.e.s.s.a.g.e...... 00 45 00 78 00 69 00 74 00 69 00 6e 00 67 00 20 00 64 00 75 00 65 00 20 00 74 00 6f 00 20 00 64 00 65 00 73 00 74 00 72 00 6f 00 79 00 20 00 6d 00 65 00 73 00 73 00 61 00 67 00 65 00 20 00 0d 00 0a 00 C:\Users\CRAIGH~1\AppData\Local\Temp\Silverlight0.log unknown 88 5b 00 31 00 34 00 3a [.1.4.:.4.5.:.1.9.]. .E.x.i.t. success or wait 1 7FF638A96708 WriteFile 00 34 00 35 00 3a 00 i.n.g. .d.u.e. .t.o. .d.e.s.t. 31 00 39 00 5d 00 20 r.o.y. .m.e.s.s.a.g.e...... 00 45 00 78 00 69 00 74 00 69 00 6e 00 67 00 20 00 64 00 75 00 65 00 20 00 74 00 6f 00 20 00 64 00 65 00 73 00 74 00 72 00 6f 00 79 00 20 00 6d 00 65 00 73 00 73 00 61 00 67 00 65 00 20 00 0d 00 0a 00
File Read
Source File Path Offset Length Completion Count Address Symbol
Copyright Joe Security LLC 2019 Page 39 of 74 Source File Path Offset Length Completion Count Address Symbol C:\09ede400f8bb800a059f\silverlight.7z unknown 32 success or wait 1 7FF638A98926 ReadFile C:\09ede400f8bb800a059f\silverlight.7z unknown 156 success or wait 1 7FF638A98926 ReadFile C:\09ede400f8bb800a059f\silverlight.7z unknown 16384 success or wait 783 7FF638A98926 ReadFile C:\09ede400f8bb800a059f\silverlight.7z unknown 16384 success or wait 2 7FF638A98926 ReadFile
Registry Activities
Key Created
Source Key Path Completion Count Address Symbol HKEY_CURRENT_USER\SOFTWARE\AppDataLow\Software\Microsoft\Silverlight success or wait 1 7FF638A8C50A RegCreateKeyExW
Source Key Path Name Type Old Data New Data Completion Count Address Symbol
Analysis Process: microsoft_defaults.exe PID: 776 Parent PID: 4188
General
Start time: 14:44:52 Start date: 21/02/2019 Path: C:\09ede400f8bb800a059f\microsoft_defaults.exe Wow64 process (32bit): true Commandline: 'C:\09ede400f8bb800a059f\microsoft_defaults.exe' dhp=true dsp=true Imagebase: 0xca0000 File size: 119968 bytes MD5 hash: 64CADAEF6DCF7B6A6171FC1A2BEE94A1 Has administrator privileges: true Programmed in: C, C++ or other language Antivirus matches: Detection: 0%, virustotal, Browse Detection: 0%, metadefender, Browse Reputation: low
File Activities
File Created
Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Microsoft\Windows\INetCache read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point
Copyright Joe Security LLC 2019 Page 40 of 74 Source File Path Access Attributes Options Completion Count Address Symbol C:\Users\user\AppData\Local read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Microsoft\Windows\INetCookies read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\user\AppData\Local\Microsoft\Windows\History read data or list normal directory file | object name collision 1 CA2AF3 InternetOpenUrlW directory | synchronous io synchronize non alert | open for backup ident | open reparse point C:\Users\CRAIGH~1\AppData\Local\Temp\DefaultPack.EXE read attributes | normal synchronous io success or wait 1 CA2B54 CreateFileW synchronize | non alert | non generic write directory file
File Written
Source File Path Offset Length Value Ascii Completion Count Address Symbol
Copyright Joe Security LLC 2019 Page 41 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Mi unknown 2048 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1 CA2B7B InternetReadFile crosoft\Windows\INetCache\IE\G 00 04 00 00 00 ff ff ...... 7QTC28F\DefaultPack[1].EXE 00 00 b8 00 00 00 00 ...... !..L.!This program 00 00 00 40 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... y...... =o.... 00 00 00 00 00 00 00 ..=o...... =o...... =o...... 00 00 00 00 00 00 00 ....=o}...... =o...... =o 00 00 00 00 f8 00 00 ...... Rich...... 00 0e 1f ba 0e 00 b4 ...... PE..L.. 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 85 79 d3 c4 c1 18 bd 97 c1 18 bd 97 c1 18 bd 97 3d 6f 06 97 c7 18 bd 97 3d 6f 00 97 cf 18 bd 97 3d 6f 01 97 85 18 bd 97 3d 6f 04 97 d0 18 bd 97 c1 18 bc 97 08 18 bd 97 3d 6f 7d 97 c8 18 bd 97 e6 de c3 97 c0 18 bd 97 3d 6f 0a 97 c0 18 bd 97 3d 6f 07 97 c0 18 bd 97 52 69 63 68 c1 18 bd 97 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05 C:\Users\CRAIGH~1\AppData\Local\Temp\DefaultPack.EXE unknown 2048 4d 5a 90 00 03 00 00 MZ...... @..... success or wait 1434 CA2BA8 WriteFile 00 04 00 00 00 ff ff ...... 00 00 b8 00 00 00 00 ...... !..L.!This program 00 00 00 40 00 00 00 cannot be run in DOS 00 00 00 00 00 00 00 mode.... 00 00 00 00 00 00 00 $...... y...... =o.... 00 00 00 00 00 00 00 ..=o...... =o...... =o...... 00 00 00 00 00 00 00 ....=o}...... =o...... =o 00 00 00 00 f8 00 00 ...... Rich...... 00 0e 1f ba 0e 00 b4 ...... PE..L.. 09 cd 21 b8 01 4c cd 21 54 68 69 73 20 70 72 6f 67 72 61 6d 20 63 61 6e 6e 6f 74 20 62 65 20 72 75 6e 20 69 6e 20 44 4f 53 20 6d 6f 64 65 2e 0d 0d 0a 24 00 00 00 00 00 00 00 85 79 d3 c4 c1 18 bd 97 c1 18 bd 97 c1 18 bd 97 3d 6f 06 97 c7 18 bd 97 3d 6f 00 97 cf 18 bd 97 3d 6f 01 97 85 18 bd 97 3d 6f 04 97 d0 18 bd 97 c1 18 bc 97 08 18 bd 97 3d 6f 7d 97 c8 18 bd 97 e6 de c3 97 c0 18 bd 97 3d 6f 0a 97 c0 18 bd 97 3d 6f 07 97 c0 18 bd 97 52 69 63 68 c1 18 bd 97 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 05
Copyright Joe Security LLC 2019 Page 42 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Users\user\AppData\Local\Mi unknown 2048 2e 70 64 62 00 00 00 .pdb...... dl..Zr...... success or wait 1433 CA2BDA InternetReadFile crosoft\Windows\INetCache\IE\G 00 00 00 00 00 00 00 ...... 3...t...... v..W.....x. 7QTC28F\DefaultPack[1].EXE 00 00 64 6c 00 00 5a ...... t...... U..V..3. 72 00 00 00 00 00 00 ....t...... v..W.....x8W...... 00 00 00 00 00 00 00 ..t.8.t.GJu...t...+....W..._.. 00 00 33 c0 85 f6 74 x..U.+...... v...... ^]...... 08 81 fe ff ff ff 7f 76 ...U...E.V3...t.=....v..W..... 05 b8 57 00 07 80 85 x5S.].W.x..E.P.u.3.WS.... c0 78 07 8b c6 e9 da @...... x.;.w.u....z. 00 00 00 85 f6 74 03 c6 01 00 c3 cc cc cc cc cc 8b ff 55 8b ec 56 8b f0 33 c0 8b c8 85 f6 74 08 81 fe ff ff ff 7f 76 05 b9 57 00 07 80 85 c9 78 38 57 8b d6 8b fb 8b c8 85 f6 74 12 38 07 74 04 47 4a 75 f8 85 d2 74 06 8b c6 2b c2 eb 05 b9 57 00 07 80 5f 85 c9 78 11 8b 55 08 2b f0 8d 0c 18 8b c6 e8 76 00 00 00 8b c8 8b c1 5e 5d c2 04 00 cc cc cc cc cc 8b ff 55 8b ec 8b 45 0c 56 33 f6 85 c0 74 07 3d ff ff ff 7f 76 05 be 57 00 07 80 85 f6 78 35 53 8b 5d 08 57 8d 78 ff 8d 45 14 50 ff 75 10 33 f6 57 53 ff 15 d8 a5 40 00 83 c4 10 85 c0 78 08 3b c7 77 04 75 0b eb 05 be 7a 00
Source File Path Offset Length Completion Count Address Symbol
Analysis Process: MSI12C0.tmp PID: 2680 Parent PID: 4960
General
Start time: 14:45:02 Start date: 21/02/2019 Path: C:\Windows\Installer\MSI12C0.tmp Wow64 process (32bit): true Commandline: 'C:\Windows\Installer\MSI12C0.tmp' flat Imagebase: 0xd20000 File size: 68744 bytes MD5 hash: 015F2D65BE1227973565EB9E3E9C631A Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low
Analysis Process: MSI13CA.tmp PID: 2216 Parent PID: 4960
General
Start time: 14:45:02 Start date: 21/02/2019 Path: C:\Windows\Installer\MSI13CA.tmp Wow64 process (32bit): false Commandline: 'C:\Windows\Installer\MSI13CA.tmp' flat Imagebase: 0x7ff7dae30000 File size: 83592 bytes MD5 hash: 83A225172AB7A2C7B2EE85304B325F14 Has administrator privileges: true
Copyright Joe Security LLC 2019 Page 43 of 74 Programmed in: C, C++ or other language Reputation: low
Analysis Process: msiexec.exe PID: 4732 Parent PID: 4960
General
Start time: 14:45:07 Start date: 21/02/2019 Path: C:\Windows\SysWOW64\msiexec.exe Wow64 process (32bit): true Commandline: c:\Windows\syswow64\MsiExec.exe -Embedding 44EF0F538450CA53E70E028FDCED11E2 Imagebase: 0xf20000 File size: 59904 bytes MD5 hash: 12C17B5A5C2A7B97342C362CA467E9A2 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate
Registry Activities
Source Key Path Completion Count Address Symbol
Source Key Path Name Type Data Completion Count Address Symbol
Analysis Process: msiexec.exe PID: 4676 Parent PID: 4960
General
Start time: 14:45:08 Start date: 21/02/2019 Path: C:\Windows\System32\msiexec.exe Wow64 process (32bit): false Commandline: c:\Windows\System32\MsiExec.exe -Embedding 6F57004EB12112F1439D8D2BA0D6DD78 Imagebase: 0x7ff697c70000 File size: 66048 bytes MD5 hash: 4767B71A318E201188A0D0A420C8B608 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate
File Activities
Source File Path Access Attributes Options Completion Count Address Symbol
Registry Activities
Source Key Path Completion Count Address Symbol
Source Key Path Name Type Data Completion Count Address Symbol
Analysis Process: rundll32.exe PID: 1920 Parent PID: 4188
General
Copyright Joe Security LLC 2019 Page 44 of 74 Start time: 14:45:09 Start date: 21/02/2019 Path: C:\Windows\System32\rundll32.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\xapauthen ticodesip.dll',DllRegisterServer Imagebase: 0x7ff6e0db0000 File size: 69632 bytes MD5 hash: 73C519F050C20580F8A62C849D49215A Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate
File Activities
File Read
Source File Path Offset Length Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll unknown 64 success or wait 1 7FF6E0DB2FA7 ReadFile C:\Program Files (x86)\Microsoft Silverlight\xapauthenticodesip.dll unknown 264 success or wait 1 7FF6E0DB2FEA ReadFile
Analysis Process: rundll32.exe PID: 1488 Parent PID: 1920
General
Start time: 14:45:09 Start date: 21/02/2019 Path: C:\Windows\SysWOW64\rundll32.exe Wow64 process (32bit): true Commandline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\xapauthen ticodesip.dll',DllRegisterServer Imagebase: 0x260000 File size: 61952 bytes MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate
Registry Activities
Source Key Path Name Type Old Data New Data Completion Count Address Symbol
Analysis Process: rundll32.exe PID: 2244 Parent PID: 4188
General
Start time: 14:45:10 Start date: 21/02/2019 Path: C:\Windows\System32\rundll32.exe Wow64 process (32bit): false Commandline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918 .0\SLMSPRBootstrap.dll',SetupPlayReadyData Imagebase: 0x7ff6e0db0000 File size: 69632 bytes MD5 hash: 73C519F050C20580F8A62C849D49215A Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate
Copyright Joe Security LLC 2019 Page 45 of 74 File Activities
File Read
Source File Path Offset Length Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\SLMSPRBootstrap.dll unknown 64 success or wait 1 7FF6E0DB2FA7 ReadFile C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\SLMSPRBootstrap.dll unknown 264 success or wait 1 7FF6E0DB2FEA ReadFile
Analysis Process: rundll32.exe PID: 5108 Parent PID: 2244
General
Start time: 14:45:11 Start date: 21/02/2019 Path: C:\Windows\SysWOW64\rundll32.exe Wow64 process (32bit): true Commandline: 'C:\Windows\System32\rundll32.exe' 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918 .0\SLMSPRBootstrap.dll',SetupPlayReadyData Imagebase: 0x260000 File size: 61952 bytes MD5 hash: D7CA562B0DB4F4DD0F03A89A1FDAD63D Has administrator privileges: true Programmed in: C, C++ or other language Reputation: moderate
Analysis Process: coregen.exe PID: 3896 Parent PID: 4188
General
Start time: 14:45:11 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' mscorlib.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low
File Activities
File Created
Source File Path Access Attributes Options Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\mscorlib.ni.dll read attributes | normal sequential only | success or wait 1 6D429B0C CreateFileW synchronize | synchronous io generic write non alert | non directory file
File Written
Source File Path Offset Length Value Ascii Completion Count Address Symbol
Copyright Joe Security LLC 2019 Page 46 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol \Device\ConDrv unknown 68 4d 69 63 72 6f 73 6f Microsoft (R) CoreCLR success or wait 1 FCA331 WriteFile 66 74 20 28 52 29 20 Native Image Generator - 43 6f 72 65 43 4c 52 Version 5.1.50918.0.. 20 4e 61 74 69 76 65 20 49 6d 61 67 65 20 47 65 6e 65 72 61 74 6f 72 20 2d 20 56 65 72 73 69 6f 6e 20 35 2e 31 2e 35 30 39 31 38 2e 30 0d 0a \Device\ConDrv unknown 60 43 6f 70 79 72 69 67 Copyright (c) Microsoft success or wait 1 FCA331 WriteFile 68 74 20 28 63 29 20 Corporation. All rights 4d 69 63 72 6f 73 6f reserved... 66 74 20 43 6f 72 70 6f 72 61 74 69 6f 6e 2e 20 20 41 6c 6c 20 72 69 67 68 74 73 20 72 65 73 65 72 76 65 64 2e 0d 0a \Device\ConDrv unknown 2 0d 0a .. success or wait 1 FCA331 WriteFile C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 00 00 00 00 00 00 00 ...... success or wait 300 6D429903 WriteFile orlib.ni.dll 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Copyright Joe Security LLC 2019 Page 47 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 8192 c7 da 05 68 e0 46 72 ...h.Fry...h.Gry...h.Gry...h success or wait 5 6D429903 WriteFile orlib.ni.dll 79 c7 da 05 68 e8 47 @M 72 79 c7 da 05 68 10 ry...hHNry...h.Lry...h.Mry... 47 72 79 c7 da 05 68 h 40 4d 72 79 c7 da 05 RFry...h.*ry]q.h..ry.T.}.Try. 68 48 4e 72 79 c7 da @.h 05 68 b0 4c 72 79 c7 fry.E.h.*ry^q.h@[email protected] da 05 68 88 4d 72 79 y c7 da 05 68 52 46 72 .E.h.Wry.B.h`[email protected]. 79 c8 da 05 68 8c 2a B.h.? 72 79 5d 71 15 68 d0 ryU..h..ry...h.+rybq.h..ry...h 99 72 79 d7 54 c6 7d Copyright Joe Security LLC 2019 Page 48 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 58 20 7a 79 58 20 7a X zyX zyX zyX zyX zyX success or wait 1 6D429903 WriteFile orlib.ni.dll 79 58 20 7a 79 58 20 zyX zyX zyX zyX zyX zyX 7a 79 58 20 7a 79 58 zyX zyX zyX zyX zyX zyX 20 7a 79 58 20 7a 79 zyX zyX zyX zyX zyX zyX 58 20 7a 79 58 20 7a zyX zyX zyX zyX zyX zyX 79 58 20 7a 79 58 20 zyX zyX zyX zyX zyX zyX 7a 79 58 20 7a 79 58 zyX zyX zyX zyX zyX zyX 20 7a 79 58 20 7a 79 zyX zyX zyX zyX zyX zyX 58 20 7a 79 58 20 7a zyX zyX zyX zyX zyX zyX 79 58 20 7a 79 58 20 zyX zyX zyX zyX zyX zyX 7a 79 58 20 7a 79 58 zyX zyX zyX zyX z 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a 79 58 20 7a C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 00 08 00 00 00 00 00 ...... 8.oy...... y...... success or wait 2 6D429903 WriteFile orlib.ni.dll 00 00 00 00 00 38 07 ...... $..8...... 6f 79 00 00 00 00 e0 ....,...... y8.B.4...... e6 b4 79 00 00 00 00 ....$.#...... @A...... b0 e1 f9 ff 00 00 00 00 ...... 0..y$.B...... a1 00 00 00 04 01 00 ...... $.Aa...... 00 12 01 24 00 80 38 ...... y..B...... 00 00 00 00 00 00 00 $.#...... @A.. .oy...... y.... 00 00 00 00 00 00 00 (...... 2c 00 00 00 e0 e8 b4 79 38 ec 42 00 34 e2 f9 ff 00 00 00 00 01 00 14 00 04 09 04 00 12 01 24 08 23 8b 1f 0e 03 00 00 00 40 41 01 00 00 00 00 00 00 00 00 00 ff ff ff ff 13 00 00 00 90 08 80 00 00 00 00 00 00 00 00 00 30 e9 b4 79 24 ec 42 00 dc e3 f9 ff 00 00 00 00 05 01 10 00 84 09 04 00 12 01 24 08 41 61 00 00 00 00 00 00 10 00 00 00 00 00 00 00 bc 00 00 00 b4 f0 b4 79 0c ec 42 00 88 e7 f9 ff 00 00 00 00 01 00 14 00 04 09 04 00 12 01 24 08 23 8b 1f 0e 03 00 00 00 40 41 01 00 20 09 6f 79 00 00 00 00 a0 ea b4 79 00 00 00 00 28 e4 f9 ff 00 00 00 00 a1 00 00 00 04 01 00 Copyright Joe Security LLC 2019 Page 49 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 ec 52 00 00 28 0d 3b .R..(.;..S..H.;.lS....;.|S..(. success or wait 329 6D429903 WriteFile orlib.ni.dll 00 14 53 00 00 48 0e ;..S..@.;.,T....;.lT..D.;.|T.. 3b 00 6c 53 00 00 e0 ..;..T....;..T....;.TU..H.;.dU 0e 3b 00 7c 53 00 00 ..@.;..U....;..U..D.;..U..X.;. 28 10 3b 00 d4 53 00 .U....;..U...!;. Copyright Joe Security LLC 2019 Page 50 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 3c 4e ff ff b8 30 9a 73 Copyright Joe Security LLC 2019 Page 51 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 e8 4b 7e fe ff 5e 06 01 .K~..^...C~..^...5wy.....3~..^ success or wait 455 6D429903 WriteFile orlib.ni.dll e8 43 7e fe ff 5e 12 00 ...+~..^...#~..^....~..^....~. a4 35 77 79 00 00 00 .^...6wy...... ~..^....}..^.... 00 e8 33 7e fe ff 5e 0a }..^....}..^....}..^..l6wy.... 04 e8 2b 7e fe ff 5e 02 ..}..^....}..^....}..^....}..^ 03 e8 23 7e fe ff 5e 0e ....}..^...7wy...... }..^....}. 02 e8 1b 7e fe ff 5e 06 .^....}..^....}..^....}..^...{ 01 e8 13 7e fe ff 5e 12 }..^...s}..^...k}..^...7wy..... 00 08 36 77 79 00 00 [}..^...S}..^. 00 00 e8 03 7e fe ff 5e 0a 04 e8 fb 7d fe ff 5e 02 03 e8 f3 7d fe ff 5e 0e 02 e8 eb 7d fe ff 5e 06 01 e8 e3 7d fe ff 5e 12 00 6c 36 77 79 00 00 00 00 e8 d3 7d fe ff 5e 0a 04 e8 cb 7d fe ff 5e 02 03 e8 c3 7d fe ff 5e 0e 02 e8 bb 7d fe ff 5e 06 01 e8 b3 7d fe ff 5e 12 00 0c 37 77 79 00 00 00 00 e8 a3 7d fe ff 5e 0e 07 e8 9b 7d fe ff 5e 12 06 e8 93 7d fe ff 5e 06 05 e8 8b 7d fe ff 5e 16 04 e8 83 7d fe ff 5e 02 03 e8 7b 7d fe ff 5e 1a 02 e8 73 7d fe ff 5e 0a 01 e8 6b 7d fe ff 5e 1e 00 f8 37 77 79 00 00 00 00 e8 5b 7d fe ff 5e 0a 04 e8 53 7d fe ff 5e 02 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 19 98 97 79 d6 98 97 ...y...y9..y...... success or wait 3 6D429903 WriteFile orlib.ni.dll 79 39 98 97 79 00 00 ...... ?...... ?...y...y...y 80 bf 00 00 80 bf 00 ...y...y...y...yA..y[..y...y.. 00 80 bf 00 00 80 bf .y...y...y...y...y...... 00 00 80 bf 9a 99 99 ...... _..y+. 99 99 99 b9 3f 9a 99 .y...y...y+..y...y-..y+..y"..y 99 99 99 99 b9 3f 95 D..y+..y...y#..y...y{..y/..y.. a4 97 79 95 a4 97 79 .y...y...... [email protected]<..y...y...y 9b af 97 79 9b af 97 ...y...y...y... 79 ef ac 97 79 92 af 97 79 af ac 97 79 41 af 97 79 5b ae 97 79 9c b0 97 79 d5 af 97 79 b6 aa 97 79 95 ae 97 79 eb ae 97 79 9c b0 97 79 00 00 80 bf 00 00 80 7f 00 00 00 00 00 00 80 ff 00 00 00 00 00 00 00 00 00 00 f8 ff 00 00 80 7f 00 00 80 ff 5f 02 98 79 2b 03 98 79 c0 01 98 79 c9 f9 97 79 2b 03 98 79 df f8 97 79 2d 01 98 79 2b 03 98 79 22 fe 97 79 44 fd 97 79 2b 03 98 79 c9 f9 97 79 23 f8 97 79 8b f8 97 79 7b f9 97 79 2f fc 97 79 9b ff 97 79 e7 00 98 79 00 00 00 00 00 00 24 40 59 06 98 79 3c 06 98 79 09 08 98 79 f8 b6 bd 79 ae 08 98 79 ca 08 98 79 d8 08 98 79 f8 b6 bd Copyright Joe Security LLC 2019 Page 52 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 1f 13 1b 17 17 20 ff 00 ...... s.-...... r...p...... success or wait 2 6D429903 WriteFile orlib.ni.dll 00 00 1b 1b 16 17 73 ...... s.-...... r...p...... 1c 2d 00 06 80 1a 16 ...... s.-...... r...p...... 00 04 72 c8 f9 00 70 ...... s.-...... r...p...... 16 1f 13 1b 17 17 20 ff ...... s.-...... r...p...... 00 00 00 1c 1b 16 17 ...... s.-...... r...p...... 73 1c 2d 00 06 80 1b ...... s.-...... r(..p...... 16 00 04 72 d8 f9 00 ...... s.-...!...r8..p...... 70 16 1f 13 1b 17 17 20 ff 00 00 00 1d 1b 16 17 73 1c 2d 00 06 80 1c 16 00 04 72 e8 f9 00 70 16 1f 13 1b 17 17 20 ff 00 00 00 1e 1b 16 17 73 1c 2d 00 06 80 1d 16 00 04 72 f8 f9 00 70 16 1f 13 1b 17 17 20 ff 00 00 00 1f 09 1b 16 17 73 1c 2d 00 06 80 1e 16 00 04 72 08 fa 00 70 17 1f 12 1b 17 17 20 ff 00 00 00 1f 0a 1b 16 15 73 1c 2d 00 06 80 1f 16 00 04 72 18 fa 00 70 17 1f 12 1b 17 17 20 ff 00 00 00 1f 0b 1b 16 15 73 1c 2d 00 06 80 20 16 00 04 72 28 fa 00 70 17 1f 12 1b 17 17 20 ff 00 00 00 1f 0c 1b 16 15 73 1c 2d 00 06 80 21 16 00 04 72 38 fa 00 70 17 1f 12 1b 17 17 20 ff 00 00 00 1f C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 72 6f 75 03 00 06 26 rou...&...oi...&.._,&...ou...& success or wait 1 6D429903 WriteFile orlib.ni.dll 09 11 05 6f 69 03 00 .r...poi...&.(....o....ow...&. 06 26 08 17 5f 2c 26 .._,....ou...&..o....oi...&.._ 09 11 04 6f 75 03 00 ,....ou...&..oI...oK...oi...&. 06 26 09 72 9e 1c 01 o....*...0...... (q0.....(3... 70 6f 69 03 00 06 26 (....*..0..K...Y...... _.. 09 28 d6 04 00 06 6f .YE...... S...^...... +\..._. 08 05 00 06 6f 77 03 ..YE....h...... +...`. 00 06 26 08 1f 10 5f +`..`.+Zr...p.. 2c 16 09 11 04 6f 75 03 00 06 26 09 05 6f b9 0a 00 06 6f 69 03 00 06 26 08 1e 5f 2c 1b 09 11 04 6f 75 03 00 06 26 09 05 6f 49 0b 00 06 6f 4b 17 00 06 6f 69 03 00 06 26 09 6f 02 00 00 06 2a 00 00 13 30 02 00 13 00 00 00 2e 00 00 11 28 71 30 00 06 0a 12 00 28 33 1c 00 06 28 85 09 00 06 2a 00 13 30 04 00 4b 01 00 00 59 06 00 11 16 0a 03 1f 0f 5f 0b 07 17 59 45 04 00 00 00 02 00 00 00 53 00 00 00 5e 00 00 00 87 00 00 00 2b 5c 02 1f 0f 5f 0c 08 17 59 45 04 00 00 00 68 00 00 00 02 00 00 00 0e 00 00 00 08 00 00 00 2b 0c 06 18 60 0a 2b 60 06 1d 60 0a 2b 5a 72 a4 1c 01 70 17 8d Copyright Joe Security LLC 2019 Page 53 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 62 61 63 6b 41 72 72 backArray>5__3.Ldloc_3.S success or wait 1 6D429903 WriteFile orlib.ni.dll 61 79 3e 35 5f 5f 33 tloc_3 00 4c 64 6c 6f 63 5f 33 .Ldarg_3.Func`3.Tuple`3.A 00 53 74 6c 6f 63 5f 33 ction 00 4c 64 61 72 67 5f `3.wReserved3.TraceLevel 33 00 46 75 6e 63 60 3.Stat 33 00 54 75 70 6c 65 usLevel3.get_Item3.Prefix 60 33 00 41 63 74 69 3.IA6 6f 6e 60 33 00 77 52 4.AMD64.Amd64.Size64.R 65 73 65 72 76 65 64 eadUInt6 33 00 54 72 61 63 65 4.HexNumberToUInt64.For 4c 65 76 65 6c 33 00 matUInt 53 74 61 74 75 73 4c 64.ReadInt64.WriteInt64.H 65 76 65 6c 33 00 67 exNum 65 74 5f 49 74 65 6d berToInt64.FormatInt64.Re 33 00 50 72 65 66 69 gistry64.VT_UI4.VT_I 78 33 00 49 41 36 34 00 41 4d 44 36 34 00 41 6d 64 36 34 00 53 69 7a 65 36 34 00 52 65 61 64 55 49 6e 74 36 34 00 48 65 78 4e 75 6d 62 65 72 54 6f 55 49 6e 74 36 34 00 46 6f 72 6d 61 74 55 49 6e 74 36 34 00 52 65 61 64 49 6e 74 36 34 00 57 72 69 74 65 49 6e 74 36 34 00 48 65 78 4e 75 6d 62 65 72 54 6f 49 6e 74 36 34 00 46 6f 72 6d 61 74 49 6e 74 36 34 00 52 65 67 69 73 74 72 79 36 34 00 56 54 5f 55 49 34 00 56 54 5f 49 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 176128 72 6f 70 53 65 72 76 ropServices._MethodBase. success or wait 1 6D429903 WriteFile orlib.ni.dll 69 63 65 73 2e 5f 4d get_Is 65 74 68 6f 64 42 61 Public.get_IsNotPublic.get 73 65 2e 67 65 74 5f _IsD 49 73 50 75 62 6c 69 ynamic.Panic.System.Coll 63 00 67 65 74 5f 49 ection 73 4e 6f 74 50 75 62 s.Generic.ThrowIfGeneric. 6c 69 63 00 67 65 74 get_I 5f 49 73 44 79 6e 61 sMetric.FormatBasic.MyM 6d 69 63 00 50 61 6e usic.Sy 69 63 00 53 79 73 74 stem.Runtime.InteropServi 65 6d 2e 43 6f 6c 6c ces._ 65 63 74 69 6f 6e 73 MethodBase.get_IsStatic.i 2e 47 65 6e 65 72 69 sStat 63 00 54 68 72 6f 77 ic.HasSemantic.FromAsyn 49 66 47 65 6e 65 72 c.Ldloc.CoTaskMemAlloc 69 63 00 67 65 74 5f 49 73 4d 65 74 72 69 63 00 46 6f 72 6d 61 74 42 61 73 69 63 00 4d 79 4d 75 73 69 63 00 53 79 73 74 65 6d 2e 52 75 6e 74 69 6d 65 2e 49 6e 74 65 72 6f 70 53 65 72 76 69 63 65 73 2e 5f 4d 65 74 68 6f 64 42 61 73 65 2e 67 65 74 5f 49 73 53 74 61 74 69 63 00 69 73 53 74 61 74 69 63 00 48 61 73 53 65 6d 61 6e 74 69 63 00 46 72 6f 6d 41 73 79 6e 63 00 4c 64 6c 6f 63 00 43 6f 54 61 73 6b 4d 65 6d 41 6c 6c 6f 63 Copyright Joe Security LLC 2019 Page 54 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 72 69 63 2e 49 43 6f ric.ICollection Copyright Joe Security LLC 2019 Page 55 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 16384 00 00 b5 62 00 00 42 ...b..BY..H...... &..BY.... success or wait 9 6D429903 WriteFile orlib.ni.dll 59 00 00 48 00 83 05 ...... "?..BY...... %.. c2 10 80 01 10 00 e1 BY...... &..BY...... 26 02 00 42 59 00 00 ...b..BY..H...... No..BY.... 08 00 83 05 c6 10 a0 ...... ]...BY..H...... yA.. 00 00 00 22 3f 02 00 BY..$...... BY..T...... 42 59 00 00 00 00 83 ...C...r...... BY..T. 05 c7 10 00 01 00 00 ...... BY...... b.. 9f 25 02 00 42 59 00 BY..H...... 00 08 00 83 05 c9 10 00 00 00 00 a3 26 02 00 42 59 00 00 08 00 87 05 cf 10 01 01 00 00 99 62 00 00 42 59 00 00 48 00 8c 05 d5 10 81 01 14 00 4e 6f 00 00 42 59 00 00 08 00 8c 05 d9 10 01 01 00 00 5d ca 00 00 42 59 00 00 48 00 8c 05 01 11 01 01 00 00 79 41 00 00 42 59 00 00 24 00 8c 05 05 11 01 00 10 00 96 86 00 00 42 59 00 00 54 01 97 05 05 11 01 00 10 00 de 43 00 00 01 72 00 00 e0 01 97 05 08 11 01 01 10 00 de 8a 00 00 42 59 00 00 54 01 97 05 09 11 81 01 10 00 f1 cc 00 00 42 59 00 00 08 00 97 05 0b 11 01 01 00 00 d0 62 00 00 42 59 00 00 48 00 9a 05 0c 11 00 00 10 00 f0 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 2a 00 d6 dc 00 00 01 *...... *...... ,...... success or wait 1 6D429903 WriteFile orlib.ni.dll 00 02 00 2a 00 1d de ,...... ,.:...... 00 00 00 00 02 00 2c ...... :...... g...... 00 d6 dc 00 00 01 00 0..]...... 2...... 2..]...... 02 00 2c 00 1d de 00 4...... 4...... 4..]...... 00 02 00 02 00 2c 00 6...... 6...... 6.:...... 3a df 00 00 00 00 02 6..]...... 8...... 8...... 00 2e 00 d6 dc 00 00 8.:...... 8.g...... 8..]...... 01 00 02 00 2e 00 1d :...... :.... de 00 00 02 00 02 00 2e 00 3a df 00 00 03 00 02 00 2e 00 67 df 00 00 00 00 01 00 30 00 15 5d 01 00 00 00 02 00 32 00 03 e4 00 00 01 00 01 00 32 00 15 5d 01 00 00 00 02 00 34 00 d6 dc 00 00 01 00 02 00 34 00 1d de 00 00 02 00 01 00 34 00 15 5d 01 00 00 00 02 00 36 00 d6 dc 00 00 01 00 02 00 36 00 1d de 00 00 02 00 02 00 36 00 3a df 00 00 03 00 01 00 36 00 15 5d 01 00 00 00 02 00 38 00 d6 dc 00 00 01 00 02 00 38 00 1d de 00 00 02 00 02 00 38 00 3a df 00 00 03 00 02 00 38 00 67 df 00 00 04 00 01 00 38 00 15 5d 01 00 00 00 02 00 3a 00 d6 dc 00 00 01 00 02 00 3a 00 1d de 00 Copyright Joe Security LLC 2019 Page 56 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 02 00 00 00 b3 26 3d .....&=...... &.]...... &.... success or wait 1 6D429903 WriteFile orlib.ni.dll df 00 00 03 00 00 00 .....&\]...... &\]...... &\].. b3 26 15 5d 01 00 00 .....&\]...... &.]...... &.].. 00 00 00 b9 26 03 e4 .....&.]...... &.]...... &\].. 00 00 00 00 00 00 c3 .....&.]...... &\]...... &.].. 26 5c 5d 01 00 00 00 .....&\]...... &.]...... &\].. 00 00 c5 26 5c 5d 01 .....&.]...... &.]...... &.].. 00 00 00 00 00 c7 26 .....&.]...... &.]...... &\].. 5c 5d 01 00 00 00 00 .....&.]...... 00 c9 26 5c 5d 01 00 00 00 00 00 cb 26 15 5d 01 00 00 00 00 00 cd 26 15 5d 01 00 00 00 00 00 cf 26 15 5d 01 00 00 00 00 00 d1 26 15 5d 01 00 00 00 00 00 d3 26 5c 5d 01 00 01 00 00 00 d3 26 15 5d 01 00 00 00 00 00 d5 26 5c 5d 01 00 01 00 00 00 d5 26 15 5d 01 00 00 00 00 00 d7 26 5c 5d 01 00 01 00 00 00 d7 26 15 5d 01 00 00 00 00 00 d9 26 5c 5d 01 00 01 00 00 00 d9 26 15 5d 01 00 00 00 00 00 e5 26 15 5d 01 00 00 00 00 00 e7 26 15 5d 01 00 00 00 00 00 e9 26 15 5d 01 00 00 00 00 00 eb 26 15 5d 01 00 00 00 00 00 ed 26 5c 5d 01 00 01 00 00 00 ed 26 15 5d 01 00 00 00 00 00 ef C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 69632 67 00 75 00 6d 00 65 g.u.m.e.n.t.O.u.t.O.f.R.a.n. success or wait 1 6D429903 WriteFile orlib.ni.dll 00 6e 00 74 00 4f 00 g. 75 00 74 00 4f 00 66 e._.C.o.u.n.t...e.n.d.I.n.d.e. 00 52 00 61 00 6e 00 x..KA.r.g.u.m.e.n.t.O.u.t.O. 67 00 65 00 5f 00 43 f. 00 6f 00 75 00 6e 00 R.a.n.g.e._.E.n.d.I.n.d.e.x. 74 00 00 11 65 00 6e S.t.a.r.t.I.n.d.e.x...k.e.y.s..1 00 64 00 49 00 6e 00 A.r.g._.L.o.w.e.r.B.o.u.n.d. 64 00 65 00 78 00 00 s. 4b 41 00 72 00 67 00 M.u.s.t.M.a.t.c.h...c.o.m.p. 75 00 6d 00 65 00 6e a. 00 74 00 4f 00 75 00 r.i.s.o.n..%A.r.g._.B.o.g.u.s 74 00 4f 00 66 00 52 .I.C.o.m.p.a.r.e 00 61 00 6e 00 67 00 65 00 5f 00 45 00 6e 00 64 00 49 00 6e 00 64 00 65 00 78 00 53 00 74 00 61 00 72 00 74 00 49 00 6e 00 64 00 65 00 78 00 00 09 6b 00 65 00 79 00 73 00 00 31 41 00 72 00 67 00 5f 00 4c 00 6f 00 77 00 65 00 72 00 42 00 6f 00 75 00 6e 00 64 00 73 00 4d 00 75 00 73 00 74 00 4d 00 61 00 74 00 63 00 68 00 00 15 63 00 6f 00 6d 00 70 00 61 00 72 00 69 00 73 00 6f 00 6e 00 00 25 41 00 72 00 67 00 5f 00 42 00 6f 00 67 00 75 00 73 00 49 00 43 00 6f 00 6d 00 70 00 61 00 72 00 65 Copyright Joe Security LLC 2019 Page 57 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 29 41 00 72 00 67 00 )A.r.g._.E.m.p.t.y.O.r.N.u.l.l success or wait 1 6D429903 WriteFile orlib.ni.dll 5f 00 45 00 6d 00 70 .A.r.r.a.y...r.a.w.D.a.t.a.... 00 74 00 79 00 4f 00 .N.E.T.F.r.a.m.e.w.o.r.k..... 72 00 4e 00 75 00 6c N 00 6c 00 41 00 72 00 .E.T.P.o.r.t.a.b.l.e.....N.E.T 72 00 61 00 79 00 00 .C.o.r.e...S.i.l.v.e.r.l.i.g.h 0f 72 00 61 00 77 00 .t...W.i.n.d.o.w.s.P.h.o.n.e.. 44 00 61 00 74 00 61 .W.i.n.d.o.w.s.P.h.o.n.e.7.1 00 00 1b 2e 00 4e 00 .. 45 00 54 00 46 00 72 .W.i.n.d.o.w.s.P.h.o.n.e.8... 00 61 00 6d 00 65 00 f.r.a.m.e.w.o.r. 77 00 6f 00 72 00 6b 00 00 19 2e 00 4e 00 45 00 54 00 50 00 6f 00 72 00 74 00 61 00 62 00 6c 00 65 00 00 11 2e 00 4e 00 45 00 54 00 43 00 6f 00 72 00 65 00 00 17 53 00 69 00 6c 00 76 00 65 00 72 00 6c 00 69 00 67 00 68 00 74 00 00 19 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 50 00 68 00 6f 00 6e 00 65 00 00 1d 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 50 00 68 00 6f 00 6e 00 65 00 37 00 31 00 00 1b 57 00 69 00 6e 00 64 00 6f 00 77 00 73 00 50 00 68 00 6f 00 6e 00 65 00 38 00 00 1b 66 00 72 00 61 00 6d 00 65 00 77 00 6f 00 72 00 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 12 8a 68 21 20 05 01 ..h! ...... |...... h...... h$ success or wait 1 6D429903 WriteFile orlib.ni.dll 11 83 fc 12 83 e8 15 ...... |...... h...... h. 12 87 7c 02 0e 15 12 ...... 87 d0 01 12 8a 68 1d ...... 02 15 12 87 d0 01 12 ...... |...... 8a 68 24 20 07 01 11 ...... l. 83 fc 12 83 e8 0f 08 ...... l.... 08 15 12 87 7c 02 0e ...... `...... L...... P...H. 15 12 87 d0 01 12 8a ....T...... 68 1d 02 15 12 87 d0 01 12 8a 68 10 20 03 15 12 84 18 01 13 00 0e 11 83 ec 11 83 f8 09 15 12 84 1c 02 13 00 13 01 04 06 1d 13 01 0f 00 05 01 1d 13 00 1d 13 01 10 08 13 00 13 01 08 15 12 87 d0 01 12 84 94 09 15 12 87 7c 02 0e 12 84 b4 04 1d 12 84 c0 08 15 12 87 d0 01 12 84 c0 07 15 12 85 0c 01 13 00 06 20 02 01 13 00 02 02 06 18 08 15 12 87 fc 01 12 85 6c 06 20 01 02 10 13 00 08 15 12 85 a4 01 12 85 a8 07 15 12 85 a4 01 13 00 07 06 1f 8f 6c 1d 13 00 05 20 01 08 13 00 06 15 12 60 01 1e 00 05 15 12 4c 01 1c 08 15 11 86 50 01 12 86 48 09 20 00 15 12 86 54 01 13 00 08 15 12 Copyright Joe Security LLC 2019 Page 58 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 90112 02 13 00 13 01 09 15 ...... success or wait 1 6D429903 WriteFile orlib.ni.dll 11 87 94 02 0e 12 83 ...... e4 08 15 12 87 d0 01 ...... \..d..X 12 92 c0 08 15 11 87 ..4..8..x...... d4 01 12 92 c0 04 1d X...... 0...... 12 93 14 08 07 02 12 ...... 89 a8 12 83 e4 05 07 ....L...... ,... 01 12 89 a8 08 07 02 ..,...... 12 83 e4 12 89 a8 04 ...... 07 01 1d 1c 06 07 02 12 10 12 10 03 07 01 0e 14 07 06 12 88 5c 12 88 64 12 89 58 12 8a 34 12 8a 38 12 92 78 07 07 04 0e 0e 0e 1d 0e 07 07 05 02 1c 1c 02 1c 06 07 02 12 90 58 02 10 07 07 12 83 e8 12 83 e8 1c 1c 1c 1d 12 89 a8 08 04 07 01 12 30 04 0a 01 1d 0b 04 0a 01 1d 0e 12 07 0c 11 84 cc 05 05 05 07 07 07 09 09 0b 0b 11 84 cc 0d 07 07 0b 1d 0e 1d 0b 08 12 81 4c 02 0b 09 07 03 11 84 cc 0b 11 84 cc 04 0a 01 1e 00 05 07 02 11 2c 02 04 07 01 11 2c 19 07 0e 12 83 e8 0b 12 83 e4 1c 12 10 1d 0e 1d 0e 1d 0b 08 02 08 0b 12 10 02 06 07 02 1d 0b 1d 0e 08 07 02 11 84 cc 11 84 cc C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 40 14 8b 38 52 51 c7 @..8RQ.E...... e..E..~.y.F.... success or wait 42 6D429903 WriteFile orlib.ni.dll 45 e0 08 00 00 00 89 .F...... my.9.t.P.....X.E...... 65 e4 c7 45 e8 1d 7e ...... }..~.%.....e.[^_].....D 95 79 c6 46 08 00 ff #.L7..U..WVS..(.E.3..]..]..}.. d7 c6 46 08 01 8b 0d .....E..E.....t.....E..E..E..@ a4 13 6d 79 83 39 00 ..8.u..u.SRQ.E...... e..E..~.y 74 07 50 e8 e6 a1 e4 .F.....F...... my.9.t.P.J...X.E. ff 58 c7 45 e8 00 00 ...... }..~.%.....e. 00 00 85 c0 0f 95 c0 0f [^_]...... C# b6 c0 8b 7d dc 89 7e 0c 25 ff 00 00 00 8d 65 f4 5b 5e 5f 5d c3 cc cc cc 88 44 23 00 4c 37 df ff 55 8b ec 57 56 53 83 ec 28 89 45 e8 33 db 89 5d f0 89 5d ec 8d 7d d0 e8 94 a1 e4 ff 8b 45 10 89 45 f0 8b d8 85 c0 74 03 83 c3 04 8b 45 08 89 45 ec 8b 45 e8 8b 40 14 8b 38 ff 75 08 ff 75 0c 53 52 51 c7 45 d8 14 00 00 00 89 65 dc c7 45 e0 b9 7e 95 79 c6 46 08 00 ff d7 c6 46 08 01 8b 0d a4 13 6d 79 83 39 00 74 07 50 e8 4a a1 e4 ff 58 c7 45 e0 00 00 00 00 8b f8 e8 e3 f6 e5 ff 85 ff 0f 95 c0 0f b6 c0 8b 7d d4 89 7e 0c 25 ff 00 00 00 8d 65 f4 5b 5e 5f 5d c2 0c 00 cc cc f1 43 23 Copyright Joe Security LLC 2019 Page 59 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 12288 ab 6a 03 b9 81 07 00 .j...... P...... success or wait 2 6D429903 WriteFile orlib.ni.dll 00 8d 50 09 e8 fc 00 ...... |...... p...3..... f0 ff 89 85 b0 f7 ff ff 89 {....S0...... l... 95 b4 f7 ff ff 8d bd 84 ..p...... 3...j...... P. fe ff ff 8d b5 b0 f7 ff ff ...... t...... a5 a5 8b bd 7c fe ff ff ...l.....p...... `...3.....{...../.... 8d b5 80 fe ff ff a5 a5 (.....\.....`...... a5 8d bd 70 fe ff ff 33 .....3...j...... P.."...... c0 ab ab ab 83 7b 04 ...... d...... 17 0f 86 53 30 00 00 8d 83 1c 01 00 00 89 85 6c fe ff ff c7 85 70 fe ff ff d5 06 00 00 8d bd a8 f7 ff ff 33 c0 ab ab 6a 17 b9 82 07 00 00 8d 50 08 e8 8f 00 f0 ff 89 85 a8 f7 ff ff 89 95 ac f7 ff ff 8d bd 74 fe ff ff 8d b5 a8 f7 ff ff a5 a5 8b bd 6c fe ff ff 8d b5 70 fe ff ff a5 a5 a5 8d bd 60 fe ff ff 33 c0 ab ab ab 83 7b 04 18 0f 86 e6 2f 00 00 8d 83 28 01 00 00 89 85 5c fe ff ff c7 85 60 fe ff ff aa 06 00 00 8d bd a0 f7 ff ff 33 c0 ab ab 6a 0d b9 83 07 00 00 8d 50 08 e8 22 00 f0 ff 89 85 a0 f7 ff ff 89 95 a4 f7 ff ff 8d bd 64 fe ff ff 8d b5 a0 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 46 08 8b 16 3b 42 24 F...;B$t...... 3..V.8..... success or wait 9 6D429903 WriteFile orlib.ni.dll 74 0a b9 20 00 00 00 .^...... U..V...~..t..F....R e8 99 e6 e6 ff 33 d2 B;.u...... ]...... y...... 89 56 04 38 06 83 c6 ..F..B...^]...y/..P....A...... 0c 89 16 5e c3 cc cc ...... t...... U..V.. cc fb a0 08 00 a4 9a .F...;B$tV...... F...;B sL c4 ff 55 8b ec 56 8b f1 [email protected].;P.sV....D...x..|%... 83 7e 04 00 74 0d 8b @ 46 04 8b 16 8b 52 20 ..V.;P.s<[email protected]...... 42 3b c2 75 0a b9 1f ^]..F..F...;B r 00 00 00 e8 5d e6 e6 ff b9 d4 7f b5 79 e8 f7 81 c7 ff 8b d0 8b 46 0c 89 42 04 8b c2 5e 5d c3 cc cc 79 2f 06 00 50 9a c4 ff 8b 41 0c c3 cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc cc 74 cc 08 00 20 9a c4 ff 55 8b ec 56 8b f1 8b 46 08 8b 16 3b 42 24 74 56 b9 20 00 00 00 e8 02 e6 e6 ff 8b 46 04 8b 16 3b 42 20 73 4c 8b 06 8b 40 08 8b 56 04 3b 50 04 73 56 c1 e2 04 8d 44 10 08 83 78 04 00 7c 25 8b 06 8b 40 08 8b 56 04 3b 50 04 73 3c c1 e2 04 8d 44 10 08 8b 40 0c 89 46 0c ff 46 04 b8 01 00 00 00 5e 5d c3 ff 46 04 8b 46 04 8b 16 3b 42 20 72 Copyright Joe Security LLC 2019 Page 60 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 01 00 4a b9 58 00 4a ..J.X.J.h...... success or wait 1 6D429903 WriteFile orlib.ni.dll b9 68 11 11 11 11 11 ...... 11 11 11 11 11 11 11 ...... 11 11 11 11 11 11 11 ...... 11 11 11 11 11 11 11 ...J...J)...J...J.-.J.=.J.M.J. 11 11 11 11 11 11 11 ].J..z.....J.N....J.?..J._.J.. 11 11 11 11 11 11 11 ..J...... e...... P.. 11 11 11 11 11 11 11 ...... 9...... \...... 11 11 11 11 11 11 11 ...... W...... 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 11 01 00 4a e9 0d 00 4a 29 a9 1e 00 4a e9 1d 00 4a e9 2d 00 4a e9 3d 00 4a e9 4d 00 4a e9 5d 00 4a e9 f6 7a cd 11 11 11 00 4a e9 4e 11 11 11 00 4a e9 3f 01 00 4a e9 5f 00 4a 1d 89 04 00 4a 11 d9 03 00 02 00 12 86 14 06 12 86 14 91 65 01 13 00 02 01 00 15 11 86 50 01 13 00 00 02 00 12 8f c0 06 12 8f c0 a7 39 01 13 00 01 01 01 15 11 87 5c 01 13 00 01 02 00 12 86 14 06 12 86 14 91 57 01 13 00 02 02 12 8f C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 11 07 de 08 00 00 00 ...... 3...... 2...... success or wait 4 6D429903 WriteFile orlib.ni.dll 90 04 33 fb ff 12 07 de [email protected]...... @.2...... @.3.. 08 00 00 00 90 f8 32 ...... 3...... 3...... fb ff 13 07 da 08 04 00 [email protected]...... @.3....J....@ 4.. 00 40 ec 32 fb ff 14 07 ..V...... 4....V...... 4..E..... 16 08 08 00 00 40 e0 ...4..F...... @[email protected].. 32 fb ff 15 07 1e 08 0c ...... 5...... @.5..!..... 00 00 40 1c 33 fb ff 0c [email protected].."...... 5..#...... 6.. 07 de 08 00 00 00 90 (...... `7..4.r e4 33 fb ff 0d 07 de 08 00 00 00 90 d8 33 fb ff 0e 07 da 08 04 00 00 40 cc 33 fb ff 0f 07 16 08 08 00 00 40 c0 33 fb ff 10 07 4a 08 0c 00 00 40 20 34 fb ff 16 07 56 09 00 00 00 90 9c 34 fb ff f1 06 56 09 00 00 00 90 e4 34 fb ff 45 00 92 08 00 00 00 90 d8 34 fb ff 46 00 10 08 04 00 00 40 cc 34 fb ff 47 00 66 08 08 00 00 40 ec 35 fb ff 1f 07 02 08 00 00 00 90 e0 35 fb ff 20 07 1a 08 08 00 00 40 d4 35 fb ff 21 07 b8 08 0c 00 00 40 c8 35 fb ff 22 07 ca 08 04 00 00 90 bc 35 fb ff 23 07 b6 09 00 00 00 90 e8 36 fb ff 28 07 a8 09 00 00 00 90 60 37 fb ff 34 00 72 Copyright Joe Security LLC 2019 Page 61 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 60 70 00 03 60 60 60 `p..````@PPP ..8...... success or wait 2 6D429903 WriteFile orlib.ni.dll 60 40 50 50 50 20 00 .`...... P...p0....P..p...... 05 38 05 05 17 10 00 ....0...... [email protected].... 02 00 05 00 00 80 00 .0...... [email protected].`@...... 00 06 02 60 00 05 01 ..`...... P...... 00 00 00 50 10 00 03 .`...0..@.....`...0...... 70 30 00 00 01 00 50 ...... p0...... P.0...p... 00 00 70 00 00 05 01 ...... B...... 01 00 00 03 00 17 00 .p..@...... 05 30 00 10 00 05 05 06 20 70 80 00 04 07 30 00 70 40 00 00 06 00 70 00 00 01 00 07 30 00 00 00 00 00 00 00 70 00 00 00 40 01 00 00 70 03 70 02 60 40 00 08 00 00 05 00 80 01 02 60 10 04 03 04 80 05 10 00 04 01 50 10 00 00 10 00 05 00 00 00 04 00 00 00 01 00 00 02 60 00 04 00 30 00 80 40 00 01 00 00 08 60 00 00 00 30 00 00 00 00 08 00 00 00 05 00 00 00 02 00 00 00 01 00 70 30 00 06 00 00 00 05 80 10 00 00 07 50 00 30 00 01 00 70 00 05 00 03 00 00 00 07 00 11 11 42 00 05 06 07 18 00 00 03 04 00 00 00 08 07 07 07 00 00 00 00 07 05 70 00 03 40 00 00 00 00 00 04 80 00 05 00 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 8192 ca 19 10 89 e4 43 ce .....C..L,%..d2.H,%..d2.L&.. success or wait 1 6D429903 WriteFile orlib.ni.dll 80 4c 2c 25 93 c9 64 d2.L&..d2.L.- 32 99 48 2c 25 12 c9 =...d2.L&..d2.L&..d 64 32 99 4c 26 12 c9 2.L&..d2.L&..d2.L&..d2.L$.. 64 32 99 4c 26 93 c9 ... 64 32 99 4c 2e 2d 3d Q<..L&.....R.p{PZXJ&...... 09 01 c8 64 32 99 4c Brq!y..*,, 26 93 c9 64 32 99 4c <...d2.L&...... L&..d2.L.--- 26 93 c9 64 32 99 4c -----%..d2.<.z...... 26 93 c9 64 32 99 4c ...... \XH.$. 26 93 c9 64 32 99 4c ..d2y.S(---%..d2.L.%...... 26 93 c9 64 32 99 4c ...... ).... 24 92 89 a5 85 e4 51 3c a4 90 4c 26 93 8f 14 85 c2 52 f2 70 7b 50 5a 58 4a 26 93 0f ad 8f c2 d2 d2 e2 42 72 71 21 79 98 ff 2a 2c 2c 3c e0 bf c8 64 32 99 4c 26 97 16 92 c9 c4 d2 c2 b1 b8 81 4c 26 93 c9 64 32 99 4c 2e 2d 2d 2d 2d 2d 2d 2d 2d 25 93 c9 64 32 99 3c a4 7a 94 96 97 97 96 96 92 c9 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 a5 e4 f3 89 a1 b0 90 5c 58 48 2e 24 17 92 c9 64 32 79 88 53 28 2d 2d 2d 25 93 c9 64 32 99 4c 2e 25 97 96 96 96 96 96 96 96 96 96 96 96 96 96 96 96 96 96 1e da 29 85 e4 f1 0c Copyright Joe Security LLC 2019 Page 62 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 32 f9 48 c5 20 92 c9 2.H. ..d2.H&..d2.L&..d2.L..- success or wait 1 6D429903 WriteFile orlib.ni.dll 64 32 99 48 26 93 c9 ...B2...kQH&.....P.. 64 32 99 4c 26 12 c9 <.....B2.|.. 64 32 99 4c 1e 96 2d ..D...A$..d2.\J&.K.D".XJ$.. 0a 89 e4 42 32 d9 ec D". e9 6b 51 48 26 93 89 L&..d".H&..D".H$..g|..L....D a5 85 a3 50 08 91 3c ". be 0c 10 c9 e4 42 32 H$...D".H$..D".XJ$..]db).X 99 7c a0 91 10 89 44 J,,%....d2..... e2 d0 a2 41 24 93 c9 ..d2.L$..D2.H&..D" 64 32 99 5c 4a 26 93 .H,%..D".8.\...d2.L&.K.d2.L 4b 89 44 22 91 58 4a &.. 24 12 89 44 22 99 4c .R2...L&..K...2.L&..d2.L$..*. 26 13 89 64 22 99 48 B...B$...D".H&.. 26 13 c9 44 22 91 48 24 92 c9 67 7c 06 99 4c 1e ef bb 88 44 22 91 48 24 12 89 a5 44 22 91 48 24 12 89 44 22 91 58 4a 24 1e e3 5d 64 62 29 91 58 4a 2c 2c 25 16 0e ae 18 64 32 b9 b8 f4 a0 1c 20 92 c9 64 32 99 4c 24 12 c9 44 32 91 48 26 93 c9 44 22 91 48 2c 25 12 89 44 22 91 38 e2 5c 94 92 c9 64 32 99 4c 26 93 4b c9 64 32 99 4c 26 93 c9 e4 52 32 b9 b4 94 4c 26 97 92 4b 0f c2 03 32 99 4c 26 93 c9 64 32 99 4c 24 93 0f 2a 92 42 f2 a0 9b 42 24 97 12 89 44 22 91 48 26 12 c9 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 00 60 a0 c3 b7 73 00 .`...s..I....`..m..@v.<...K;4. success or wait 19 6D429903 WriteFile orlib.ni.dll b0 49 87 91 e7 00 60 ..Jw...... @...<...7...C o.`... a5 0e 6d db 01 40 76 ...N...... =.....|....R.. 1d 3c ae 03 00 4b 3b ...... X9...C.p...... (...- 34 d4 06 00 4a 77 f0 .7...@pp.....^....q.....b;6.. d6 0d 00 ec ef 40 b3 D.l..K....@...... !.....C...... 1b 00 3c e2 a1 84 37 ...... !.0$..C..N.?...... 00 d0 c9 43 20 6f 00 a.R...."H...+F.u...... B...!. 60 9d 87 a9 0d 01 c0 .8..,.Xw.s..... 4e 0f 0b de 01 c0 cc 1e 90 db 03 00 e9 3d a0 dd 07 00 9a 7c 10 bd 0f 00 52 fa 80 84 1d 00 0c f8 81 58 39 00 00 f6 43 06 70 00 b0 f6 87 ca 0d 01 a0 02 10 28 cd 01 c0 2d 20 b2 37 04 80 bb 40 70 70 08 00 08 82 e8 5e 0e 00 b0 05 71 19 1b 00 14 0e 62 3b 36 00 d0 20 44 8b 6c 00 00 4b 08 e5 fb 00 40 af 10 a0 f0 01 c0 89 21 aa e1 03 00 83 43 fc 8a 07 00 c2 87 20 18 0f 00 a2 10 b1 c8 21 00 30 24 e2 9e 43 00 18 4e 04 3f 87 00 00 a8 08 9f 0e 01 e0 61 11 52 f1 01 c0 ea 22 48 f4 03 00 2b 46 e0 75 08 00 06 8d d8 ef 10 00 42 1b 11 e4 21 00 c8 38 e2 b0 2c 00 58 77 84 73 87 00 80 f8 08 Copyright Joe Security LLC 2019 Page 63 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 30 5a 2e 04 a6 58 2a 0Z...X*..X...Mz...5..!).'i,... success or wait 17 6D429903 WriteFile orlib.ni.dll 04 a6 58 7f 01 03 4d .8..I.!.yR ..!.{..^.....J. .". 7a 1a 10 a2 35 92 b6 Z..Z...9...:...... K...j.!.#.# 21 29 ba 27 69 2c b2 Y...']..y .....1$.A...1E.}.... 96 08 92 38 f9 04 49 ..;j9..5b9.. )|b...Z....;..n.. 8a 21 a3 79 52 20 09 ..Z..Z....0Z....*.....0u.!.... aa 21 a3 7b 92 a6 5e ....D0Yi.!Y#.#Y...'| .Y..Y.... 92 b1 09 92 b3 4a 02 pY~..Yi.!Y#.#Y...'. .Y..Y....p 20 09 22 06 5a 01 02 Y|...j.!:#.#Y.. 5a 04 a1 95 39 01 a6 a5 3a 04 a3 0f 1a 01 a6 0f 4b 04 03 0a 6a 07 21 1a 23 96 23 59 0c 92 c2 27 5d 99 04 79 20 06 1a 02 02 1a 31 24 a0 41 10 1a 0c 31 45 1a 7d 04 a6 91 1a 02 07 3b 6a 39 10 a2 35 62 39 92 c5 20 29 7c 62 0e d2 94 5a b0 04 92 90 3b e2 94 6e d0 07 02 06 5a 01 02 5a 04 a1 c5 13 30 5a 2e 04 a6 09 2a 04 a6 09 89 10 30 75 02 21 89 05 02 02 1a 04 a1 e1 44 30 59 69 06 21 59 23 96 23 59 0c 92 c2 27 7c 20 04 59 01 02 59 04 91 b5 15 70 59 7e 04 06 59 69 06 21 59 23 96 23 59 0c 92 c2 27 0e 20 04 59 01 02 59 04 91 b5 15 70 59 7c 04 06 0a 6a 07 21 3a 23 96 23 59 0c 92 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 4096 78 08 2e 00 04 a5 57 x.....W...... W...... W...... success or wait 1 6D429903 WriteFile orlib.ni.dll 80 a0 08 2e 00 f9 a4 W...... [email protected]..... 57 80 c8 08 2e 00 f9 F.W...:...V.0.:...X..{/...V.0{ a4 57 80 f0 08 2e 00 /...V.h#0.0hX.0&0...W.`.0... 04 a5 57 80 18 09 2e V.p.0...W.0.:..1V.P.:.O. 00 04 a5 57 80 40 09 [...:...V...:...W.../..VX...:.4. 2e 00 04 a5 57 00 d0 [..w/. 03 2e 00 41 db 55 80 ..U..w/...V.$...#.W...... W.p. c0 06 2e 00 46 a5 57 0.O.V...0.O.V...... V.`.....W. 00 10 ba 3a 00 08 17 ...... W.....D.W 56 80 30 ba 3a 00 b6 f3 58 00 10 7b 2f 00 08 17 56 80 30 7b 2f 00 cc 87 56 00 68 23 30 00 30 68 58 80 30 26 30 00 0c ed 57 00 60 e2 30 00 a3 08 56 80 70 e2 30 00 c6 0f 57 00 30 c5 3a 00 e2 31 56 80 50 c5 3a 00 4f 87 5b 00 10 c7 3a 00 e1 14 56 80 90 c9 3a 00 05 2e 57 00 90 ee 2f 00 13 56 58 80 f0 ca 3a 00 34 87 5b 00 c0 77 2f 00 04 c3 55 80 d0 77 2f 00 ac b0 56 00 24 e9 2e 00 23 ee 57 80 d4 ea 2e 00 ca ee 57 00 70 cb 30 00 4f 1a 56 80 90 cb 30 00 4f 1a 56 00 d0 cf 2e 00 f6 f5 56 80 60 d0 2e 00 fc e2 57 00 e8 ca 2e 00 0f e1 57 80 e8 cb 2e 00 44 e1 57 Copyright Joe Security LLC 2019 Page 64 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 229376 24 30 2c 30 34 30 3c $0,040<0D0L0T0\0d0l0t0|0 success or wait 1 6D429903 WriteFile orlib.ni.dll 30 44 30 4c 30 54 30 .0.0.0 5c 30 64 30 6c 30 74 .0.0.0.0.0.0.0.0.0.0.0.0.0.1. 30 7c 30 84 30 8c 30 1 94 30 9c 30 a4 30 ac .1.1$1,141<1D1L1T1\1d1l1 30 b4 30 bc 30 c4 30 t1|1.1 cc 30 d4 30 dc 30 e4 .1.1.1.1.1.1.1.1.1.1.1.1.1.1. 30 ec 30 f4 30 fc 30 1 04 31 0c 31 14 31 1c .2.2.2.2$2,242<2D2L2T2\2 31 24 31 2c 31 34 31 d2l2t2 3c 31 44 31 4c 31 54 |2.2.2.2.2.2.2.2.2.2.2.2.2.2. 31 5c 31 64 31 6c 31 2 74 31 7c 31 84 31 8c .2.2.3.3.3.3$3,343<3D3L3 31 94 31 9c 31 a4 31 T3\3d3 ac 31 b4 31 bc 31 c4 l3t3|3.3.3.3.3.3.3.3.3.3.3.3. 31 cc 31 d4 31 dc 31 3.3.3.3.3.4.4.4. e4 31 ec 31 f4 31 fc 31 04 32 0c 32 14 32 1c 32 24 32 2c 32 34 32 3c 32 44 32 4c 32 54 32 5c 32 64 32 6c 32 74 32 7c 32 84 32 8c 32 94 32 9c 32 a4 32 ac 32 b4 32 bc 32 c4 32 cc 32 d4 32 dc 32 e4 32 ec 32 f4 32 fc 32 04 33 0c 33 14 33 1c 33 24 33 2c 33 34 33 3c 33 44 33 4c 33 54 33 5c 33 64 33 6c 33 74 33 7c 33 84 33 8c 33 94 33 9c 33 a4 33 ac 33 b4 33 bc 33 c4 33 cc 33 d4 33 dc 33 e4 33 ec 33 f4 33 fc 33 04 34 0c 34 14 34 1c C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 2048 33 38 61 38 73 38 a1 38a8s8.8.8.8.8.8.9(9@9[9l success or wait 1 6D429903 WriteFile orlib.ni.dll 38 b2 38 d3 38 e4 38 9.9.9 fc 38 17 39 28 39 40 .9.9.9.:.:0:H:c:t:.:.:.:.:.:.; 39 5b 39 6c 39 84 39 5;G;u;.;.;.;.;.;.<. Copyright Joe Security LLC 2019 Page 65 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 536 4d 5a 00 00 00 00 00 MZ...... @..... success or wait 1 6D429903 WriteFile orlib.ni.dll 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 40 00 00 00 ...... 00 00 00 00 00 00 00 ...... PE..L...... [...... 00 00 00 00 00 00 00 .!...... 00 00 00 00 00 00 00 ..my...... 00 00 00 00 00 00 00 b...... @...... 00 00 00 00 80 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 50 45 00 00 4c 01 04 00 94 d6 cf 5b 00 00 00 00 00 00 00 00 e0 00 02 21 0b 01 0b 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6d 79 00 10 00 00 00 02 00 00 05 00 00 00 00 00 00 00 05 00 00 00 00 00 00 00 00 10 62 00 00 04 00 00 00 00 00 00 03 00 40 85 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 00 00 00 00 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 164 a0 13 00 00 24 00 00 ....$...... X...@...... X..... success or wait 1 6D429903 WriteFile orlib.ni.dll 00 00 20 0d 00 58 02 ..p...... \...... T. 00 00 40 b8 0e 00 18 \"...... `...D...... 01 00 00 58 b9 0e 00 ...... U...... *..p...x...(&.. 14 00 00 00 70 b9 0e ...... my.. 00 ac 00 00 00 5c b5 ...... L..! 0e 00 04 01 00 00 00 00 00 00 00 00 00 00 84 9d 54 00 5c 22 01 00 00 10 00 00 94 03 00 00 60 b6 0e 00 44 00 00 00 00 00 00 00 00 00 00 00 b0 b6 0e 00 90 01 00 00 e0 bf 55 00 04 02 00 00 c0 2a 01 00 70 19 00 00 78 cd 0e 00 28 26 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 6d 79 01 00 00 00 03 00 00 00 0b 00 00 00 4c 01 02 21 Copyright Joe Security LLC 2019 Page 66 of 74 Source File Path Offset Length Value Ascii Completion Count Address Symbol C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 284 52 53 44 53 8d 42 2b RSDS.B+.T9...'...... msco success or wait 1 6D429903 WriteFile orlib.ni.dll ca 54 39 05 8e ab 27 rlib.ni.pdb...... e7 c6 fd 87 a4 04 01 ...... 00 00 00 6d 73 63 6f ...... 72 6c 69 62 2e 6e 69 ...... 2e 70 64 62 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 ...... 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\msc unknown 16 ca 2b 42 8d 39 54 8e .+B.9T...'...... success or wait 1 6D429903 WriteFile orlib.ni.dll 05 ab 27 e7 c6 fd 87 a4 04 \Device\ConDrv unknown 111 4e 61 74 69 76 65 20 Native image C:\Program success or wait 1 6D4B7382 WriteFile 69 6d 61 67 65 20 43 Files (x86)\Microsoft 3a 5c 50 72 6f 67 72 Silverlight\5. 61 6d 20 46 69 6c 65 1.50918.0\mscorlib.ni.dll 73 20 28 78 38 36 29 generated successfully... 5c 4d 69 63 72 6f 73 6f 66 74 20 53 69 6c 76 65 72 6c 69 67 68 74 5c 35 2e 31 2e 35 30 39 31 38 2e 30 5c 6d 73 63 6f 72 6c 69 62 2e 6e 69 2e 64 6c 6c 20 67 65 6e 65 72 61 74 65 64 20 73 75 63 63 65 73 73 66 75 6c 6c 79 2e 0d 0a Analysis Process: conhost.exe PID: 2728 Parent PID: 3896 General Start time: 14:45:12 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Copyright Joe Security LLC 2019 Page 67 of 74 Analysis Process: Silverlight.Configuration.exe PID: 3492 Parent PID: 4188 General Start time: 14:45:14 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\Silverlight.Configuration.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\silverlight.configuration.exe' - enableMU Imagebase: 0x13b0000 File size: 237192 bytes MD5 hash: 17E40315660830AA625483BBF608730C Has administrator privileges: true Programmed in: C, C++ or other language Reputation: low Analysis Process: coregen.exe PID: 5020 Parent PID: 4188 General Start time: 14:45:27 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 3508 Parent PID: 5020 General Start time: 14:45:27 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 4176 Parent PID: 4188 General Start time: 14:45:32 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Core.dll Copyright Joe Security LLC 2019 Page 68 of 74 Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 4412 Parent PID: 4176 General Start time: 14:45:32 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 4316 Parent PID: 4188 General Start time: 14:45:41 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Net.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 4736 Parent PID: 4316 General Start time: 14:45:41 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 3984 Parent PID: 4188 Copyright Joe Security LLC 2019 Page 69 of 74 General Start time: 14:45:45 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Xml.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 5048 Parent PID: 3984 General Start time: 14:45:46 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 1688 Parent PID: 4188 General Start time: 14:45:51 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Runtime.Seri alization.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 1504 Parent PID: 1688 General Start time: 14:45:51 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 Copyright Joe Security LLC 2019 Page 70 of 74 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 2536 Parent PID: 4188 General Start time: 14:45:57 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.ServiceModel .Web.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 4676 Parent PID: 2536 General Start time: 14:45:57 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 4996 Parent PID: 4188 General Start time: 14:46:01 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' Microsoft.Xna.Frame work.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Copyright Joe Security LLC 2019 Page 71 of 74 Analysis Process: conhost.exe PID: 4512 Parent PID: 4996 General Start time: 14:46:01 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 5112 Parent PID: 4188 General Start time: 14:46:04 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' Microsoft.Xna.Frame work.Graphics.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 4644 Parent PID: 5112 General Start time: 14:46:04 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 2252 Parent PID: 4188 General Start time: 14:46:08 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Copyright Joe Security LLC 2019 Page 72 of 74 Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' Microsoft.Xna.Frame work.Graphics.Shaders.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Reputation: low Analysis Process: conhost.exe PID: 1924 Parent PID: 2252 General Start time: 14:46:08 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Reputation: high Analysis Process: coregen.exe PID: 4696 Parent PID: 4188 General Start time: 14:46:11 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Windows.dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Analysis Process: conhost.exe PID: 4804 Parent PID: 4696 General Start time: 14:46:11 Start date: 21/02/2019 Path: C:\Windows\System32\conhost.exe Wow64 process (32bit): false Commandline: C:\Windows\system32\conhost.exe 0x4 Imagebase: 0x7ff7898f0000 File size: 625664 bytes MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496 Has administrator privileges: true Programmed in: C, C++ or other language Analysis Process: coregen.exe PID: 4916 Parent PID: 4188 Copyright Joe Security LLC 2019 Page 73 of 74 General Start time: 14:46:29 Start date: 21/02/2019 Path: C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe Wow64 process (32bit): true Commandline: 'C:\Program Files (x86)\Microsoft Silverlight\5.1.50918.0\coregen.exe' System.Windows.Xna. dll Imagebase: 0xfc0000 File size: 68744 bytes MD5 hash: 3BF709AEDF5042C39515756FB72E9EC0 Has administrator privileges: true Programmed in: .Net C# or VB.NET Disassembly Code Analysis Copyright Joe Security LLC 2019 Page 74 of 74