revengerat | 7ac7096ac0d29805f2fa29fa229384a68b2e338e9d74968dd7e1a00adaa904a3

Resubmissions

25-06-2024 09:30

240625-lgn8kavcnr 10

25-06-2024 09:25

240625-ldw41a1emf 10

25-06-2024 09:19

240625-laeesa1cqa 10

Analysis

max time kernel
88s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
25-06-2024 09:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YAPM-v2.4.1-Setup.exe
Size

1.3MB
MD5

90f828cd8df173636ae4a2233e70f774
SHA1

66924c162a8a4e17b8f8fe19c246f6586e359d98
SHA256

7ac7096ac0d29805f2fa29fa229384a68b2e338e9d74968dd7e1a00adaa904a3
SHA512

424b90603387cbfcd7aba6b1b4d3dce0af3f680b5944ce01541bcf73140e2583b524933972825473872c400e5e06fff02f45d9282d88997004777a09cb410c06
SSDEEP

24576:H+qqcWrftGXFOD6LRhKPVjcHx59UEugS+jcz1pxSo6WP58wrzWlXMMiM1K2xvj3Q:JIGXN1hqVcDKEHS+ohSoVP58EWlF1zBE

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
RevengeRat Executable 1 IoCs
stealer

Processes:

resource yara_rule

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe revengerat
Executes dropped EXE 10 IoCs

Processes:

YAPM-v2.4.1-Setup.tmpYAPM.exeYAPM.exeYAPM.exeYAPM.exeYAPM.exeYAPM.exeYAPM.exeYAPM.exeYAPM.exe

pid process

3564 YAPM-v2.4.1-Setup.tmp
1940 YAPM.exe
1816 YAPM.exe
1020 YAPM.exe
3128 YAPM.exe
4804 YAPM.exe
2948 YAPM.exe
5056 YAPM.exe
4036 YAPM.exe
4628 YAPM.exe

resource	yara_rule
C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe	revengerat

pid	process
3564	YAPM-v2.4.1-Setup.tmp
1940	YAPM.exe
1816	YAPM.exe
1020	YAPM.exe
3128	YAPM.exe
4804	YAPM.exe
2948	YAPM.exe
5056	YAPM.exe
4036	YAPM.exe
4628	YAPM.exe

Loads dropped DLL 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
1952	mscorsvw.exe
1952	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
2668	mscorsvw.exe
3712	mscorsvw.exe
3712	mscorsvw.exe
3712	mscorsvw.exe
3712	mscorsvw.exe
3712	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
2008	mscorsvw.exe
904	mscorsvw.exe
904	mscorsvw.exe
904	mscorsvw.exe
904	mscorsvw.exe
904	mscorsvw.exe
3876	mscorsvw.exe
3876	mscorsvw.exe
3876	mscorsvw.exe
3876	mscorsvw.exe
3876	mscorsvw.exe
3876	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
2828	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
1216	mscorsvw.exe
3416	mscorsvw.exe
3416	mscorsvw.exe
3416	mscorsvw.exe
3416	mscorsvw.exe
3416	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
3824	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe
2660	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

Processes:

YAPM-v2.4.1-Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\unins000.dat	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-E1V71.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-K2FGC.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-N8TC0.tmp	YAPM-v2.4.1-Setup.tmp
File opened for modification	C:\Program Files (x86)\Yet Another (remote) Process Monitor\unins000.dat	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-PT82C.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-3QGGB.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-HOQJO.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-BSAKT.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-48FLK.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-O7QL1.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-E36UB.tmp	YAPM-v2.4.1-Setup.tmp

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexd.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1f.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index24.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index10.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index20.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index27.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index27.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index25.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE947.tmp\System.Xml.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1c.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1b.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP3F65.tmp\Microsoft.Vsa.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE222.tmp\System.Configuration.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF11.tmp\System.Windows.Forms.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1d.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngenrootstorelock.dat	ngen.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP2BED.tmp\System.Design.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1e.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index22.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD34E.tmp\YAPM.exe	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1a.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP395B.tmp\System.ServiceProcess.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index25.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.lock	ngen.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEFFD.tmp\System.Data.SqlXml.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index19.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1f.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1e.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexd.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexe.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index12.dat	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

MiniSearchHost.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache MiniSearchHost.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

YAPM.exe

pid process

1940 YAPM.exe
1940 YAPM.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

YAPM.exe

description pid process

Token: SeDebugPrivilege 1940 YAPM.exe
Token: SeShutdownPrivilege 1940 YAPM.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

YAPM-v2.4.1-Setup.tmp

pid process

3564 YAPM-v2.4.1-Setup.tmp
Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

YAPM.exeMiniSearchHost.exe

pid process

1940 YAPM.exe
1940 YAPM.exe
1940 YAPM.exe
1940 YAPM.exe
1428 MiniSearchHost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe

pid	process
1940	YAPM.exe
1940	YAPM.exe

description	pid	process
Token: SeDebugPrivilege	1940	YAPM.exe
Token: SeShutdownPrivilege	1940	YAPM.exe

pid	process
3564	YAPM-v2.4.1-Setup.tmp

pid	process
1940	YAPM.exe
1940	YAPM.exe
1940	YAPM.exe
1940	YAPM.exe
1428	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

YAPM-v2.4.1-Setup.exeYAPM-v2.4.1-Setup.tmpngen.exe

description	pid	process	target process
PID 3900 wrote to memory of 3564	3900	YAPM-v2.4.1-Setup.exe	YAPM-v2.4.1-Setup.tmp
PID 3900 wrote to memory of 3564	3900	YAPM-v2.4.1-Setup.exe	YAPM-v2.4.1-Setup.tmp
PID 3900 wrote to memory of 3564	3900	YAPM-v2.4.1-Setup.exe	YAPM-v2.4.1-Setup.tmp
PID 3564 wrote to memory of 4788	3564	YAPM-v2.4.1-Setup.tmp	ngen.exe
PID 3564 wrote to memory of 4788	3564	YAPM-v2.4.1-Setup.tmp	ngen.exe
PID 3564 wrote to memory of 4788	3564	YAPM-v2.4.1-Setup.tmp	ngen.exe
PID 4788 wrote to memory of 1952	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1952	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1952	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2668	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2668	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2668	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3712	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3712	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3712	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2008	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2008	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2008	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 904	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 904	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 904	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3876	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3876	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3876	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2828	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2828	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2828	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1216	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1216	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1216	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3416	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3416	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3416	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3824	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3824	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3824	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2660	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2660	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2660	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1124	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1124	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1124	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1544	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1544	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1544	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 4968	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 4968	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 4968	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1672	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1672	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 1672	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2220	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2220	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2220	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3060	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3060	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3060	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2352	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2352	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 2352	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 4796	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 4796	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 4796	4788	ngen.exe	mscorsvw.exe
PID 4788 wrote to memory of 3048	4788	ngen.exe	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Users\Admin\AppData\Local\Temp\is-PKKDQ.tmp\YAPM-v2.4.1-Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-PKKDQ.tmp\YAPM-v2.4.1-Setup.tmp" /SL5="$40214,873450,187904,C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3564

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4788

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 0 -NGENProcess 22c -Pipe 228 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
PID:1952

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2668

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 22c -Pipe 234 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 238 -Pipe 2c4 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2008

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2f4 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:904

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2f0 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 22c -Pipe 300 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2828

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:1216

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 308 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3416

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 244 -Pipe 238 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3824

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2660

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 0 -NGENProcess 304 -Pipe 338 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1124

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 0 -NGENProcess 328 -Pipe 330 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1544

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4968

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2fc -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1672

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2dc -Pipe 244 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2220

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2b8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3060

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2bc -Pipe 320 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2352

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4796

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 310 -Pipe 22c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3048

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 304 -Pipe 310 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4320

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 350 -Pipe 2c8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4200

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3864

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2dc -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3656

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 0 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
4⤵
PID:2356

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 0 -NGENProcess 2bc -Pipe 324 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1760

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 0 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1588

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:900

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 0 -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4712

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 0 -NGENProcess 344 -Pipe 314 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2260

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1940

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:1816

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:1020

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:3128

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:4804

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:2948

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:5056

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:4036

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
1⤵
- Executes dropped EXE
PID:4628

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1428

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\help_static.html
Filesize
36KB

MD5
077f62da6c357a22cc1df92d9c2b74ed

SHA1
f46e6c74f40a29607fde42e08f2957af71e7e248

SHA256
24f88ce719a05cd976a02b75e926b2596a35462c04148655dc4453ac55b0af41

SHA512
72f5518c46f1f663bc0ae9555fb2566de19e7d9467c6426600b186222811129f74ceb69bec858298baa4e44b12f66dde685b9341f55631e64a5865d8d588f006

Download Submit
C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
Filesize
2.8MB

MD5
377184a9da8cbfbb154c82da78abc172

SHA1
6af4a6668711a52e9d49a717e9fdfea80acf411a

SHA256
9a6702cc0aa6c783c7ed5888b814ed49f6e03412f8f3b7d88b0c9217ba35c638

SHA512
8efa7af98fad460da685c47d04af9a2ad7ec2bec945a1f8950768a99a9da5fd1d170470a887a0317ea08c78ddf9909e0ec9884673fe5f44659a280c10c9e9b20

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat
Filesize
11KB

MD5
4d28bcdaed05510a3825974e54074a1d

SHA1
a02ed436833bd6509a69e6a16751cbdd65a126c3

SHA256
7e579f03e19f6672cfb37c8e9c434bf353299c1fc1a2e815d8c480fcb4340c22

SHA512
737861785c58701377b251f727c928dd93c1343e79154c31608f18eb1d96830c65796c9c3f63ac960b9f43f37c812d18f032493d9532514304e8e64223e3dcaa

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-PKKDQ.tmp\YAPM-v2.4.1-Setup.tmp
Filesize
1.2MB

MD5
4bbb6af20037ff0a429b494c9cc3b922

SHA1
d3a400c2627460bc4c5d6b686dc0a7d6f7842be9

SHA256
fd1ec145fec2ae61e534951ce597597537cf4c775c464a9d8793667131f305d7

SHA512
31995b56d53377f2cd53ef42e6d9f32287409fdf054d8beb8725ea7e46046ec1f8b2df74fd9780e1c7a53feb08c93f4b550e7e07e550b382cdf60235490abca8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log
Filesize
44KB

MD5
e6eaf550425dc3a6cf8796082845267d

SHA1
90cf7342d46448962b27ef4f1b21eab3648d3ffa

SHA256
5ca0642b95ada38932401a636b8c5155caec864ac1c25ed275c31c5a2dc10f8c

SHA512
9dd2283c54bfec60a5b76f0f19925dd426f63f6d54ec02d7d1555544d19c0e3b6d4b250d4070a16a2b93f631ef926e349de8b30affe97a5dd98e710a87f1a0d7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\10df751d5f95f37d9c88b64e1beb8dcb\Accessibility.ni.dll
Filesize
25KB

MD5
d7467485e45b04f8fdcd93ff0a3fa48a

SHA1
7197c9065062ca7f42dbb03ee2f49e14961d3c4e

SHA256
ad553ff167e90219be73541b38b24bfe7367c1814d2c6eb098eedc0042cfd41b

SHA512
97973a483797cdc8db4fada668afeecb5ff46820a19576e2bc795648caa5c3967f64c176389ff66635ecc3357265cd14a2d929d59f45ebb418685317bcbece5f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\c3824eb71e8cd3a08f2a6dd6059fbbdf\Microsoft.JScript.ni.dll
Filesize
2.2MB

MD5
968bb8b51ff4bdafeeae56edd11ee7bb

SHA1
78d7d86d83f811a27445acc78ce1e6081a557eb4

SHA256
0056ddc036382ec1c7a79f74e637ff23ac2f73617e2dab6a0a2843c7db16a790

SHA512
ab9a6ce22acff1d097ae466d521449088773b3f3a85ac0f8bd8970308f1708226a3223e659bb26e312761a11fa68737cf6cab5a86ed6534e6b9a5e7deca0ecc2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\8d5412981d050f07acbe1057cdbaeeca\Microsoft.VisualBasic.ni.dll
Filesize
1.6MB

MD5
7a229c9b97096fb089295650f399bb0d

SHA1
93e8a745fa26715cf073526111663d1db93ed56d

SHA256
f1ebc108221a40ba6909e945d17d05b3449bba071091fc1fe02a184b430b4fe3

SHA512
298ca4b2b0a94c2f8410296e254db9731762aa3ce92a1601e030df45a3931eb3ac429985fa57f13089f2a70f6c506a1880a3d9237a9c5e3168787b3e6838feb1

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\2289812b5029c6f128652101cf72223c\Microsoft.VisualC.ni.dll
Filesize
15KB

MD5
b97b1e5f26cd7362e10a67c3a45cc4fb

SHA1
4fbb5bbc2cd9fc53df112b401acad42dc0750156

SHA256
670bbdec7dbb7b7ce4ed652ff185e65044a39f892cefd55914f5b2b8ae8bd775

SHA512
9c02802a809e698d193707d0af1d89bb84afec5f31153e8b0084557971bdec596fafe6d38d1159278084bfb3b5194d596147125eb55b6141de1217ee3cba10be

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\1e8e2353d91111060930e5ec365c21a5\Microsoft.Vsa.ni.dll
Filesize
54KB

MD5
decf4b249a962742285c8f80c11a2c26

SHA1
dbc1343c2c39eba6055768b156032533edf4de29

SHA256
70cc9f374a909805cb346e34c8a9a6d406ae44f323e2db5f8f98f119c4fcb7c5

SHA512
b0cd2088727619599c68f5d70d667b21f282ce11d598167f323a6639f6cfc74e15830dd85f080e31044d8125e5d3b10df2aaac8da1e974fb9f152c4154af01e4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\f85219766178466ee0a6c6a7b2c13c95\System.Configuration.Install.ni.dll
Filesize
138KB

MD5
d1ffbd058a144431f0cba23cd8b376d8

SHA1
8ec78d97cb0cdab760bc4309b1fb848a67f34500

SHA256
fbea32efde25d793ba59ed2abb3e6cec772570c6fbda3f693de9c70a2190c469

SHA512
4e2387b35f272fc77ffa2f0f8e5df7fb6e36629c9489375ff2562bb3ea10458489a6f07e770c336edc63f28f0896bfd5e735ab9c0417411794e356350d89c149

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\1ecdb24396bcb9857fa0de5e002471e6\System.Configuration.ni.dll
Filesize
958KB

MD5
1cb62f3d8911973b06103dc096991c11

SHA1
ab5c4a252d2addb7fa040b5321046ceab58becc3

SHA256
9a49cc144445723e87d94a3a9e9d38eb5f79a26895b9b47538060ced3b8b40aa

SHA512
ef1b5ceac3662a1717a60d9f930534a8c72343d6484270d3bf97052f9a6388ab706b4aff694453b306dfa8fab3989536827286dfc3bbb1ff6367386a297b5a41

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\2aa2650daf642f6edd6c59370c42dcd7\System.Data.OracleClient.ni.dll
Filesize
1.1MB

MD5
b916ddba5474e0f9d385d4ce9e60e0c3

SHA1
8f69a6da8a3ebfb1d8dd7c1db09be6848daeb943

SHA256
e41fca3bf1ba9079a0d61c5cd5e272997e03a3dec7d5956b55cd9fe36958a05b

SHA512
d835c5414709c2bc17341f50de1dd3cff01d4fc90eab160f4e699e976c87d644289fb2f68509fb19fb2db09ff22f15c098900c48cba4ec38013341848c4c93b2

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\9f82ca5148638df88ea6c6e4c0b4c7d8\System.Data.ni.dll
Filesize
6.4MB

MD5
784220d194cc4d39f63291af7c0367f5

SHA1
b4f7e27405b433081c956d486eace7c3b3858ad4

SHA256
0452a52a0f52ff36c026eabe07a5a58b0fcc3ad04485270875a2153e6babfce3

SHA512
30a48943681cfa4e1765d148a63402e713209ddc0c38375bac87b481d9855c35f1bb89f73a8e21f95369f9b73ac49785023c9cbbf6738015d26cb1b8997b4070

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\324e8e15d7b35ab06f77270d904a5def\System.Deployment.ni.dll
Filesize
1.6MB

MD5
fb5ac6b1c0ce8774b9be3c278f2e13e4

SHA1
609a3915a4452df69d80d9acf1d94a9a23483ef6

SHA256
24d43b799b9e4cd2605d5c69865753c67600195d6622cfb1a1960547b9ba2518

SHA512
8356992a5415348c20fb5e8e4f28b23ed4923ee74fb8ca4c31725d1ead5d0e24bef303954b8d991e80533606a255dd75c01f59bd28cf6ed89cbda9aee8894fbf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\78ae2e80df2372b9736a640dcb0ea298\System.Design.ni.dll
Filesize
10.2MB

MD5
07de56122a9163a6af6219f59cb09bad

SHA1
e2230ee1bcffdcfa6c4dfd76350170776f69251e

SHA256
0dd5d6534ab07e3388cfa06495e9ca3fc70347f9f25884ded2e931dd230dbc74

SHA512
27c561a755f9d9419167ba530c5fe570363600eaff770a788de8c8b59e93862d6e169b09996385e2f9da57f875ee4d03d36120c92e165bde168dcccd930014f9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\0802466c2a05da01bbaa08d22d503fbb\System.DirectoryServices.ni.dll
Filesize
1.1MB

MD5
35d4549d58eb355233be43f2ebb85a9b

SHA1
6b87d3ab6e3ec0f00935154932c0189ca88913cb

SHA256
8be3623b586f4a4451b89f0768f6848dcb1b02b8fd550268d8c606ceccc4c2a4

SHA512
0272a5e175ef4faec3d828cec24169e27ccdbd9b277928ff9de0265941795ed4eb14bed97cc65c848d12fa74cff671b183c3973923a25a2c942e4f52e2cb17e5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\9c4793a7af8a93b77e2577319fcac235\System.DirectoryServices.Protocols.ni.dll
Filesize
444KB

MD5
cca2220f741b31a1e7fc33628e8d384a

SHA1
e4f7b9293751de02e59f1ddc0c4cdce809c5b3e3

SHA256
d3c3f0281423a2d33d60dd9ba78779c0735fdc0cf6b35902539e57c60c6a9106

SHA512
b67c849464a47e6f24a4fd78e81cc96b15267ae15cbfcc0553e3f0669c9bed495800a3259546a96f194699c27f420d00718ff87e9cbaeab3927541d7fb7d672e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\c60b51dc9c2b441c9723bccb1c3254a5\System.Drawing.Design.ni.dll
Filesize
203KB

MD5
ce0720155f2cf7c6d6348cf0ec29a25e

SHA1
8f710162fc5b1d452320c2f0549fb90507b45d67

SHA256
5cc4ca62f376ac848bbb3fe2775723ed58248f1fd9addebddac006d2f5171982

SHA512
19108351dd38f0a5514579b9986b8fd2f81c4f815815e80f1947d2d4f9d03a1c4560285a8757c8cf7abf62946be8ae110c800e10c4fb440b09fb9b8ae5f412ae

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8ea0c76b413164e23e638a4c2412ec51\System.EnterpriseServices.ni.dll
Filesize
613KB

MD5
b3d03767f3e8b473c514c93996ca23ff

SHA1
f41b180d3ddc01bf2b6897737d16a1261091263b

SHA256
06998b4ca49688ac8e64c7a504421b31cfb04e282ca01f6f13c43845566660d5

SHA512
e56198f1f9627ee843f8f3e52c8ceb3da38d06750db1c81eca4747eb11f917e41fa6e424d39d03c8d709e2c377ad791742769663c677e5464bf0f73be882f826

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\85eb29631da7a19a49149178845e2245\System.Management.ni.dll
Filesize
1.0MB

MD5
92d67fb22247d349b2d6b0df4d66aee8

SHA1
18415e4de817a93016b1c8721cad9c5a9a107ce6

SHA256
240829437e617fb2fbc288dc224030b5852920f4b7e3705eb49d2825adc11e21

SHA512
82ef60cae37daf11f17b00e7ddc87dcdc6433586f0a9254321cb763c5b9994c9f4582a75f2b418d9342830204883e8a50ec358491c53df50a37b0a76e6d6837d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\f08cacfee20d05ccc1758e8bb0cd6083\System.Runtime.Remoting.ni.dll
Filesize
756KB

MD5
f583f790900c61d40b623c2c0d020cb1

SHA1
672986203ee17855bfccfa9aa9620cf639c8c814

SHA256
d93e99513be2ef05288af6389e023566875f89198bdacf686c83e49c6554b4c8

SHA512
43c9efcfde299bbde68a451ef0814f531a3f932ba2353ed608e7a769de23548c1148729c01e89576847ed14e9557ee70d07d36ce2d9930d5eda0c4612ac78f9a

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9dfe2dfe6827a2ae6da4f06e0a04402c\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize
303KB

MD5
4c947dd62b018e5c81648ae4bde2db59

SHA1
81b30a695bf5aeaec4fa15cc97facb1acd171acf

SHA256
2d78491eb040d73c25b607b37f189f55a58efd90c0140fe168d442f02386ba1e

SHA512
8dce80408eb831b490a8f119b236919bdf50247d8740153fb696e5574ed34a9c5a76aa15dc0294029fb45f024dccb360865e68730d895a6e8b6fceb7dad178db

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\3b6d7bf601438839b52ad3eb480061f5\System.Security.ni.dll
Filesize
705KB

MD5
6c9ca33de94dcdb888550b432c1d9632

SHA1
24fa19b9b96b880dd0c61c5b69bb4dce1161647c

SHA256
beec57e255e4db1ead56a3fb147a8407352580b0e2a3e95abea569dac62ec511

SHA512
5dd2deff15619bf401c1a0c2c02c39db750d0fee21128e4dd36fcc785d90a407b9c60d2375fe60c08c3d41a995e90365138a76f2434b5290c8c68eeb4a741503

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\0305eeff23ff7c2bc98994970404418f\System.ServiceProcess.ni.dll
Filesize
219KB

MD5
8b752f2330c9ec9d4668d713f53c471c

SHA1
91058daa2a58f3d66e7fa0011a637b7f87b39ac7

SHA256
4b6d20eeddb2a2ffbfa99ca62bad1ecaf87446ad316e73d4491fe8b2f9023c9f

SHA512
4c2963e17b4e2c61dc90ca3373f8bfaea44f3830d3fac1be37d566b6daedf17c60f95514a5cd0bc2dd0c02bf50fcff827174a7d5d7b4ce5f34b1488935992885

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\e1d84e0089ad134a868c26a85682e890\System.Transactions.ni.dll
Filesize
612KB

MD5
0dbbfc21c386e42590526f24e78f1390

SHA1
3b405d664b36269d078df0f34ebeb9a251aba5b1

SHA256
a98ddbcfa134840ef5f7006f964f01b96d4567da1cd42550aa2317660672bf34

SHA512
dcb5f3d90f5077e99519c0cbbfcaec71864317463f3cb70cd1c8e30ff73e73e6d78e6895a91481c93e6d8e63cd82650153e63f98f38d78a4297bcd034aaeae29

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\3aed5487698e43f1ddcc655c6c02f67c\System.Web.RegularExpressions.ni.dll
Filesize
248KB

MD5
c726b4100ad16bfffe02db9932e7c4c2

SHA1
e86e422251c3ec48e2ce6dc785e5c29d78922306

SHA256
7c6299d05932c20f4a482045ef7c4987de87e6807890b084a033dd7be557a3de

SHA512
71831a1c1fc7dd81c022d8c3d650799c53b021775e7c3fd229c60d73654336831a376ca8cbd8abe20c19a303b3534e713c14a6bb944c40d13bb075a34407041d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\aa057537ca7ef7aa15494c83399c9ea1\System.Web.Services.ni.dll
Filesize
1.8MB

MD5
6f07db10fe21bbc82463f3b0ccd3bec8

SHA1
0cdfcd394e6f1a72912f7573fb7e9d3c7afc1968

SHA256
4c325d706d1d02b1c680ddcc94de5f78f497906348d58d64a1c1abb06c208a66

SHA512
268ada8ab96625214c15e3756d020058b80fdca6ce84fc1795a2fe4a4611c87da27922960eb5969a0a44f936fd3de7f48c2cbb0b69a4d0ae3b692bfd28947a67

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\66188c676814b22a35cb64a2ad82d019\System.Web.ni.dll
Filesize
11.4MB

MD5
d480d2db478a03475f1975b79a1caa9f

SHA1
7be99698fa2c0e028acee10131e595fb309bdcf7

SHA256
83fe3315a7267009e4942a2371461af23b26410bf4de23477b7b54c95450defd

SHA512
f0162e10a432dc7fb0c035162909f189ec3d8bf03f18d1b0dc603c574831c5070ac6b0aa994dbb30832782e104875565a7810c365b662077b9cb608d8958db67

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD34E.tmp\YAPM.exe
Filesize
7.6MB

MD5
21726b7f942593d3aa6048963d00348f

SHA1
d677a78e6ee13129cdec16673f757fedc367b1ed

SHA256
7f02f32062db449f279843a9be18a6a2bcadddba60148e205d7154278b75a04d

SHA512
0569623c295e592ec0fb6174479f79d6cacc82d3c0790c334661da02b546e7238ca2a7f21cd02233e9e2fb0797e033a0b56ebc48bcac16d79b0f77d5186ff0cb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE947.tmp\System.Xml.dll
Filesize
5.2MB

MD5
c4b3a3cd8c8b8dcb27130915bc3b988e

SHA1
26a294f63ad52b65059251473e09d90c51b56f2b

SHA256
f83a83b6cdc9c95a183b0cd841a6391db263fa27c44d57ec0fe7e577af158718

SHA512
9f543eca80e2463d7deca3001d04380e9f15580d4951d7f3954abdd5f8a4f5879c807329de7d288db950caca36f5c417c0d1d0783637b2cc270661dfe298ecaf

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEFFD.tmp\System.Data.SqlXml.dll
Filesize
2.4MB

MD5
aa0ddbf341004af7a4dd01c116580968

SHA1
4159cae44b546355f60a3b3eb3cba96004637380

SHA256
38046b4dbc84a0af01ef479b6b54011fd4392fee5cfab6caa17bbb88fa7977e9

SHA512
69e2f249e059f070b7803072c691db85db056d5dfd40377ff27683e75c0893f4af45629cef360b9d21be5a936a1299b6f5671e65f5216fc34dceaa787b1ee15d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB48.tmp\System.Drawing.dll
Filesize
1.5MB

MD5
88d18286009d006166fb202312f7039b

SHA1
4bcac7df96a6a04f0e9e32270756c5e8e06a72ff

SHA256
cf510e0fa61e87d59ed569a713b9b4e49ac75695cae3b22ef2ac24eea2b569ad

SHA512
3df4ca1c5301df11db320964a1203fa7f6087f499e50e3985a2f9cbc356c210a18ec4b85309d61f68c957b57ec0226bd3ad75e4e22e4e4900bae4aba7ad934aa

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF11.tmp\System.Windows.Forms.dll
Filesize
11.9MB

MD5
e2569429243b123bca263865b75bcd04

SHA1
1f5b43c8257754ac1d6ced9955e062afa2b3f886

SHA256
0801188d8398bb1611e4ee1178a38ef34b3571195261ca5dcf94bc2ae3b75a7b

SHA512
d7d7199f0bf14d0cb3c347aec6806aa0d3d2e8748c87ac006eea3d385a0b1274bed76e3e6cac0ac66ef032b8c5d47cfc18f7e8e6e43d11cf5c3ae7ae7fbbffb8

Download Submit
memory/1940-341-0x0000000001B70000-0x0000000001B78000-memory.dmp

Filesize
32KB

Download
memory/1940-340-0x000000001CAD0000-0x000000001CB76000-memory.dmp

Filesize
664KB

Download
memory/1940-339-0x000000001C550000-0x000000001CA1E000-memory.dmp

Filesize
4.8MB

Download
memory/1940-338-0x000000001C030000-0x000000001C050000-memory.dmp

Filesize
128KB

Download
memory/1940-337-0x000000001BF50000-0x000000001BFEC000-memory.dmp

Filesize
624KB

Download
memory/1952-51-0x0000000073981000-0x0000000073982000-memory.dmp

Filesize
4KB

Download
memory/1952-54-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/1952-56-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/1952-57-0x0000000073980000-0x0000000073F31000-memory.dmp

Filesize
5.7MB

Download
memory/3564-13-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3564-9-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3564-331-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3564-335-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3564-55-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/3900-12-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3900-336-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3900-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/3900-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads