revengerat | 7ac7096ac0d29805f2fa29fa229384a68b2e338e9d74968dd7e1a00adaa904a3

Resubmissions

25-06-2024 09:30

240625-lgn8kavcnr 10

25-06-2024 09:25

240625-ldw41a1emf 10

25-06-2024 09:19

240625-laeesa1cqa 10

Analysis

max time kernel
147s
max time network
133s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-06-2024 09:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YAPM-v2.4.1-Setup.exe
Size

1.3MB
MD5

90f828cd8df173636ae4a2233e70f774
SHA1

66924c162a8a4e17b8f8fe19c246f6586e359d98
SHA256

7ac7096ac0d29805f2fa29fa229384a68b2e338e9d74968dd7e1a00adaa904a3
SHA512

424b90603387cbfcd7aba6b1b4d3dce0af3f680b5944ce01541bcf73140e2583b524933972825473872c400e5e06fff02f45d9282d88997004777a09cb410c06
SSDEEP

24576:H+qqcWrftGXFOD6LRhKPVjcHx59UEugS+jcz1pxSo6WP58wrzWlXMMiM1K2xvj3Q:JIGXN1hqVcDKEHS+ohSoVP58EWlF1zBE

Score

10^/10

revengerat discovery stealer trojan

Malware Config

Signatures

RevengeRAT
Remote-access trojan with a wide range of capabilities.
trojan revengerat
RevengeRat Executable 1 IoCs
stealer

Processes:

resource yara_rule

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe revengerat
Executes dropped EXE 2 IoCs

Processes:

YAPM-v2.4.1-Setup.tmpYAPM.exe

pid process

5052 YAPM-v2.4.1-Setup.tmp
2948 YAPM.exe

resource	yara_rule
C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe	revengerat

Loads dropped DLL 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

pid	process
4004	mscorsvw.exe
4004	mscorsvw.exe
3328	mscorsvw.exe
3328	mscorsvw.exe
3328	mscorsvw.exe
3328	mscorsvw.exe
3328	mscorsvw.exe
3328	mscorsvw.exe
3328	mscorsvw.exe
4420	mscorsvw.exe
4420	mscorsvw.exe
4420	mscorsvw.exe
4420	mscorsvw.exe
4420	mscorsvw.exe
640	mscorsvw.exe
640	mscorsvw.exe
640	mscorsvw.exe
640	mscorsvw.exe
640	mscorsvw.exe
4676	mscorsvw.exe
4676	mscorsvw.exe
4676	mscorsvw.exe
4676	mscorsvw.exe
4676	mscorsvw.exe
3128	mscorsvw.exe
3128	mscorsvw.exe
3128	mscorsvw.exe
3128	mscorsvw.exe
3128	mscorsvw.exe
3128	mscorsvw.exe
3248	mscorsvw.exe
3248	mscorsvw.exe
3248	mscorsvw.exe
3248	mscorsvw.exe
3248	mscorsvw.exe
3248	mscorsvw.exe
3248	mscorsvw.exe
5036	mscorsvw.exe
5036	mscorsvw.exe
5036	mscorsvw.exe
5036	mscorsvw.exe
5036	mscorsvw.exe
5036	mscorsvw.exe
5036	mscorsvw.exe
4344	mscorsvw.exe
4344	mscorsvw.exe
4344	mscorsvw.exe
4344	mscorsvw.exe
4344	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
408	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe
4412	mscorsvw.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 12 IoCs

Processes:

YAPM-v2.4.1-Setup.tmp

description	ioc	process
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-KG09M.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-CINIO.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-KNCTK.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\unins000.dat	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-CQDEV.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-62LHO.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-FGES7.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-HCMAG.tmp	YAPM-v2.4.1-Setup.tmp
File opened for modification	C:\Program Files (x86)\Yet Another (remote) Process Monitor\unins000.dat	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-JI3CN.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\is-2LE6N.tmp	YAPM-v2.4.1-Setup.tmp
File created	C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\is-L012Q.tmp	YAPM-v2.4.1-Setup.tmp

Drops file in Windows directory 64 IoCs

Processes:

mscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exengen.exemscorsvw.exemscorsvw.exemscorsvw.exemscorsvw.exe

description	ioc	process
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1b.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexf.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC1C9.tmp\System.DirectoryServices.Protocols.dll	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB71B.tmp\System.Design.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1f.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1d.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1f.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index28.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexb.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1e.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index11.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index27.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexd.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91A1.tmp\System.Windows.Forms.dll	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index19.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index17.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index10.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index18.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index20.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index23.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index26.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngennicupdatelock.dat	ngen.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index18.dat	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index25.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index16.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index14.dat	mscorsvw.exe
File created	C:\Windows\assembly\GACLock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8E46.tmp\System.Security.dll	mscorsvw.exe
File created	C:\Windows\assembly\ngenlock.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPB381.tmp\System.DirectoryServices.dll	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index24.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index24.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\ngenserviceclientlock.dat	ngen.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexe.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index15.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index19.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\index1a.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\indexe.dat	mscorsvw.exe
File opened for modification	C:\Windows\assembly\NativeImages_v2.0.50727_32\index13.dat	mscorsvw.exe
File created	C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAPC90D.tmp\Microsoft.Vsa.dll	mscorsvw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2804150937-2146708401-419095071-1000\{2E26C7EA-3E9C-46E4-BD6F-F41D93ABC336}	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

YAPM.exemsedge.exemsedge.exemsedge.exeidentity_helper.exe

pid process

2948 YAPM.exe
2948 YAPM.exe
1688 msedge.exe
1688 msedge.exe
4880 msedge.exe
4880 msedge.exe
4316 msedge.exe
4316 msedge.exe
4388 identity_helper.exe
4388 identity_helper.exe

pid	process
2948	YAPM.exe
2948	YAPM.exe
1688	msedge.exe
1688	msedge.exe
4880	msedge.exe
4880	msedge.exe
4316	msedge.exe
4316	msedge.exe
4388	identity_helper.exe
4388	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

Processes:

msedge.exe

pid	process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

YAPM.exe

description pid process

Token: SeDebugPrivilege 2948 YAPM.exe
Token: SeShutdownPrivilege 2948 YAPM.exe

description	pid	process
Token: SeDebugPrivilege	2948	YAPM.exe
Token: SeShutdownPrivilege	2948	YAPM.exe

Suspicious use of FindShellTrayWindow 28 IoCs

Processes:

YAPM-v2.4.1-Setup.tmpmsedge.exe

pid	process
5052	YAPM-v2.4.1-Setup.tmp
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

Processes:

msedge.exe

pid	process
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe
4880	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

YAPM.exe

pid process

2948 YAPM.exe
2948 YAPM.exe
2948 YAPM.exe
2948 YAPM.exe

pid	process
2948	YAPM.exe
2948	YAPM.exe
2948	YAPM.exe
2948	YAPM.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

YAPM-v2.4.1-Setup.exeYAPM-v2.4.1-Setup.tmpngen.exe

description	pid	process	target process
PID 1816 wrote to memory of 5052	1816	YAPM-v2.4.1-Setup.exe	YAPM-v2.4.1-Setup.tmp
PID 1816 wrote to memory of 5052	1816	YAPM-v2.4.1-Setup.exe	YAPM-v2.4.1-Setup.tmp
PID 1816 wrote to memory of 5052	1816	YAPM-v2.4.1-Setup.exe	YAPM-v2.4.1-Setup.tmp
PID 5052 wrote to memory of 3616	5052	YAPM-v2.4.1-Setup.tmp	ngen.exe
PID 5052 wrote to memory of 3616	5052	YAPM-v2.4.1-Setup.tmp	ngen.exe
PID 5052 wrote to memory of 3616	5052	YAPM-v2.4.1-Setup.tmp	ngen.exe
PID 3616 wrote to memory of 4004	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4004	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4004	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3328	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3328	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3328	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4420	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4420	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4420	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 640	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 640	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 640	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4676	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4676	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4676	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3128	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3128	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3128	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3248	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3248	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3248	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 5036	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 5036	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 5036	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4344	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4344	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4344	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 408	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 408	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 408	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4412	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4412	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4412	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4812	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4812	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4812	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4584	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4584	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4584	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4004	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4004	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 4004	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 1924	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 1924	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 1924	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 876	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 876	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 876	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 696	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 696	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 696	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3896	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3896	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 3896	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 1500	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 1500	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 1500	3616	ngen.exe	mscorsvw.exe
PID 3616 wrote to memory of 1488	3616	ngen.exe	mscorsvw.exe

C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe
"C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1816

C:\Users\Admin\AppData\Local\Temp\is-UHGPP.tmp\YAPM-v2.4.1-Setup.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UHGPP.tmp\YAPM-v2.4.1-Setup.tmp" /SL5="$8014C,873450,187904,C:\Users\Admin\AppData\Local\Temp\YAPM-v2.4.1-Setup.exe"
2⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe
"C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.exe" install "C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
3⤵
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:3616

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 234 -InterruptEvent 0 -NGENProcess 21c -Pipe 230 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2bc -Pipe 2d0 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3328

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2d4 -Pipe 234 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4420

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2dc -Pipe 2cc -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
PID:640

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ac -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2f0 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4676

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2b4 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3128

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 224 -InterruptEvent 0 -NGENProcess 2f4 -Pipe 2ac -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:3248

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d8 -InterruptEvent 0 -NGENProcess 2ec -Pipe 224 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:5036

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2d8 -Pipe 2fc -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4344

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 30c -InterruptEvent 0 -NGENProcess 304 -Pipe 308 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:408

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 310 -InterruptEvent 0 -NGENProcess 31c -Pipe 300 -Comment "NGen Worker Process"
4⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:4412

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2f8 -Pipe 21c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4812

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2e8 -InterruptEvent 0 -NGENProcess 2e4 -Pipe 2d8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4584

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 2d4 -Pipe 2f8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4004

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 22c -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2e4 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 304 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2e0 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:876

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2f4 -Pipe 22c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:696

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 31c -Pipe 318 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3896

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2d4 -InterruptEvent 0 -NGENProcess 2ec -Pipe 310 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1500

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 304 -Pipe 2e8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:1488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2c8 -InterruptEvent 0 -NGENProcess 2b8 -Pipe 31c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:4532

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2b8 -Pipe 2f4 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2632

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 334 -InterruptEvent 0 -NGENProcess 30c -Pipe 330 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3608

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 304 -Pipe 324 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:736

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 320 -InterruptEvent 0 -NGENProcess 328 -Pipe 314 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:684

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2dc -InterruptEvent 0 -NGENProcess 2d4 -Pipe 328 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:208

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 2dc -Pipe 2b8 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2488

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 0 -NGENProcess 2ec -Pipe 34c -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 2ec -InterruptEvent 0 -NGENProcess 350 -Pipe 364 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:2960

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe -StartupEvent 348 -InterruptEvent 0 -NGENProcess 358 -Pipe 350 -Comment "NGen Worker Process"
4⤵
- Drops file in Windows directory
PID:3648

C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
"C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3988

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4880

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffc60e946f8,0x7ffc60e94708,0x7ffc60e94718
2⤵
PID:3764

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
2⤵
PID:2760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1688

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2708 /prefetch:8
2⤵
PID:1516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
2⤵
PID:1736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
2⤵
PID:368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
2⤵
PID:2916

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4964 /prefetch:1
2⤵
PID:220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4664 /prefetch:1
2⤵
PID:4344

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5212 /prefetch:1
2⤵
PID:4496

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3512 /prefetch:1
2⤵
PID:1780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
2⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5612 /prefetch:8
2⤵
PID:424

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5624 /prefetch:8
2⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4316

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
2⤵
PID:4736

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5840 /prefetch:8
2⤵
PID:3280

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:1
2⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
2⤵
PID:2204

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6236 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4388

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5344 /prefetch:1
2⤵
PID:1980

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
2⤵
PID:4896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
2⤵
PID:1048

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,9609222634236585813,13995454280690326492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
2⤵
PID:1692

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4368

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Yet Another (remote) Process Monitor\Help\help_static.html
Filesize
36KB

MD5
077f62da6c357a22cc1df92d9c2b74ed

SHA1
f46e6c74f40a29607fde42e08f2957af71e7e248

SHA256
24f88ce719a05cd976a02b75e926b2596a35462c04148655dc4453ac55b0af41

SHA512
72f5518c46f1f663bc0ae9555fb2566de19e7d9467c6426600b186222811129f74ceb69bec858298baa4e44b12f66dde685b9341f55631e64a5865d8d588f006

Download Submit
C:\Program Files (x86)\Yet Another (remote) Process Monitor\YAPM.exe
Filesize
2.8MB

MD5
377184a9da8cbfbb154c82da78abc172

SHA1
6af4a6668711a52e9d49a717e9fdfea80acf411a

SHA256
9a6702cc0aa6c783c7ed5888b814ed49f6e03412f8f3b7d88b0c9217ba35c638

SHA512
8efa7af98fad460da685c47d04af9a2ad7ec2bec945a1f8950768a99a9da5fd1d170470a887a0317ea08c78ddf9909e0ec9884673fe5f44659a280c10c9e9b20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017
Filesize
204KB

MD5
081c4aa5292d279891a28a6520fdc047

SHA1
c3dbb6c15f3555487c7b327f4f62235ddb568b84

SHA256
12cc87773068d1cd7105463287447561740be1cf4caefd563d0664da1f5f995f

SHA512
9a78ec4c2709c9f1b7e12fd9105552b1b5a2b033507de0c876d9a55d31678e6b81cec20e01cf0a9e536b013cdb862816601a79ce0a2bb92cb860d267501c0b69

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
2KB

MD5
a89d83e59373436ffe4de216251aa724

SHA1
d1337f6d64e1d5cf26fd7cbf6ec6942f58067ed9

SHA256
4d1a07a36732cceb4ce28c514f4dfde7c2c13beaa25a059a79789c0a89c7973d

SHA512
d42f0ca0013815e5f2fc9fc74f11a2cc151f9752f50818744f2d840889bdf47589cc348c75a1c09f719aa607ae1e688af039e241e26dd8a45fddf079871796b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
88569afe3194a32c98193cb0b589e9ac

SHA1
6e73d416f2d909e832edbbe15ce671bd8149a367

SHA256
e8f9701adce360830351f2f462318b94d083568f1d5e8e0db4fdae8656b4da98

SHA512
14427e1b8a17c5c20c69855675d25e2c6e39a29f81b873c6fe57319eb5087edbbf0972429fa3b08350047d4317113e8775b4adce95dc9a212f1c63991d91e980

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
6dcea9dd96001974eb42ee3f4918220a

SHA1
235fa724df914bdd8c06dbdbaae50a990d19980f

SHA256
f415407fd404a993217e862cee3d476267b99345be2da0fd32bd16809405355c

SHA512
a59be2a91cfeaa866f3a61b73718319ce230510b2a495f29b50b63b1abff2d0fd51bdcbf39650c7d8ea14d99e7e98440133c482c7720f2ef6ddcd8a557dcc4d1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
41f592252c85926c53b4b5dad199ace1

SHA1
21952c60a22add39112646827d4a8003cf95b16d

SHA256
045f5bf84a3beb74c55469a9926eaa06cfa61d0e945c784be99d6ffa547563fa

SHA512
383804a3222688861342b5cab8b0789b33b2454e53532fb83e093dabf78b8b7aa6284d5a694cac94b8c7406caba0e53fa3727a77cffd5cb61b1ef2dea503de5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
360cd67b380e076d62a2fff19a3188a4

SHA1
c8cd59398ae1b8c800787f9b65de0568ee58b1eb

SHA256
c302819dd9afd38e4920951ee2cc8391975ccfac135ab3ea929e7fb405167e4d

SHA512
079127f07ed15b09b9700b68cf24bd97f4de853731c3b1255e67bed23a402d50206db8cba80ba3ca7136597d3e203dbc442c1804b59cce2f51e7a9b391b507e1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
e7c9cf10a9f28db402b64cbab4cef56d

SHA1
70067eb20ca5e2e7c6753a696edb5f1bbb958308

SHA256
7143d8549e788f928231ebd93c9f4e340cca770c60db5c83fc4e07a6b61a8b38

SHA512
205a147ce4e4594322c6d64cfe7f6830f6ffbf83ea360425bcb8ef6c8e0dd3f2fe88e80ccc188a7fec1cf317eda77846490e48465e6abdcbef5b11c95f1bb2d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58c7a0.TMP
Filesize
48B

MD5
cc0e0f8f4ae594345697ead4baac0aa7

SHA1
df93999accba7c4065c7daa385cd1d29c3cec5b5

SHA256
7a391663e87a1c2ba166da71712949c28ff8d479f39b6f2f2ba74abc8670ea1c

SHA512
02471719df0bd45a442119dba66cb12626c09fbb180cc9de7220f90d8c29c39b468195985e503696233a839cdf4fd07f9c9519eae2e8bda7801049459932a16d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
ea3aca3e34af5b3222f53b0a859c394f

SHA1
3e0b9895e7bd484a0ebbf559e4d32fac73e8cb3a

SHA256
0212e9736c165f3e540ed9bf0a3f9036996bc40afb6299021f45990476e786fb

SHA512
93a5dc0eb6e112fdc084f03b67fe408a8f88f92dff4f5924a23b4e27afce7bf12124a025b861b7d327059e96dac55f88b63f69a7c3bcb59e20b86841c4578062

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
23fe9761cd05208a620a0c1a8958786f

SHA1
a589e98b35b3c6b3e1a969f0674f305e7cf45682

SHA256
70ede977592bd3964d7b6cae912b1e572021c291f21aa3d228226be96f4ed861

SHA512
e33006fd1b6fde781e217b3bb0c2217869356dfab6bcbd639c736df3e35e653454132712b03586cb6d89677f1497f8903ec8240fce15324f6c4a46bf5ec31ed8

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UHGPP.tmp\YAPM-v2.4.1-Setup.tmp
Filesize
1.2MB

MD5
4bbb6af20037ff0a429b494c9cc3b922

SHA1
d3a400c2627460bc4c5d6b686dc0a7d6f7842be9

SHA256
fd1ec145fec2ae61e534951ce597597537cf4c775c464a9d8793667131f305d7

SHA512
31995b56d53377f2cd53ef42e6d9f32287409fdf054d8beb8725ea7e46046ec1f8b2df74fd9780e1c7a53feb08c93f4b550e7e07e550b382cdf60235490abca8

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log
Filesize
45KB

MD5
2e2e594aa7c01ccc311028b63d94e05f

SHA1
c8867eee4422cd09dc1381de20ab025a4cd7bc0c

SHA256
c8b43037c26250b6d8751bec6d704f56feeee72eb714405d73cd1cc6c32da5f3

SHA512
628886ffcf0c50688bd61a8cd169183839ca5d6fa65a4ee250b32c59bc502f0cfc9ff2ef9144a27ed57310803b6d7d3570e13a4528f78c4c6d5bb190d090902b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Accessibility\2c68539db75e583ae627fdd72a15be71\Accessibility.ni.dll
Filesize
25KB

MD5
c8c7a383ceb4c4d1df55308ba44f75fd

SHA1
7a90edf7bd4488ec42efaabb51f5c9c3560db8e2

SHA256
55588bf1f5b0979b2efb09a755d5c6827946040e0ff8a118d8003377c26d03d8

SHA512
669b5adf2bdaa29449bd771cb5ee2aa5b48ea8bf67ab7a1b76ff8c31942bb4e39a86b7b8d173624538bd5ef8998976b6ace905894cf68f14c3da841520ee4fa9

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.JScript\1235d1a10b2c1bccdf118819cb279c5f\Microsoft.JScript.ni.dll
Filesize
2.2MB

MD5
b37c20d91e5baff2d30b0d636a2c209c

SHA1
84483060e49c319714273dafbde20fb0d576867b

SHA256
e2b7cde044da1dfdb4aeb3f225dbca6c53ae0524fb4b6cd49fea31521f2db5e9

SHA512
2c3b6df4e0d354b73434b03065d8cc1706b224b027c03bc5e17614ffec0c6a79e3c02735d3099349130d2c0f3df7aaffbd5de0ac388dc8a5e7a49875f15d35d8

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.VisualC\574e82db6b0f08cfa6c354a8c530eee2\Microsoft.VisualC.ni.dll
Filesize
15KB

MD5
01d23f6812fe23c0ce53c3fd1e1d1f34

SHA1
943b6ad66eae548473d9e093a35290e421de7a7d

SHA256
32a2b9d92ec3446635a6f9cb21acfb662ba5a1f1b5e725d6ec763438426a9962

SHA512
7df32aa18e90d856e982c555d040e7ceabada7e127a927ac7962d6276079d3e1ab9a1e9a824c67b7a0805ed3c4015de41b9f6b133af956def360dd8485cb9e7e

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Microsoft.Vsa\10e71e68c34b88d218ba4d0f66afcd97\Microsoft.Vsa.ni.dll
Filesize
54KB

MD5
ef7cf928defeb6d39276044d3d826d79

SHA1
8c7b0947f5c6ab529806e9f7cc7e3ebcfd433739

SHA256
34d9d84e4beadaa8621973d2d3a0a0e86f65f0119c6495edc37ebb764cbdef24

SHA512
3b5727d8d8b8d07de3d341f969e37c78287341c1af7df88d13988fc4a7a7ac142ad28e8f63980506b657f9208eb6b783e2179e08f5f5e33dd05c39108c9eb4bb

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Configuratio#\611ffd8fff7c0284ff774f1020615bfa\System.Configuration.Install.ni.dll
Filesize
138KB

MD5
e038d64d34bc584a554a6281edc8c228

SHA1
ad4c9d87357531c1978ec5855023bd80a37a7895

SHA256
3fe4993755e07639419a3905f331abb6dc156968c6f2e49bcd14156d6bf729e5

SHA512
f09c55227ab5863d0688a53fef584266f690c60d1d16fec5e60f9561dd14862059a59778975a143fbc8725f61b173efdcad90f6b3e6636c20c72fc6a543e1385

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data.OracleC#\0e0f9e36df1c27f4678f09942864c9af\System.Data.OracleClient.ni.dll
Filesize
1.1MB

MD5
0ec47acd4f820931ab96d7ebc524e9ef

SHA1
7305e6b9de6dbcda8b0d9ec9aceb33f35181c03e

SHA256
5d24f91ebb1824af1d1b61ec43d3d50f025678570b5bf3f873f41e0640e36dae

SHA512
28f59fb366caf78afbe149c2a612b9aa618b2667b3f93da814f3b848dd17ca9490fd5154a1ca64a12d62033bbcd5be6b777a3b6861b9c7eb52fe1ab5796a8547

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Data\eaae44035dbd83a24255786d2aa9eef1\System.Data.ni.dll
Filesize
6.3MB

MD5
0e5ef58a5c1ef441d6203b9646569ae7

SHA1
65874e3a59eeec9bb8147e4f459a303de91c4100

SHA256
548f3755733ca180ea1a4e7782dcbc17006922b80586e9208b413be95d2154da

SHA512
a1537470ad190ffe22bbd08d330bf3123a9ab20fce35270588c0bd23dec475c8a64acea1c4872c47d6f3dfdaca42886890e05d8f822373fca0236fc5762089da

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Design\b345b1f734ea3aea3540caf55869215a\System.Design.ni.dll
Filesize
10.2MB

MD5
29fe4a231b7fadd9b66a1b59e7876033

SHA1
aa596d8d462dab324a10a812831d1bb7ede8adfc

SHA256
7a1135452728669b1cb452c58a969a9c30f5e5cadc048d4b03a21f99adf6528d

SHA512
c1e0195c546afb894d12f34b072c67e79bbe1f4dda500a7d821fb3d2010824f51d836794cd9484d4e2f1673486e5ab122cf88125cb2ac58a23f88207ed086514

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\16ebe8df2036040bf7b16fbb0b441d63\System.DirectoryServices.ni.dll
Filesize
1.1MB

MD5
83549945235b83efb6078a1bb43a5ddc

SHA1
eb3b8496948c891b07376222a058f7ed2f863799

SHA256
f8cca9ed968d1f6244dda022faa84032e6ebec36168d4fb396ad8d01597f356a

SHA512
e55e4baf49291b160f0dce9ef68ee1328496d3263a0469c4c65b7626d6f1a67fa2798f4b47d1991201743033c95421c83fc3ff836aca7b1e65c18bd073eb0f79

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.DirectorySer#\2d96546698256d818114d8a17215f513\System.DirectoryServices.Protocols.ni.dll
Filesize
444KB

MD5
ec4f188e5ea5045a76ec135a2b1871cf

SHA1
e82130863879e52e9833aeb34e8a8d613d0926aa

SHA256
7dddd2359338f8c5e8879d64c4a8583c930fa98b079fc6edad0e96e3d027cbcd

SHA512
69cada3a6274863b524ee160848c99f2b0979b6e9ba5a205266604382cf5e3ae26277d216c1cb15302782fe15c84f3238ba98b0f0a1d15c054848c78da18df38

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing.Desi#\30bacfb052519296a25d585d62d65f0e\System.Drawing.Design.ni.dll
Filesize
203KB

MD5
ad8de415732fcf19dcb2df89ddfe3159

SHA1
7ab07013e4d4a6f0a23e9571b1b175d9e65d7652

SHA256
7aba2361cde5cf74436533f0da387b83c7e47ed254c2a92fdc9085445e20739e

SHA512
81c8bc4af3bc9d0ce42f903f58456f411f6f5ac31cb569391c31cf5274181a618b2b01f086fc8e39bb24a763accf3c1e3660d4129ad40f53c968f83e5a9ecab5

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Drawing\14ad09938f3197fce462d47b2194bd45\System.Drawing.ni.dll
Filesize
1.5MB

MD5
1777b41cb2741762a6fceefd99bba158

SHA1
3dd8eee460a20e52689a116103cfa3a43b159d19

SHA256
a549546bdf9b32979033c151fe1ca370f2661570f4637d21138ac4ace369a73a

SHA512
554322ba20e331bd96268842294f71acdbec70765d8c82c51d06c9261a4c284578b26af7efbeec4b072f1ea5b50514a6bcc290343fc12c87b1afa7597ec543f6

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.EnterpriseSe#\bd2663637d8b93a187e67959328f54fe\System.EnterpriseServices.ni.dll
Filesize
613KB

MD5
0314d12a843f739fe5cd750fdff0289c

SHA1
61d925baf5f080132b62cafd3d1ff8a76ce6a477

SHA256
90f1074270765c0908c6527ca8a86d4199b241e87f2dc5c84ada42c5d966776e

SHA512
997a22727aae924fb467a057a484975d5b3b460f2070b5acfcbc86f8cb8a0d19ee682332d3aa3b2281c63eb7a91b98399ab5a64fc8476fba79d6c10adc5f458c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Management\72c9cb72b835b7c30c4f78fe745aaf81\System.Management.ni.dll
Filesize
1.0MB

MD5
4a00b10826c6299d6018d765185f8cda

SHA1
3e7403d0e7a4ea3eac6c44caf8ca175c61b1b223

SHA256
417dec98ef88be4290ff79dc716552ff3546a1eef29b5c8efd21bdae514d98a1

SHA512
42c1d6ce3a6a5fd584360a3c73b35dfa413ab64897a4f781f4eea0c961161e1ee1155d417ee67dc5b67aa22bf0645990937fd3087a2837692ca963e04c6afee4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Remo#\b7f272c19ef36ca26a6716b3ce65ba06\System.Runtime.Remoting.ni.dll
Filesize
756KB

MD5
1ca868c0ac37fc6cff2e1ed835a38cd6

SHA1
34f7a8b37af4e35d7ee07eaaca4aa06422e739ff

SHA256
d3e76742f3c6266a039769e51a4b5f419f5d016a1d68b70e8bb136bd2dd590e4

SHA512
fcd95cbe91b768620c74c53b1cb5365ff40fde039a525835572322c48e3750e79a8920f797a32e709b4bea4cf6a77a65d5210cbc2e8e1b4363c3c0d22abb4f5d

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Runtime.Seri#\bfa1161e5e8a708ebafb06503d3ea591\System.Runtime.Serialization.Formatters.Soap.ni.dll
Filesize
303KB

MD5
81116a8852efd011051d9891498970ad

SHA1
784bdae7ec804a5757405287bd5e1b4a2817a730

SHA256
8f8dd22755618fc224856a4a116f9434bac9aa3b1ad023fba70233f74d4a760e

SHA512
f5e2b282c7ef29f91ea43e5f0c935315ca78663f0068e656c422ea622f4ff05150f6ff97764f39ce40246fb8e0f01f430ca3e23c7d15f87883180c18bd718e6c

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Security\6358a966b003f859eb24e6c49d3bb7fa\System.Security.ni.dll
Filesize
705KB

MD5
9f33792c2dd85df9f6f356ac2761d5a9

SHA1
52236ee0a57ac0b135fa68e70adb8f1582b979a1

SHA256
497a442b45d20a888bd7f57b2bd3b39867752b1304109a414ccca565f1bdd9eb

SHA512
0d8d7ca85b6f68bb890391c0490bedf80efd2360fdc9e861038dedf5cff43519ec77ec6b7c5a9976f427d9690e2e94d96572b29f9fdffb4abe46d62c94a4458f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.ServiceProce#\abc482a81715bf779d3138355f99283f\System.ServiceProcess.ni.dll
Filesize
219KB

MD5
594ecb1346fa642970e336852647a24b

SHA1
296fb9e6aa2b62e58562397d0b815fe3b5593c2e

SHA256
043568069f8dd1438c3d5f9e93f02329c25793e614dd39acf0ad1322e8175f9f

SHA512
554fa415ea52a6250d1f0a40c6e905ce1c096114f6480d94fdb95716f3a1f9434a69e93383ebfd8dc8fe27cb54e668395c3d763847220fbaf9e663050736a7d0

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Transactions\391b0d05b44d909e89c784995e964aa1\System.Transactions.ni.dll
Filesize
612KB

MD5
cd0552ae9ef192595a77292a45b87e21

SHA1
29dc417a2547f08b2aa1b537e63429a12d88d662

SHA256
b728af1b74b97e7ca828c7eaf297a100b384ad1d90df35304cd56a6e28580849

SHA512
ed222c33ce9fb01be88430f63ca1fd6fd46d10d6df2573128497e8e9e493a6b328944edd66793da1f9151aea0b1a4e0d1c89e85260d3a6763584b2e872d18142

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.RegularE#\01d6f732622814b1e863a201924278f0\System.Web.RegularExpressions.ni.dll
Filesize
248KB

MD5
1bafe0bd53dbe522e0a8a99937b00b54

SHA1
872a705244b421c966500bf964d0302069d065f2

SHA256
90c450b59896e2a0996cb3405e87ba053465ff26fe7a4099fc521398f282e796

SHA512
147ed06e64e9d68501231ff6cc1ca8c1ce621f39be1c198e85ac172ab8d933cb2f0a6005eb24b1713b2a7cf24dac5744e68720a3728a810b80c79279fee0e423

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web.Services\4c1da9372aeef07827689ca3afe5d28e\System.Web.Services.ni.dll
Filesize
1.8MB

MD5
5584d2a9ef894cadfc271215e4fc84ff

SHA1
24cbddcd375c61708c43deeec5b0446257b535e6

SHA256
985d5c5e0781573a6bcc50bef8eaa624303cee239b0ed8b6921f570d4e21b336

SHA512
62f70cd7a6b5e1b3d5186349ff1b9033631df6e2647b4a036888c6486db7dd97ab52a54ce1d8d6803c0e95a36c595d0a93b5581ca35232a9832f079b1d5e56f7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\System.Web\e2dbd9e164bfad626e4b00b772242ecc\System.Web.ni.dll
Filesize
11.4MB

MD5
2eaa2acb0b3adca1d5431bcf352ef222

SHA1
513e01dbce727afa548f37aa7e4c1e3d30227cda

SHA256
9df42ff477f9b36e0c2f116182239953c6476b9cc019a9ab4912294926108538

SHA512
586d20cf97750ce83ce2417810fb036319fdd5e05a0f4318d2b704f8c46f40c63c92a3593198ffdd528b5a9cf70a1114bb81430f92263ba886e5ed1a21a7af65

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP6E0C.tmp\YAPM.exe
Filesize
7.6MB

MD5
6c88d2a0fc90b4e895fd5a9571ad9694

SHA1
7fda0d683b59ab0ab493e51fcaee9e67e03c11f0

SHA256
31fd83cb31ebfa7833f1c4760ecd3e6873ed6c0c03f0b7f16714eb31feee26b7

SHA512
3ca78a29ac1397cbf7f358b19e530b2c39d997ec2874bda41ca921f975c489bfa18d44b8641bbe80d5a49e9138a2a7ea2efba252b6a597e774546b996a0c0a86

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7ADD.tmp\Microsoft.VisualBasic.dll
Filesize
1.6MB

MD5
8170c36f6c32051d14dc22444ccc2b8b

SHA1
345ab95abe39683d55b2debab953c00154edf739

SHA256
92b2b0cef502a43ea7ca0f2cc55e9fa4a30309fda7db4d23418b1fd77288fd98

SHA512
cc1bbdb44208f96173721b883cf29f890be07e1c4699c8a5dde5efb44f7cd22465981eea21c54ff0014f782751debaa5d441eb3ffd6f3deb4017c289a3281c17

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP7CC1.tmp\System.Deployment.dll
Filesize
1.6MB

MD5
858999ee084d930465c568a31bad0fc1

SHA1
9715cceab0b7341646d15000394924481a157c2d

SHA256
9cd9d565f993759fd579bd153782d66332a6df9d4f38668fc0612d5fd6c3efbf

SHA512
8348d3c78ec084f18a906d5a17a1bb169b4bd28fc31de413f0340cd12bc94427a23d410a81ae952bce5a5abe837f0210dae778d95ec8ec23098d204badc563d4

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP803C.tmp\System.Configuration.dll
Filesize
955KB

MD5
4990dd6603ba3479ecc73fa52da8b155

SHA1
8bdc7e58144a9714537f7415ff14bd47b0b15f21

SHA256
88d7bf86a81d78d6cc26e3e740cb2552b0daab107a6fe57ff29b3a8b4c765d01

SHA512
7c5ab15c8c5dc5c210ec49a56b422a53fd648d805f4e6211ff0f66a81a78dc32f33d4f026f9d7b8b116eb3c0a6d5aafeed4749054b8238d14fb6258b27172dc7

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP824F.tmp\System.Xml.dll
Filesize
5.2MB

MD5
aadbe0249d57d7e9a3be8f38b2eefac5

SHA1
5c58bb8a226b7348dd2e066041a80472751cee00

SHA256
1d669ecca4017e8be44b1dafb52155a77d5632acdda10ad94688abe5f06f6480

SHA512
835c206b482c1610d70bcf1d60810c8eef696491eb9cc9d11ee411c6f98d53a9ae120edfe52ef0998541adee7bf1c286db0ff103cac7d68804dfff4a400b193f

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP8916.tmp\System.Data.SqlXml.dll
Filesize
2.4MB

MD5
fd8567cee64f4ce0a2e379c07adfe6e3

SHA1
7f46520023013b7563004bd2dac830816029b9e3

SHA256
e2db1ccf6218e8aef23603a2672348161351ece68b78f5e1b74301bf2a9f354f

SHA512
35ec5d23548c8e6d367eba031c62b933b56cc269f917e726e74d2ff1c077a88e08bf76ba2a2122d7146fcb950ccf6765c99b4112e5ff11edbac5a6b855ea729b

Download Submit
C:\Windows\assembly\NativeImages_v2.0.50727_32\Temp\ZAP91A1.tmp\System.Windows.Forms.dll
Filesize
11.9MB

MD5
7504e4158cdca056f7b7ec0c2d99337e

SHA1
9a0feb906318f65d0be06d682ce191525124ad30

SHA256
6f83ea368ba764c5f2832ba4975c0cb2ffc000708c1ecf603f3130016e39d142

SHA512
ba4e9e2a1f0c9532787519620f1d714c5b27cb5eddb5513a137c284062ce15e7122ab37d07363a75567b9d2a849d0f64ffeaa997fa5ca9e3f9eb414ca8943128

Download Submit
memory/1816-2-0x0000000000401000-0x0000000000417000-memory.dmp

Filesize
88KB

Download
memory/1816-46-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1816-0-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/1816-328-0x0000000000400000-0x000000000043A000-memory.dmp

Filesize
232KB

Download
memory/2948-333-0x00000000013B0000-0x00000000013B8000-memory.dmp

Filesize
32KB

Download
memory/2948-332-0x000000001C3E0000-0x000000001C486000-memory.dmp

Filesize
664KB

Download
memory/2948-331-0x000000001BE60000-0x000000001C32E000-memory.dmp

Filesize
4.8MB

Download
memory/2948-330-0x000000001B970000-0x000000001B990000-memory.dmp

Filesize
128KB

Download
memory/2948-329-0x000000001B8A0000-0x000000001B93C000-memory.dmp

Filesize
624KB

Download
memory/4004-53-0x00000000730B0000-0x0000000073661000-memory.dmp

Filesize
5.7MB

Download
memory/4004-52-0x00000000730B0000-0x0000000073661000-memory.dmp

Filesize
5.7MB

Download
memory/4004-51-0x00000000730B0000-0x0000000073661000-memory.dmp

Filesize
5.7MB

Download
memory/4004-48-0x00000000730B2000-0x00000000730B3000-memory.dmp

Filesize
4KB

Download
memory/5052-327-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/5052-47-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download
memory/5052-7-0x0000000000400000-0x0000000000544000-memory.dmp

Filesize
1.3MB

Download