Resubmissions
25-06-2024 09:30  240625-lgn8kavcnr  10
25-06-2024 09:25  240625-ldw41a1emf  10
25-06-2024 09:19  240625-laeesa1cqa  10
Analysis
max time kernel: 88s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 25-06-2024 09:25
Static task: static1
Behavioral task: behavioral1
Sample: YAPM-v2.4.1-Setup.exe
Resource: win11-20240611-en
General
Target: YAPM-v2.4.1-Setup.exe
Size: 1.3MB
MD5: 90f828cd8df173636ae4a2233e70f774
SHA1: 66924c162a8a4e17b8f8fe19c246f6586e359d98
SHA256: 7ac7096ac0d29805f2fa29fa229384a68b2e338e9d74968dd7e1a00adaa904a3
SHA512: 424b90603387cbfcd7aba6b1b4d3dce0af3f680b5944ce01541bcf73140e2583b524933972825473872c400e5e06fff02f45d9282d88997004777a09cb410c06
SSDEEP: 24576:H+qqcWrftGXFOD6LRhKPVjcHx59UEugS+jcz1pxSo6WP58wrzWlXMMiM1K2xvj3Q:JIGXN1hqVcDKEHS+ohSoVP58EWlF1zBE
Malware Config
Signatures
-
RevengeRAT
Remote-access trojan with a wide range of capabilities.
-
RevengeRat Executable 1 IoCs
resource: C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
yara_rule: revengerat
-
Executes dropped EXE 10 IoCs
pid   process
3564  YAPM-v2.4.1-Setup.tmp
1940  YAPM.exe
1816  YAPM.exe
1020  YAPM.exe
3128  YAPM.exe
4804  YAPM.exe
2948  YAPM.exe
5056  YAPM.exe
4036  YAPM.exe
4628  YAPM.exe
-
Loads dropped DLL 64 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 12 IoCs
process: YAPM-v2.4.1-Setup.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\unins000.dat
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-E1V71.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-K2FGC.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-N8TC0.tmp
File opened for modification C:\Program Files (x86)\Yet Another (remote) Process Monitor\unins000.dat
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-PT82C.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-3QGGB.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-HOQJO.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-BSAKT.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-48FLK.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-O7QL1.tmp
File created C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-E36UB.tmp
-
Drops file in Windows directory 64 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
process: MiniSearchHost.exe
Key created \REGISTRY\USER\S-1-5-21-1560405787-796225086-678739705-1000_Classes\Local Settings\MuiCache
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid   process
1940  YAPM.exe
1940  YAPM.exe
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
description                  pid   process
Token: SeDebugPrivilege      1940  YAPM.exe
Token: SeShutdownPrivilege   1940  YAPM.exe
-
Suspicious use of FindShellTrayWindow 1 IoCs
pid   process
3564  YAPM-v2.4.1-Setup.tmp
-
Suspicious use of SetWindowsHookEx 5 IoCs
pid   process
1940  YAPM.exe
1940  YAPM.exe
1940  YAPM.exe
1940  YAPM.exe
1428  MiniSearchHost.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
[1] C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe"
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\is-PKKDQ.tmp\YAPM-v2.4.1-Setup.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-PKKDQ.tmp\YAPM-v2.4.1-Setup.tmp" /SL5="$40214,873450,187904,C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe"
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
        "C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
        - Drops file in Windows directory
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 238 -InterruptEvent 0 -NGENProcess 22c -Pipe 228 -Comment "NGen Worker Process"
          - Loads dropped DLL
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2f0 -Pipe 2e4 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 22c -Pipe 234 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 238 -Pipe 2c4 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2f4 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 244 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2f0 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 22c -Pipe 300 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2b8 -InterruptEvent 0 -NGENProcess 308 -Pipe 2d8 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 2f8 -Pipe 308 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c0 -InterruptEvent 0 -NGENProcess 244 -Pipe 238 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 304 -Pipe 318 -Comment "NGen Worker Process"
          - Loads dropped DLL
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 0 -NGENProcess 304 -Pipe 338 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 33c -InterruptEvent 0 -NGENProcess 328 -Pipe 330 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 310 -Pipe 33c -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 0 -NGENProcess 2c0 -Pipe 2fc -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2dc -Pipe 244 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 2c8 -Pipe 2b8 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2f8 -InterruptEvent 0 -NGENProcess 2bc -Pipe 320 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 314 -Pipe 334 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 31c -InterruptEvent 0 -NGENProcess 310 -Pipe 22c -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 304 -Pipe 310 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 350 -Pipe 2c8 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 314 -Pipe 31c -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 328 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2dc -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 324 -InterruptEvent 0 -NGENProcess 314 -Pipe 328 -Comment "NGen Worker Process"
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 354 -InterruptEvent 0 -NGENProcess 2bc -Pipe 324 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 34c -InterruptEvent 0 -NGENProcess 304 -Pipe 30c -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 314 -Pipe 2e0 -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 360 -InterruptEvent 0 -NGENProcess 350 -Pipe 34c -Comment "NGen Worker Process"
          - Drops file in Windows directory
      [4] C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
          C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 364 -InterruptEvent 0 -NGENProcess 344 -Pipe 314 -Comment "NGen Worker Process"
          - Drops file in Windows directory
    [3] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
        "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
    "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
    - Executes dropped EXE
[1] C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
    - Modifies registry class
    - Suspicious use of SetWindowsHookEx
Downloads
-
C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\help_static.htmlFilesize
36KB
MD5077f62da6c357a22cc1df92d9c2b74ed
SHA1f46e6c74f40a29607fde42e08f2957af71e7e248
SHA25624f88ce719a05cd976a02b75e926b2596a35462c04148655dc4453ac55b0af41
SHA51272f5518c46f1f663bc0ae9555fb2566de19e7d9467c6426600b186222811129f74ceb69bec858298baa4e44b12f66dde685b9341f55631e64a5865d8d588f006
-
C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exeFilesize
2.8MB
MD5377184a9da8cbfbb154c82da78abc172
SHA16af4a6668711a52e9d49a717e9fdfea80acf411a
SHA2569a6702cc0aa6c783c7ed5888b814ed49f6e03412f8f3b7d88b0c9217ba35c638
SHA5128efa7af98fad460da685c47d04af9a2ad7ec2bec945a1f8950768a99a9da5fd1d170470a887a0317ea08c78ddf9909e0ec9884673fe5f44659a280c10c9e9b20
-
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.datFilesize
11KB
MD54d28bcdaed05510a3825974e54074a1d
SHA1a02ed436833bd6509a69e6a16751cbdd65a126c3
SHA2567e579f03e19f6672cfb37c8e9c434bf353299c1fc1a2e815d8c480fcb4340c22
SHA512737861785c58701377b251f727c928dd93c1343e79154c31608f18eb1d96830c65796c9c3f63ac960b9f43f37c812d18f032493d9532514304e8e64223e3dcaa
-
C:\Users\Admin\AppData\Local\Temp\is-PKKDQ.tmp\YAPM-v2.4.1-Setup.tmpFilesize
1.2MB
MD54bbb6af20037ff0a429b494c9cc3b922
SHA1d3a400c2627460bc4c5d6b686dc0a7d6f7842be9
SHA256fd1ec145fec2ae61e534951ce597597537cf4c775c464a9d8793667131f305d7
SHA51231995b56d53377f2cd53ef42e6d9f32287409fdf054d8beb8725ea7e46046ec1f8b2df74fd9780e1c7a53feb08c93f4b550e7e07e550b382cdf60235490abca8
-
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.logFilesize
44KB
MD5e6eaf550425dc3a6cf8796082845267d
SHA190cf7342d46448962b27ef4f1b21eab3648d3ffa
SHA2565ca0642b95ada38932401a636b8c5155caec864ac1c25ed275c31c5a2dc10f8c
SHA5129dd2283c54bfec60a5b76f0f19925dd426f63f6d54ec02d7d1555544d19c0e3b6d4b250d4070a16a2b93f631ef926e349de8b30affe97a5dd98e710a87f1a0d7
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\10df751d5f95f37d9c88b64e1beb8dcb\Accessibility.ni.dllFilesize
25KB
MD5d7467485e45b04f8fdcd93ff0a3fa48a
SHA17197c9065062ca7f42dbb03ee2f49e14961d3c4e
SHA256ad553ff167e90219be73541b38b24bfe7367c1814d2c6eb098eedc0042cfd41b
SHA51297973a483797cdc8db4fada668afeecb5ff46820a19576e2bc795648caa5c3967f64c176389ff66635ecc3357265cd14a2d929d59f45ebb418685317bcbece5f
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\c3824eb71e8cd3a08f2a6dd6059fbbdf\Microsoft.JScript.ni.dllFilesize
2.2MB
MD5968bb8b51ff4bdafeeae56edd11ee7bb
SHA178d7d86d83f811a27445acc78ce1e6081a557eb4
SHA2560056ddc036382ec1c7a79f74e637ff23ac2f73617e2dab6a0a2843c7db16a790
SHA512ab9a6ce22acff1d097ae466d521449088773b3f3a85ac0f8bd8970308f1708226a3223e659bb26e312761a11fa68737cf6cab5a86ed6534e6b9a5e7deca0ecc2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualBas#\8d5412981d050f07acbe1057cdbaeeca\Microsoft.VisualBasic.ni.dllFilesize
1.6MB
MD57a229c9b97096fb089295650f399bb0d
SHA193e8a745fa26715cf073526111663d1db93ed56d
SHA256f1ebc108221a40ba6909e945d17d05b3449bba071091fc1fe02a184b430b4fe3
SHA512298ca4b2b0a94c2f8410296e254db9731762aa3ce92a1601e030df45a3931eb3ac429985fa57f13089f2a70f6c506a1880a3d9237a9c5e3168787b3e6838feb1
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\2289812b5029c6f128652101cf72223c\Microsoft.VisualC.ni.dllFilesize
15KB
MD5b97b1e5f26cd7362e10a67c3a45cc4fb
SHA14fbb5bbc2cd9fc53df112b401acad42dc0750156
SHA256670bbdec7dbb7b7ce4ed652ff185e65044a39f892cefd55914f5b2b8ae8bd775
SHA5129c02802a809e698d193707d0af1d89bb84afec5f31153e8b0084557971bdec596fafe6d38d1159278084bfb3b5194d596147125eb55b6141de1217ee3cba10be
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\1e8e2353d91111060930e5ec365c21a5\Microsoft.Vsa.ni.dllFilesize
54KB
MD5decf4b249a962742285c8f80c11a2c26
SHA1dbc1343c2c39eba6055768b156032533edf4de29
SHA25670cc9f374a909805cb346e34c8a9a6d406ae44f323e2db5f8f98f119c4fcb7c5
SHA512b0cd2088727619599c68f5d70d667b21f282ce11d598167f323a6639f6cfc74e15830dd85f080e31044d8125e5d3b10df2aaac8da1e974fb9f152c4154af01e4
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\f85219766178466ee0a6c6a7b2c13c95\System.Configuration.Install.ni.dllFilesize
138KB
MD5d1ffbd058a144431f0cba23cd8b376d8
SHA18ec78d97cb0cdab760bc4309b1fb848a67f34500
SHA256fbea32efde25d793ba59ed2abb3e6cec772570c6fbda3f693de9c70a2190c469
SHA5124e2387b35f272fc77ffa2f0f8e5df7fb6e36629c9489375ff2562bb3ea10458489a6f07e770c336edc63f28f0896bfd5e735ab9c0417411794e356350d89c149
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuration\1ecdb24396bcb9857fa0de5e002471e6\System.Configuration.ni.dllFilesize
958KB
MD51cb62f3d8911973b06103dc096991c11
SHA1ab5c4a252d2addb7fa040b5321046ceab58becc3
SHA2569a49cc144445723e87d94a3a9e9d38eb5f79a26895b9b47538060ced3b8b40aa
SHA512ef1b5ceac3662a1717a60d9f930534a8c72343d6484270d3bf97052f9a6388ab706b4aff694453b306dfa8fab3989536827286dfc3bbb1ff6367386a297b5a41
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\2aa2650daf642f6edd6c59370c42dcd7\System.Data.OracleClient.ni.dllFilesize
1.1MB
MD5b916ddba5474e0f9d385d4ce9e60e0c3
SHA18f69a6da8a3ebfb1d8dd7c1db09be6848daeb943
SHA256e41fca3bf1ba9079a0d61c5cd5e272997e03a3dec7d5956b55cd9fe36958a05b
SHA512d835c5414709c2bc17341f50de1dd3cff01d4fc90eab160f4e699e976c87d644289fb2f68509fb19fb2db09ff22f15c098900c48cba4ec38013341848c4c93b2
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\9f82ca5148638df88ea6c6e4c0b4c7d8\System.Data.ni.dllFilesize
6.4MB
MD5784220d194cc4d39f63291af7c0367f5
SHA1b4f7e27405b433081c956d486eace7c3b3858ad4
SHA2560452a52a0f52ff36c026eabe07a5a58b0fcc3ad04485270875a2153e6babfce3
SHA51230a48943681cfa4e1765d148a63402e713209ddc0c38375bac87b481d9855c35f1bb89f73a8e21f95369f9b73ac49785023c9cbbf6738015d26cb1b8997b4070
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Deployment\324e8e15d7b35ab06f77270d904a5def\System.Deployment.ni.dllFilesize
1.6MB
MD5fb5ac6b1c0ce8774b9be3c278f2e13e4
SHA1609a3915a4452df69d80d9acf1d94a9a23483ef6
SHA25624d43b799b9e4cd2605d5c69865753c67600195d6622cfb1a1960547b9ba2518
SHA5128356992a5415348c20fb5e8e4f28b23ed4923ee74fb8ca4c31725d1ead5d0e24bef303954b8d991e80533606a255dd75c01f59bd28cf6ed89cbda9aee8894fbf
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\78ae2e80df2372b9736a640dcb0ea298\System.Design.ni.dll
Filesize: 10.2MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\0802466c2a05da01bbaa08d22d503fbb\System.DirectoryServices.ni.dll
Filesize: 1.1MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\9c4793a7af8a93b77e2577319fcac235\System.DirectoryServices.Protocols.ni.dll
Filesize: 444KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\c60b51dc9c2b441c9723bccb1c3254a5\System.Drawing.Design.ni.dll
Filesize: 203KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\8ea0c76b413164e23e638a4c2412ec51\System.EnterpriseServices.ni.dll
Filesize: 613KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\85eb29631da7a19a49149178845e2245\System.Management.ni.dll
Filesize: 1.0MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\f08cacfee20d05ccc1758e8bb0cd6083\System.Runtime.Remoting.ni.dll
Filesize: 756KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\9dfe2dfe6827a2ae6da4f06e0a04402c\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize: 303KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\3b6d7bf601438839b52ad3eb480061f5\System.Security.ni.dll
Filesize: 705KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\0305eeff23ff7c2bc98994970404418f\System.ServiceProcess.ni.dll
Filesize: 219KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\e1d84e0089ad134a868c26a85682e890\System.Transactions.ni.dll
Filesize: 612KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\3aed5487698e43f1ddcc655c6c02f67c\System.Web.RegularExpressions.ni.dll
Filesize: 248KB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\aa057537ca7ef7aa15494c83399c9ea1\System.Web.Services.ni.dll
Filesize: 1.8MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\66188c676814b22a35cb64a2ad82d019\System.Web.ni.dll
Filesize: 11.4MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPD34E.tmp\YAPM.exe
Filesize: 7.6MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPE947.tmp\System.Xml.dll
Filesize: 5.2MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPEFFD.tmp\System.Data.SqlXml.dll
Filesize: 2.4MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFB48.tmp\System.Drawing.dll
Filesize: 1.5MB
-
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPFF11.tmp\System.Windows.Forms.dll
Filesize: 11.9MB