redline | hxxps://cdn[.]devolutions[.]net/download/Setup[.]RemoteDesktopManager[.]2023[.]2[.]22[.]0[.]exe

Analysis

max time kernel
519s
max time network
524s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
18/08/2023, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.devolutions.net/download/Setup.RemoteDesktopManager.2023.2.22.0.exe

Score

10^/10

redline https://devolutions.net/data/hubimporterchangehistoryupdate.htm{0}infostealer persistence

Malware Config

Extracted

Family

redline

Botnet

https://devolutions.net/data/HubImporterChangeHistoryUpdate.htm{0}

https://devolutions.net/data/HubImporterChangeHistoryBetaUpdate.htm{0}

Signatures

RedLine
RedLine Stealer is a malware family written in C#, first appearing in early 2020.
infostealer redline
Downloads MZ/PE file

Sets file execution options in registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MicrosoftEdgeUpdate.exe\DisableExceptionChainValidation = "0"	MicrosoftEdgeUpdate.exe

Executes dropped EXE 33 IoCs

pid	Process
3168	Setup.RemoteDesktopManager.2023.2.22.0.exe
4648	MicrosoftEdgeWebview2Setup.exe
4092	MicrosoftEdgeUpdate.exe
4764	MicrosoftEdgeUpdate.exe
740	MicrosoftEdgeUpdate.exe
5092	MicrosoftEdgeUpdateComRegisterShell64.exe
3372	MicrosoftEdgeUpdateComRegisterShell64.exe
4892	MicrosoftEdgeUpdateComRegisterShell64.exe
4332	MicrosoftEdgeUpdate.exe
2132	MicrosoftEdgeUpdate.exe
5068	MicrosoftEdgeUpdate.exe
4436	MicrosoftEdgeUpdate.exe
3592	MicrosoftEdge_X64_115.0.1901.203.exe
4680	setup.exe
4920	MicrosoftEdgeUpdate.exe
1920	Setup.RemoteDesktopManager.2023.2.22.0.exe
4332	Devolutions.Updater.exe
3972	RemoteDesktopManager.exe
4068	msedgewebview2.exe
4728	msedgewebview2.exe
4484	msedgewebview2.exe
3280	msedgewebview2.exe
4916	msedgewebview2.exe
1244	msedgewebview2.exe
3528	msedgewebview2.exe
4104	msedgewebview2.exe
4384	msedgewebview2.exe
4640	msedgewebview2.exe
4128	msedgewebview2.exe
5068	msedgewebview2.exe
4512	msedgewebview2.exe
1636	msedgewebview2.exe
2724	MicrosoftEdgeUpdate.exe

Loads dropped DLL 64 IoCs

pid	Process
2572	MsiExec.exe
2572	MsiExec.exe
4092	MicrosoftEdgeUpdate.exe
4764	MicrosoftEdgeUpdate.exe
740	MicrosoftEdgeUpdate.exe
5092	MicrosoftEdgeUpdateComRegisterShell64.exe
740	MicrosoftEdgeUpdate.exe
3372	MicrosoftEdgeUpdateComRegisterShell64.exe
740	MicrosoftEdgeUpdate.exe
4892	MicrosoftEdgeUpdateComRegisterShell64.exe
740	MicrosoftEdgeUpdate.exe
4332	MicrosoftEdgeUpdate.exe
2132	MicrosoftEdgeUpdate.exe
5068	MicrosoftEdgeUpdate.exe
5068	MicrosoftEdgeUpdate.exe
2132	MicrosoftEdgeUpdate.exe
4436	MicrosoftEdgeUpdate.exe
4920	MicrosoftEdgeUpdate.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4976	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
4932	MsiExec.exe
560	MsiExec.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
4068	msedgewebview2.exe
4728	msedgewebview2.exe
4068	msedgewebview2.exe
4068	msedgewebview2.exe
3280	msedgewebview2.exe
3280	msedgewebview2.exe
4484	msedgewebview2.exe
4484	msedgewebview2.exe
4916	msedgewebview2.exe
4916	msedgewebview2.exe
4484	msedgewebview2.exe
4484	msedgewebview2.exe
4484	msedgewebview2.exe
1244	msedgewebview2.exe
4484	msedgewebview2.exe
1244	msedgewebview2.exe
1244	msedgewebview2.exe
3972	RemoteDesktopManager.exe

Registers COM server for autorun 1 TTPs 33 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\INPROCSERVER32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdateComRegisterShell64.exe

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\N:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\W:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\L:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\Z:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\A:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\I:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\J:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\G:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\M:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\S:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\O:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\W:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\S:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\E:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\J:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\K:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\P:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\U:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\V:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\G:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\X:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\R:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\Z:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\H:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\U:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\B:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\L:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\N:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\T:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\V:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\P:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\T:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\A:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\E:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\H:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\I:	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened (read-only)	\??\M:	Setup.RemoteDesktopManager.2023.2.22.0.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\Locales\cs.pak	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Itenso.Rtf.Interpreter.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_sq.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\VisualElements\LogoBeta.png	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\fr\Devolutions.resources.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeUpdate.exe	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\msedge.dll.sig	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SamplePhone.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleWebServer.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Pdf.v22.2.Core.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Utils.v22.2.dll	msiexec.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_ca.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\Locales\lo.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\v8_context_snapshot.bin	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\runtimes\win-arm64\native\wt\defaults.json	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\System.Text.Encodings.Web.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_ml.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\dual_engine_adapter_x64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\Trust Protection Lists\Mu\Analytics	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\MEIPreload\manifest.json	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.Business.XmlSerializers.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleSession.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleWeb.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Zxcvbn.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\System.Security.Cryptography.ProtectedData.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Data.v22.2.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.PivotGrid.v22.2.Core.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\identity_proxy\stable.identity_helper.exe.manifest	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleLocation.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\runtimes\win-x64\native\wt\ProfileIcons\{0caa0dad-35be-5f56-a8ff-afceeeaa6101}.scale-100.png	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.AspNetCore.Http.Extensions.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_ca-Es-VALENCIA.dll	MicrosoftEdgeWebview2Setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\Trust Protection Lists\Sigma\Advertising	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleFavorite1.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleSync.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleDeployment.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Nager.PublicSuffix.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_cs.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\identity_proxy\win11\identity_helper.Sparse.Beta.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\identity_proxy\win10\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\runtimes\win-arm64\native\wt\WindowsTerminalShellExt.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\PdfPreview\PdfPreviewHandler.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\resources.pak	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\OpenSource\CPOL.htm	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\System.Numerics.Vectors.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.CodeAnalysis.CSharp.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_fi.dll	MicrosoftEdgeWebview2Setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\Locales\et.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\Locales\ko.pak	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Newtonsoft.Json.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\runtimes\win-x64\native\wt\elevate-shim.exe	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.RichEdit.v22.2.Export.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleCart.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\runtimes\win-x64\native\DevolutionsVnc.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\delegatedWebFeatures.sccd	setup.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\System.Drawing.Common.dll	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\Images\Svg\SampleServerFarmB.svg	msiexec.exe
File created	C:\Program Files\Devolutions\Remote Desktop Manager\runtimes\win-arm64\native\SQLite.Interop.dll	msiexec.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\edge_feedback\mf_trace.wprp	setup.exe

Drops file in Windows directory 45 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\Pro5F5A.tmp	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSI22EB.tmp	msiexec.exe
File created	C:\Windows\Installer\e5de4c5.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5375.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\exclamic	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\repairic	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\tabback	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\info	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\cmdlinkarrow	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\rdmfreebanner.gif	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened for modification	C:\Windows\Installer\MSIE959.tmp	msiexec.exe
File created	C:\Windows\Installer\{48D88C84-829E-41ED-B6C4-C24F009E8D2C}\Application.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI59B2.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\removico	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\completi	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\custicon	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\Up	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\SourceHash{48D88C84-829E-41ED-B6C4-C24F009E8D2C}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5EA5.tmp	msiexec.exe
File opened for modification	C:\Windows\SystemTemp	msedgewebview2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\banner.jpg	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened for modification	C:\Windows\Installer\e5de4c5.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA26.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIEA75.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI35D8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI383A.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\NetFirewall.dll	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\New	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened for modification	C:\Windows\SystemTemp\shiE34E.tmp	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\Installer\{48D88C84-829E-41ED-B6C4-C24F009E8D2C}\ext.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{48D88C84-829E-41ED-B6C4-C24F009E8D2C}\ext.exe	msiexec.exe
File opened for modification	C:\Windows\Installer\{48D88C84-829E-41ED-B6C4-C24F009E8D2C}\Application.exe	msiexec.exe
File opened for modification	C:\Windows\SystemTemp\shiB576.tmp	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\insticon	Setup.RemoteDesktopManager.2023.2.22.0.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\lzmaextractor.dll	Setup.RemoteDesktopManager.2023.2.22.0.exe
File opened for modification	C:\Windows\Installer\MSIEA06.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI387A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI551C.tmp	msiexec.exe
File created	C:\Windows\Installer\e5de4c7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5963.tmp	msiexec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\dialog.jpg	Setup.RemoteDesktopManager.2023.2.22.0.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 47 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WINDOW_RESTRICTIONS	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_VALIDATE_NAVIGATE_URL	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SCRIPTURL_MITIGATION\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SPELLCHECKING	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_STATUS_BAR_THROTTLING	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WINDOW_RESTRICTIONS\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_GPU_RENDERING	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_SCRIPTURL_MITIGATION	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_XMLHTTP	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\RemoteDesktopManager.exe = "11000"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_AJAX_CONNECTIONEVENTS	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_OBJECT	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DOMSTORAGE	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_ADDON_MANAGEMENT	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DISABLE_LEGACY_COMPRESSION	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DOMSTORAGE\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_TABBED_BROWSING	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_DOCUMENT_ZOOM	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ADDON_MANAGEMENT\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_IVIEWOBJECTDRAW_DMLT9_WITH_GDI\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_MANAGE_SCRIPT_CIRCULAR_REFS	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_SPELLCHECKING\RemoteDesktopManager.exe = "0"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBOC_MOVESIZECHILD\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBSOCKET	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_DISABLE_NAVIGATION_SOUNDS\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_ENABLE_CLIPCHILDREN_OPTIMIZATION\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_STATUS_BAR_THROTTLING\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_WEBOC_POPUPMANAGEMENT	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_GPU_RENDERING\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_XMLHTTP\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_BLOCK_LMZ_SCRIPT	RemoteDesktopManager.exe
Key created	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_LOCALMACHINE_LOCKDOWN	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_TABBED_BROWSING\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1420546310-613437930-2990200354-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_WEBSOCKET\RemoteDesktopManager.exe = "1"	RemoteDesktopManager.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\dnsapi.dll,-103 = "Domain Name System (DNS) Server Trust"	Devolutions.Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133368651709005018"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E	Devolutions.Updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\NgcRecovery.dll,-100 = "Windows Hello Recovery Key Encryption"	Devolutions.Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-843 = "BitLocker Drive Encryption"	Devolutions.Updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\fveui.dll,-844 = "BitLocker Data Recovery Agent"	Devolutions.Updater.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\system32\WindowsPowerShell\v1.0\powershell.exe,-124 = "Document Encryption"	Devolutions.Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\EdgeUpdate\ClientState	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\wuaueng.dll,-400 = "Windows Update"	Devolutions.Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f\52C64B7E\@%SystemRoot%\System32\ci.dll,-101 = "Enclave"	Devolutions.Updater.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	powershell.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	MicrosoftEdgeUpdate.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{9E8F1B36-249F-4FC3-9994-974AFAA07B26}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6DFFE7FE-3153-4AF1-95D8-F8FCCA97E56B}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{08D832B9-D2FD-481F-98CF-904D00DF63CC}\VersionIndependentProgID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\ELEVATION	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{FCE48F77-C677-4012-8A1A-54D2E2BC07BD}\NumMethods\ = "4"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7E29BE61-5809-443F-9B5D-CF22156694EB}\NumMethods\ = "12"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.Update3WebMachineFallback.1.0\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.PolicyStatusMachine.1.0\CLSID\ = "{B5977F34-9264-4AC3-9B31-1224827FF6E8}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.ProcessLauncher\CLSID\ = "{08D832B9-D2FD-481F-98CF-904D00DF63CC}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{2EC826CB-5478-4533-9015-7580B3B5E03A}\ProxyStubClsid32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\ProxyStubClsid32\ = "{B4A02D72-2A34-41DB-B37F-05DFDB27E933}"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods\ = "16"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rdmj	msiexec.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{A6B716CB-028B-404D-B72C-50E153DD68DA}\VERSIONINDEPENDENTPROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{EADE5C79-5190-49C1-AA39-AFF5E19DE0A2}\InprocHandler32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7B3B7A69-7D88-4847-A6BC-90E246A41F69}\ = "IAppVersion"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\ = "IAppCommand"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{9A6B447A-35E2-4F6B-A87B-5DEEBBFDAD17}\NumMethods	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5F9C80B5-9E50-43C9-887C-7C6412E110DF}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{1B9063E4-3882-485E-8797-F28A0240782F}\NumMethods\ = "4"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MicrosoftEdgeUpdate.CoreClass.1\CLSID\ = "{8F09CD6C-5964-4573-82E3-EBFF7702865B}"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{2603C88B-F971-4167-9DE1-871EE4A3DC84}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Devolutions inc..Remote Desktop Manager.rdp\shell\Edit\command\ = "mstsc.exe -edit \"%1\""	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{195A2EB3-21EE-43CA-9F23-93C2C9934E2E}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rdd\ = "Devolutions inc..Remote Desktop Manager"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C06EE550-7248-488E-971E-B60C0AB3A6E4}	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}\ = "IJobObserver2"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\48C88D84E928DE146B4C2CF400E9D8C2\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{99F8E195-1042-4F89-A28C-89CDB74A14AE}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rdm\Devolutions inc..Remote Desktop Manager	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rdmj\Devolutions inc..Remote Desktop Manager\ShellNew	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8F09CD6C-5964-4573-82E3-EBFF7702865B}\VersionIndependentProgID\ = "MicrosoftEdgeUpdate.CoreClass"	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C853632E-36CA-4999-B992-EC0D408CF5AB}\NumMethods	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{7584D24A-E056-4EB1-8E7B-632F2B0ADC69}\ = "IPolicyStatusValue"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3E102DC6-1EDB-46A1-8488-61F71B35ED5F}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{AB4F4A7E-977C-4E23-AD8F-626A491715DF}\NumMethods\ = "41"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{837E40DA-EB1B-440C-8623-0F14DF158DC0}\NumMethods\ = "24"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine_64.dll"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3A49F783-1C7D-4D35-8F63-5C1C206B9B6E}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E421557C-0628-43FB-BF2B-7C9F8A4D067C}\ = "Microsoft Edge Update Update3Web"	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{CECDDD22-2E72-4832-9606-A9B0E5E344B2}\PROGID	MicrosoftEdgeUpdate.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\MicrosoftEdgeUpdate.exe	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32\ThreadingModel = "Both"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B4A02D72-2A34-41DB-B37F-05DFDB27E933}\InProcServer32\ = "C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\psmachine.dll"	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\ = "IPolicyStatus"	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{450CF5FF-95C4-4679-BECA-22680389ECB9}\NumMethods\ = "10"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A2F5CB38-265F-4A02-9D1E-F25B664968AB}\InprocServer32	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{D9AA3288-4EA7-4E67-AE60-D18EADCB923D}	MicrosoftEdgeUpdate.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A6556DFF-AB15-4DC3-A890-AB54120BEAEC}\NumMethods\ = "7"	MicrosoftEdgeUpdateComRegisterShell64.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EA92A799-267E-4DF5-A6ED-6A7E0684BB8A}	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{FEA2518F-758F-4B95-A59F-97FCEEF1F5D0}\NumMethods	MicrosoftEdgeUpdateComRegisterShell64.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\CLASSES\WOW6432NODE\CLSID\{D1E8B1A6-32CE-443C-8E2E-EBA90C481353}\PROGID	MicrosoftEdgeUpdate.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E4518371-7326-4865-87F8-D9D3F3B287A3}\ProxyStubClsid32	MicrosoftEdgeUpdateComRegisterShell64.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{FF419FF9-90BE-4D9F-B410-A789F90E5A7C}\Elevation\IconReference = "@C:\\Program Files (x86)\\Microsoft\\EdgeUpdate\\1.3.153.53\\msedgeupdate.dll,-1004"	MicrosoftEdgeUpdate.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.RemoteDesktopManager.2023.2.22.0.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.RemoteDesktopManager.2023.2.22.0.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d4304000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	Setup.RemoteDesktopManager.2023.2.22.0.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
4092	MicrosoftEdgeUpdate.exe
4092	MicrosoftEdgeUpdate.exe
5068	MicrosoftEdgeUpdate.exe
5068	MicrosoftEdgeUpdate.exe
4436	MicrosoftEdgeUpdate.exe
4436	MicrosoftEdgeUpdate.exe
4092	MicrosoftEdgeUpdate.exe
4092	MicrosoftEdgeUpdate.exe
4092	MicrosoftEdgeUpdate.exe
4092	MicrosoftEdgeUpdate.exe
4920	MicrosoftEdgeUpdate.exe
4920	MicrosoftEdgeUpdate.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
560	MsiExec.exe
3860	msiexec.exe
3860	msiexec.exe
4968	powershell.exe
4968	powershell.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
2724	MicrosoftEdgeUpdate.exe
2724	MicrosoftEdgeUpdate.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
4968	powershell.exe
3972	RemoteDesktopManager.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe
4068	msedgewebview2.exe
3528	msedgewebview2.exe
3528	msedgewebview2.exe
3528	msedgewebview2.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe
Token: SeShutdownPrivilege	5096	chrome.exe
Token: SeCreatePagefilePrivilege	5096	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
5096	chrome.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe

Suspicious use of SetWindowsHookEx 9 IoCs

pid	Process
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe
3972	RemoteDesktopManager.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 1176	5096	chrome.exe	83
PID 5096 wrote to memory of 1176	5096	chrome.exe	83
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 3748	5096	chrome.exe	85
PID 5096 wrote to memory of 4008	5096	chrome.exe	86
PID 5096 wrote to memory of 4008	5096	chrome.exe	86
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87
PID 5096 wrote to memory of 4104	5096	chrome.exe	87

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\DataCollection	msedgewebview2.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://cdn.devolutions.net/download/Setup.RemoteDesktopManager.2023.2.22.0.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff85eb29758,0x7ff85eb29768,0x7ff85eb29778
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1664 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:2
  2⤵
  PID:3748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2260 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:4104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3004 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:1
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3012 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:1
  2⤵
  PID:4768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5168 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5520 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:4524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5292 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:764
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5344 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:2960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5400 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:4128
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5304 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 --field-trial-handle=1880,i,6853334479680212739,7698447844312518695,131072 /prefetch:8
  2⤵
  PID:576
- C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe
  "C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe"
  2⤵
  PID:224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3596

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2844

C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe
"C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in Windows directory
- Modifies system certificate store
PID:3168
- C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe
  "C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  PID:4648
- - C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeUpdate.exe
    "C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeUpdate.exe" /installsource taggedmi /install "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=true"
    3⤵
    - Sets file execution options in registry
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4092
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regsvc
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:4764
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /regserver
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Modifies registry class
      PID:740
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:5092
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:3372
    - - C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe
        
        "C:\Program Files (x86)\Microsoft\EdgeUpdate\1.3.153.53\MicrosoftEdgeUpdateComRegisterShell64.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Registers COM server for autorun
        Modifies registry class
        
        PID:4892
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNTMuNTMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDFCNzgxNDQtMkFFRC00QjdGLUI5RTYtQzEwNjAzREZCRTc2fSIgdXNlcmlkPSJ7RDJDMjg0QTItN0JBMS00RDIxLTkxRTgtM0M4MDA4Mjc5RENBfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0ie0Q1OTJGRUIwLUI4QUEtNDZEQi1CM0UwLTY4QjJGQzhDOUQzOH0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3FXSlN6V3dQZmRjTFIrWEdJdjZ4clpmaVlPeGhQVTJzMU5XbWpXY2FGUGc9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzQzRGRTAwLUVGRDUtNDAzQi05NTY5LTM5OEEyMEYxQkE0QX0iIHZlcnNpb249IjEuMy4xNzUuMjkiIG5leHR2ZXJzaW9uPSIxLjMuMTUzLjUzIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIj48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIiBpbnN0YWxsX3RpbWVfbXM9IjEwMzEiLz48L2FwcD48L3JlcXVlc3Q-
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4332
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /handoff "appguid={F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}&appname=Microsoft%20Edge%20Webview2%20Runtime&needsadmin=true" /installsource taggedmi /sessionid "{D1B78144-2AED-4B7F-B9E6-C10603DFBE76}"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:2132
- C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe
  "C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe" /i "C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\install\09E8D2C\Setup.RemoteDesktopManager.2023.2.22.0.msi" AI_EUIMSI=1 SHORTCUTDIR="C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Remote Desktop Manager" APPDIR="C:\Program Files\Devolutions\Remote Desktop Manager" SECONDSEQUENCE="1" CLIENTPROCESSID="3168" CHAINERUIPROCESSID="3168Chainer" ACTION="INSTALL" EXECUTEACTION="INSTALL" CLIENTUILEVEL="0" ADDLOCAL="MainFeature" INSTALLLEVEL="1000" PRIMARYFOLDER="APPDIR" ROOTDRIVE="F:\" AI_MISSING_PREREQS="Microsoft Edge WebView2 Runtime (web installer)" AI_DETECTED_DOTNET_VERSION="4.8" AI_SETUPEXEPATH="C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe" SETUPEXEDIR="C:\Users\Admin\Downloads\" EXE_CMD_LINE="/exenoupdates /forcecleanup /wintime 1692150941 " TARGETDIR="F:\" AI_SETUPEXEPATH_ORIGINAL="C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe" AI_INSTALL="1"
  2⤵
  - Executes dropped EXE
  - Enumerates connected drives
  - Drops file in Windows directory
  PID:1920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3860
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 9089C0D92A1A918E7E87EDD7ED7E20A5 C
  2⤵
  - Loads dropped DLL
  PID:2572
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 999CD76FF5DCBCCEDDA2D6353EE28FB6 C
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 14664543B6D3B09EF4209BAF2C7FECBE
  2⤵
  - Loads dropped DLL
  PID:4976
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B6C577D1CA386C696D36DEC4F4506344 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  PID:4932
- - C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Program Files\Devolutions\Remote Desktop Manager\pss5F49.ps1" -propFile "C:\Program Files\Devolutions\Remote Desktop Manager\msi5F26.txt" -scriptFile "C:\Program Files\Devolutions\Remote Desktop Manager\scr5F27.ps1" -scriptArgsFile "C:\Program Files\Devolutions\Remote Desktop Manager\scr5F28.txt" -propSep " :<->: " -lineSep " <<:>> " -testPrefix "_testValue."
    3⤵
    - Modifies data under HKEY_USERS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    PID:4968
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\1rprj2p3\1rprj2p3.cmdline"
      4⤵
      PID:4356
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES689B.tmp" "c:\Users\Admin\AppData\Local\Temp\1rprj2p3\CSCEBA7FAB045D946A1A739AF86F4B3B020.TMP"
        5⤵
        
        PID:4524
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3680
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.AspNetCore.Hosting.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1312
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.AspNetCore.Hosting.Server.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.AspNetCore.Http.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.AspNetCore.Http.Extensions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.AspNetCore.Http.Features.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.AspNetCore.StaticFiles.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Bcl.AsyncInterfaces.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4328
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Bcl.HashCode.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.CodeAnalysis.CSharp.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1548
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.CodeAnalysis.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4352
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Data.Edm.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1220
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Data.OData.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3436
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Data.Services.Client.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3604
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Data.SqlClient.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2280
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Configuration.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3528
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Configuration.Binder.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Configuration.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.DependencyInjection.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2420
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.FileProviders.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Hosting.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1648
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Logging.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4856
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Logging.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4812
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Options.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.Primitives.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1544
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Extensions.WebEncoders.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4820
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Identity.Client.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Identity.Client.Extensions.Msal.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.IdentityModel.Abstractions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.IdentityModel.Clients.ActiveDirectory.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.IdentityModel.JsonWebTokens.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.IdentityModel.Logging.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.IdentityModel.Protocols.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.IdentityModel.Protocols.OpenIdConnect.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4660
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.IdentityModel.Tokens.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Net.Http.Headers.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4168
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Office.Interop.Outlook.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3864
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Web.WebView2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Web.WebView2.WinForms.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4184
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Microsoft.Web.WebView2.Wpf.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:500
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Buffers.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3136
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Collections.Immutable.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3852
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.ComponentModel.Annotations.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1720
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Configuration.ConfigurationManager.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1980
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Data.SQLite.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Diagnostics.DiagnosticSource.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:868
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Drawing.Common.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3096
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.IdentityModel.Tokens.Jwt.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.IO.Hashing.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.IO.Ports.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Management.Automation.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3012
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Memory.Data.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Memory.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Net.Http.WinHttpHandler.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1488
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Numerics.Vectors.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Reactive.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Reflection.Metadata.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3692
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Reflection.TypeExtensions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3364
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Resources.Extensions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2600
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Runtime.CompilerServices.Unsafe.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4132
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Security.AccessControl.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Security.Cryptography.Cng.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Security.Cryptography.ProtectedData.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4564
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Security.Permissions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1560
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Security.Principal.Windows.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3516
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.ServiceModel.Duplex.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2672
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.ServiceModel.Http.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.ServiceModel.NetTcp.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4640
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.ServiceModel.Primitives.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5012
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.ServiceModel.Security.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4128
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Spatial.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Text.Encoding.CodePages.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Text.Encodings.Web.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Text.Json.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:460
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.Threading.Tasks.Extensions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4356
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\System.ValueTuple.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.AMTProxy.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:320
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Analytics.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3180
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Az.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Cadeau.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Cloud.ApiWrapper.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Compression.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Crypto.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.DatabaseUpgrade.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4328
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.DatabaseUpgrade.Interface.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1392
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.DNSManagement.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1164
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Gateway.Client.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:572
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Hub.Clients.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3748
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Hub.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1704
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.HubPersonal.Clients.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.IdentityModel.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1564
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Images.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3604
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Ipc.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Licorice.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.ModelGenerator.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:432
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.MsRdpEx.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.NativeMessaging.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.NetworkManagement.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:648
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.OnePasswordManagement.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1812
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Otp.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:236
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Picky.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4916
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.PowerShellMaml.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1820
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Protocols.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2112
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Rdp.Windows.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3904
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.RemoteManagement.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2100
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.RemoteManagement.XmlSerializers.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2932
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Renderer.Windows.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Rpc.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Server.ApiWrapper.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Sessions.Windows.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5032
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.SMB.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2252
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.SpiceworksManagement.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3520
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.TeamPassManagement.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5056
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Utils.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:232
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Utils.Windows.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.VimApi.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4660
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.VimApi.XmlSerializers.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.VirtualDesktop.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4168
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.VMwareManagement.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3864
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Vnc.Windows.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4148
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Zxcvbn.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4184
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Charts.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:500
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.CodeParser.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3136
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Data.Desktop.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3852
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Data.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1720
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.DataAccess.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1980
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.DataAccess.v22.2.UI.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2116
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.DataVisualization.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:868
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Diagram.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3096
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Dialogs.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Drawing.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Images.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Office.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3012
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Pdf.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3924
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Pdf.v22.2.Drawing.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4460
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.PivotGrid.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2540
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Printing.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3596
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.RichEdit.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1296
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.RichEdit.v22.2.Export.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:816
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Sparkline.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4912
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Spreadsheet.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4676
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.TreeMap.v22.2.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Utils.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:384
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Utils.v22.2.UI.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1876
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.Xpo.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1800
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraBars.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4564
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraCharts.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1560
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraCharts.v22.2.Extensions.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3516
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraCharts.v22.2.UI.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2672
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraCharts.v22.2.Wizard.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3036
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraDiagram.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4640
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraDialogs.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5012
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraEditors.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4128
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraGrid.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:644
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraLayout.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3768
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraNavBar.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3896
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraPivotGrid.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:460
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraPrinting.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4356
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraRichEdit.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:372
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraSpreadsheet.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:320
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraTreeList.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3180
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraTreeMap.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraVerticalGrid.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4412
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\DevExpress.XtraWizard.v22.2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3584
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AxInterop.MSTSCLib.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4340
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AxInterop.UltraVncAx.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2580
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Interop.MSTSCLib.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4328
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Interop.ULTRAVNCAXLib.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4788
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Azure.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3608
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Azure.Identity.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4440
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Azure.ResourceManager.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4228
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Azure.ResourceManager.Network.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4484
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Azure.Security.KeyVault.Secrets.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:452
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Azure.Storage.Blobs.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:3436
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Azure.Storage.Common.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2432
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AWSSDK.Core.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:1804
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AWSSDK.EC2.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:2732
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AWSSDK.Route53.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:432
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AWSSDK.Route53Domains.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4624
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AWSSDK.Route53Resolver.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:5000
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\AWSSDK.S3.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:4120
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe" install "C:\Program Files\Devolutions\Remote Desktop Manager\Newtonsoft.Json.dll" /NoLogo /silent /queue:2 "/ExeConfig:C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
      4⤵
      PID:716
- C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Updater.exe
  "C:\Program Files\Devolutions\Remote Desktop Manager\Devolutions.Updater.exe" /custominstaller /decode "C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\install\09E8D2C\Setup.RemoteDesktopManager.2023.2.22.0.msi" "C:\Program Files\Devolutions\Remote Desktop Manager\\"
  2⤵
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  PID:4332

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /svc
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
PID:5068
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNTMuNTMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDFCNzgxNDQtMkFFRC00QjdGLUI5RTYtQzEwNjAzREZCRTc2fSIgdXNlcmlkPSJ7RDJDMjg0QTItN0JBMS00RDIxLTkxRTgtM0M4MDA4Mjc5RENBfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezNDNzE2NTQ4LThEMjktNDYzNC1BNDJGLUExOTA5NDMyOTIwQ30iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O3I0NTJ0MStrMlRncS9IWHpqdkZOQlJob3BCV1I5c2JqWHhxZVVESDl1WDA9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0iezhBNjlEMzQ1LUQ1NjQtNDYzYy1BRkYxLUE2OUQ5RTUzMEY5Nn0iIHZlcnNpb249IjEwNi4wLjUyNDkuMTE5IiBuZXh0dmVyc2lvbj0iMTA2LjAuNTI0OS4xMTkiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQ2IiBpbnN0YWxsZGF0ZT0iLTQiIGluc3RhbGxkYXRldGltZT0iMTY4ODM4ODQ1MyI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjUiLz48L2FwcD48L3JlcXVlc3Q-
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4436
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1F875374-5F30-49EF-8683-8AE2302B79C3}\MicrosoftEdge_X64_115.0.1901.203.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1F875374-5F30-49EF-8683-8AE2302B79C3}\MicrosoftEdge_X64_115.0.1901.203.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
  2⤵
  - Executes dropped EXE
  PID:3592
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1F875374-5F30-49EF-8683-8AE2302B79C3}\EDGEMITMP_65F0E.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1F875374-5F30-49EF-8683-8AE2302B79C3}\EDGEMITMP_65F0E.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{1F875374-5F30-49EF-8683-8AE2302B79C3}\MicrosoftEdge_X64_115.0.1901.203.exe" --msedgewebview --verbose-logging --do-not-launch-msedge --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    PID:4680
- C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xNTMuNTMiIHNoZWxsX3ZlcnNpb249IjEuMy4xNTMuNTMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7RDFCNzgxNDQtMkFFRC00QjdGLUI5RTYtQzEwNjAzREZCRTc2fSIgdXNlcmlkPSJ7RDJDMjg0QTItN0JBMS00RDIxLTkxRTgtM0M4MDA4Mjc5RENBfSIgaW5zdGFsbHNvdXJjZT0idGFnZ2VkbWkiIHJlcXVlc3RpZD0iezkxMjZCQUI2LTJFODUtNDlBMC1BREU2LUNCQjJDMEM2MUIxOX0iIGRlZHVwPSJjciIgZG9tYWluam9pbmVkPSIwIj48aHcgbG9naWNhbF9jcHVzPSI4IiBwaHlzbWVtb3J5PSI4IiBkaXNrX3R5cGU9IjIiIHNzZT0iMSIgc3NlMj0iMSIgc3NlMz0iMSIgc3NzZTM9IjEiIHNzZTQxPSIxIiBzc2U0Mj0iMSIgYXZ4PSIxIi8-PG9zIHBsYXRmb3JtPSJ3aW4iIHZlcnNpb249IjEwLjAuMTkwNDEuMTI4OCIgc3A9IiIgYXJjaD0ieDY0Ii8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iREFEWSIgcHJvZHVjdF9uYW1lPSJTdGFuZGFyZCBQQyAoUTM1ICsgSUNIOSwgMjAwOSkiLz48ZXhwIGV0YWc9IiZxdW90O1ZQUW9QMUYrZnExNXdSemgxa1BMNFBNcFdoOE9STUI1aXp2ck9DL2NoalE9JnF1b3Q7Ii8-PGFwcCBhcHBpZD0ie0YzMDE3MjI2LUZFMkEtNDI5NS04QkRGLTAwQzNBOUE3RTRDNX0iIHZlcnNpb249IiIgbmV4dHZlcnNpb249IjExNS4wLjE5MDEuMjAzIiBsYW5nPSIiIGJyYW5kPSIiIGNsaWVudD0iIiBleHBlcmltZW50cz0iY29uc2VudD1mYWxzZSIgaW5zdGFsbGFnZT0iLTEiIGluc3RhbGxkYXRlPSItMSI-PHVwZGF0ZWNoZWNrLz48ZXZlbnQgZXZlbnR0eXBlPSI5IiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIwIi8-PGV2ZW50IGV2ZW50dHlwZT0iNSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIvPjxldmVudCBldmVudHR5cGU9IjEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvd25sb2FkZXI9ImJpdHMiIHVybD0iaHR0cDovL21zZWRnZS5mLnRsdS5kbC5kZWxpdmVyeS5tcC5taWNyb3NvZnQuY29tL2ZpbGVzdHJlYW1pbmdzZXJ2aWNlL2ZpbGVzL2M1ODU4YWEyLThkYjUtNDE2MC1iYmI5LWE3MWY5MWMxMjJhZT9QMT0xNjkyOTk2NTkwJmFtcDtQMj00MDQmYW1wO1AzPTImYW1wO1A0PVA1MFFzTEQlMmJrVmVNSUZ5MEh5SGswd2pQYTJsTiUyZldhaTE4a1FoN2ttZkJYSmd5JTJidlcxZ1NYMWRYNFNkVm96c2hTUVRkVjRmdmN0OFpPTzg1RGJKRWx3JTNkJTNkIiBzZXJ2ZXJfaXBfaGludD0iIiBjZG5fY2lkPSItMSIgY2RuX2NjYz0iIiBkb3dubG9hZGVkPSIxNTE0MTg4MzIiIHRvdGFsPSIxNTE0MTg4MzIiIGRvd25sb2FkX3RpbWVfbXM9IjUzNzg5Ii8-PGV2ZW50IGV2ZW50dHlwZT0iMSIgZXZlbnRyZXN1bHQ9IjEiIGVycm9yY29kZT0iMCIgZXh0cmFjb2RlMT0iMCIgc291cmNlX3VybF9pbmRleD0iMCIvPjxldmVudCBldmVudHR5cGU9IjYiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjAiLz48ZXZlbnQgZXZlbnR0eXBlPSIyIiBldmVudHJlc3VsdD0iMSIgZXJyb3Jjb2RlPSIwIiBleHRyYWNvZGUxPSIxOTY2MDkiIHNvdXJjZV91cmxfaW5kZXg9IjAiIGRvbmVfYmVmb3JlX29vYmVfY29tcGxldGU9IjAiIHVwZGF0ZV9jaGVja190aW1lX21zPSI4NDQiIGRvd25sb2FkX3RpbWVfbXM9IjYyMzg2IiBkb3dubG9hZGVkPSIxNTE0MTg4MzIiIHRvdGFsPSIxNTE0MTg4MzIiIHBhY2thZ2VfY2FjaGVfcmVzdWx0PSIwIiBpbnN0YWxsX3RpbWVfbXM9IjI2MjY0Ii8-PC9hcHA-PC9yZXF1ZXN0Pg
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  PID:4920

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{E2B3C97F-6AE1-41AC-817A-F6F92166D7DD}
1⤵
PID:4300

C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe
"C:\Program Files\Devolutions\Remote Desktop Manager\RemoteDesktopManager.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3972
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3972.1552.8107463529471514276
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - System policy modification
  PID:4068
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1796 --field-trial-handle=1800,i,11524878587446988630,6284332587747347479,262144 --enable-features=MojoIpcz /prefetch:2
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4484
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --mojo-platform-channel-handle=1880 --field-trial-handle=1800,i,11524878587446988630,6284332587747347479,262144 --enable-features=MojoIpcz /prefetch:3
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:3280
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3580 --field-trial-handle=1800,i,11524878587446988630,6284332587747347479,262144 --enable-features=MojoIpcz /prefetch:1
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:1244
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --mojo-platform-channel-handle=3164 --field-trial-handle=1800,i,11524878587446988630,6284332587747347479,262144 --enable-features=MojoIpcz /prefetch:8
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4916
- C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
  "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --embedded-browser-webview=1 --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --noerrdialogs --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --enable-features=MojoIpcz --mojo-named-platform-channel-pipe=3972.1552.15345352122753722146
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - System policy modification
  PID:3528
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=115.0.5790.171 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=115.0.1901.203 --initial-client-data=0x184,0x188,0x18c,0x160,0x1d4,0x7ff84328d310,0x7ff84328d320,0x7ff84328d330
    3⤵
    - Executes dropped EXE
    PID:4104
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=gpu-process --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1832 --field-trial-handle=1836,i,10373725668038631704,15531119701362849314,262144 --enable-features=MojoIpcz /prefetch:2
    3⤵
    - Executes dropped EXE
    PID:4384
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --mojo-platform-channel-handle=3060 --field-trial-handle=1836,i,10373725668038631704,15531119701362849314,262144 --enable-features=MojoIpcz /prefetch:8
    3⤵
    - Executes dropped EXE
    PID:4128
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --mojo-platform-channel-handle=2128 --field-trial-handle=1836,i,10373725668038631704,15531119701362849314,262144 --enable-features=MojoIpcz /prefetch:3
    3⤵
    - Executes dropped EXE
    PID:4640
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3368 --field-trial-handle=1836,i,10373725668038631704,15531119701362849314,262144 --enable-features=MojoIpcz /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:5068
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=3532 --field-trial-handle=1836,i,10373725668038631704,15531119701362849314,262144 --enable-features=MojoIpcz /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:4512
- - C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
    "C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=renderer --noerrdialogs --user-data-dir="C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView" --webview-exe-name=RemoteDesktopManager.exe --webview-exe-version=2023.2.22.0 --embedded-browser-webview=1 --embedded-browser-webview-dpi-awareness=1 --edge-webview-custom-scheme --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --js-flags="--harmony-weak-refs-with-cleanup-some --expose-gc --ms-user-locale=" --mojo-platform-channel-handle=4116 --field-trial-handle=1836,i,10373725668038631704,15531119701362849314,262144 --enable-features=MojoIpcz /prefetch:1
    3⤵
    - Executes dropped EXE
    PID:1636

C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe
"C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --type=crashpad-handler --user-data-dir=C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Crashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=115.0.5790.171 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeWebView\Application\115.0.1901.203\msedgewebview2.exe" --annotation=plat=Win64 "--annotation=prod=Edge WebView2" --annotation=ver=115.0.1901.203 --initial-client-data=0x180,0x184,0x188,0x15c,0x1c4,0x7ff84328d310,0x7ff84328d320,0x7ff84328d330
1⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4728

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ua /installsource scheduler
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e5de4c6.rbs

Filesize
2.3MB

MD5
a315122a12526abb374620e28d8e0660

SHA1
478814f1ce0560555bf306e1c56f2c007e152228

SHA256
0f0a660af9dd319ca1ff93e1409b074105d31c6efb38092028b8607cdad09403

SHA512
03492eebae726e29cccf566878e64f902148d0cec615569e852e150a0e98afe351ace97be7a1103a896140eace8886009ae917d8d3cac46960adb1168f6b6a7e

Download Submit
C:\Program Files (x86)\Microsoft\EdgeCore\115.0.1901.203\Installer\setup.exe

Filesize
3.5MB

MD5
c7645f29dd120d88267e5086790d0833

SHA1
7157d3406cb0aa4add402db04ac11d64e9fa21ad

SHA256
04f0c327aca916474cc9462dacc2aa519ddc2f7113673ffc16d7d2d2e25ae3cd

SHA512
e7188b8dc1f58e5b980c13c80b4e50a3b49edcdf9053fcdf84d521726253b93832bdb1b667e477bd51be9aab1e0e62f751af59d9651a401da8277fa8a05e0a23

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\Download\{F3017226-FE2A-4295-8BDF-00C3A9A7E4C5}\115.0.1901.203\MicrosoftEdge_X64_115.0.1901.203.exe

Filesize
144.4MB

MD5
d570ce7edf851d97067aacc7a08dfc58

SHA1
097172f7663696c768299d2f956740497b647adb

SHA256
52695a998c0aabd5ef2e39b05ec27073a44a3e0efc65eed1bd252f92e9f2c0e1

SHA512
f6125052f959dd485a361b634b588e178cf46fe4b8ecbd417b4e07affa30b849c09764b570bca16860dadce38e9b1e98c1b2a7c4574fb2bcfc9b36d23f9232f4

Download Submit
C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe

Filesize
209KB

MD5
a40025702cce661c4fb1e77c449d7be1

SHA1
214a5af47d68293ba1670852718e67213feeac4f

SHA256
025df5c7a2b0afa43d54fc53a0a21f2ddf6df03db03a5032ee7ac0360e284185

SHA512
6a6c9e4d40a2afdafc65cad26a1448c44e4a488d16d1856235f575c47603aa5615ab062736d7988fe6e882aa4fa1b943649a28c9e74dc926151023cfa21a02d3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\EdgeUpdate.dat

Filesize
12KB

MD5
369bbc37cff290adb8963dc5e518b9b8

SHA1
de0ef569f7ef55032e4b18d3a03542cc2bbac191

SHA256
3d7ec761bef1b1af418b909f1c81ce577c769722957713fdafbc8131b0a0c7d3

SHA512
4f8ec1fd4de8d373a4973513aa95e646dfc5b1069549fafe0d125614116c902bfc04b0e6afd12554cc13ca6c53e1f258a3b14e54ac811f6b06ed50c9ac9890b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeComRegisterShellARM64.exe

Filesize
160KB

MD5
ffb6702956d281b3a6ba56038072584b

SHA1
0b6e2cbee6e297d8afbd0503ff00b53e30dcfa0b

SHA256
8bca492fb1f5dddca9722dd18dad4a7ee75599644f06eb46bf281bbeec4ac1aa

SHA512
402556c91f0537badc3fb7f75ed39c460838bf43ed64dfabd0a588ec6da9681e15f909e4fd5af66c9ed3c4e100a726423443f685b13dcf4e492d52ef19c1a771

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeUpdate.exe

Filesize
209KB

MD5
a40025702cce661c4fb1e77c449d7be1

SHA1
214a5af47d68293ba1670852718e67213feeac4f

SHA256
025df5c7a2b0afa43d54fc53a0a21f2ddf6df03db03a5032ee7ac0360e284185

SHA512
6a6c9e4d40a2afdafc65cad26a1448c44e4a488d16d1856235f575c47603aa5615ab062736d7988fe6e882aa4fa1b943649a28c9e74dc926151023cfa21a02d3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeUpdate.exe

Filesize
209KB

MD5
a40025702cce661c4fb1e77c449d7be1

SHA1
214a5af47d68293ba1670852718e67213feeac4f

SHA256
025df5c7a2b0afa43d54fc53a0a21f2ddf6df03db03a5032ee7ac0360e284185

SHA512
6a6c9e4d40a2afdafc65cad26a1448c44e4a488d16d1856235f575c47603aa5615ab062736d7988fe6e882aa4fa1b943649a28c9e74dc926151023cfa21a02d3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeUpdateComRegisterShell64.exe

Filesize
203KB

MD5
4c8680365aaf2610a945923fadd1e7da

SHA1
77f3ad34bb0f3e4861d4c644544138642e4a9e62

SHA256
860222a28c334c17bcbcbdfa258926fda0dbf64b42101e5a6ceea86c304fac57

SHA512
0dd6db0f4f26c408a241490b21fa75c8829fe11c85d0dad22888f7bbfb925a081087e535f35fade3df3950eec3cd8fcb4689cab99e86d3a404d157051c0c1c48

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\MicrosoftEdgeUpdateCore.exe

Filesize
241KB

MD5
2d07dcf260df835d11c805f2e7f8c159

SHA1
25c8284b4b097da369349b39af3dabce2cc97802

SHA256
68a568252382db530607116076df3a26082efe67d216547bcc688a8b478957a6

SHA512
adfec8cc759e9fbbc51295c356eb4e90f26d9ee7d759ab5e9f740a55ab79fe14265c447ec20275ba8c8054a750087f717f27397566db1c4ee5cac2a76f513fcb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\NOTICE.TXT

Filesize
4KB

MD5
6dd5bf0743f2366a0bdd37e302783bcd

SHA1
e5ff6e044c40c02b1fc78304804fe1f993fed2e6

SHA256
91d3fc490565ded7621ff5198960e501b6db857d5dd45af2fe7c3ecd141145f5

SHA512
f546c1dff8902a3353c0b7c10ca9f69bb77ebd276e4d5217da9e0823a0d8d506a5267773f789343d8c56b41a0ee6a97d4470a44bbd81ceaa8529e5e818f4951e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdate.dll

Filesize
2.4MB

MD5
6cfb1cd81b4c65e3a0b3e7d6d8c8cee5

SHA1
a413c36ba58cb1aae06523da8751cb2984b67c9c

SHA256
ac21842fa444ab5fe6f677565a2a6734e0c798633da9dfdc434ba5bcbae6bb22

SHA512
042466d8a606a1b1085ccdddee43cdb90607348179478d42f1fd71e89053ae7f482b9353268afab3fc3e44cc798614d6ad1364bd65040df406d5761eb8a8c307

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdate.dll

Filesize
2.4MB

MD5
6cfb1cd81b4c65e3a0b3e7d6d8c8cee5

SHA1
a413c36ba58cb1aae06523da8751cb2984b67c9c

SHA256
ac21842fa444ab5fe6f677565a2a6734e0c798633da9dfdc434ba5bcbae6bb22

SHA512
042466d8a606a1b1085ccdddee43cdb90607348179478d42f1fd71e89053ae7f482b9353268afab3fc3e44cc798614d6ad1364bd65040df406d5761eb8a8c307

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_af.dll

Filesize
27KB

MD5
96b7c2e7488555b0ea74a55a6eb08fc7

SHA1
5fba1ef4332f00a9ac1e0a95dd92719d11e931bf

SHA256
ead92721fee00699e3878a51c2432a6de4f1de55405d07e486d7458ccadd57a6

SHA512
9c4f68b6c6f029ae2ffd33bb40bb4f12a59872613006f19766a9dc2c2c7704e9b33b4b6a6ec44c02920c71bba11cbf245f93816a7659fc11394e43771cbddffd

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_am.dll

Filesize
23KB

MD5
993a9ea0056417c22996d273c4cfe0d3

SHA1
2fd91e16c17f50624581b47eee47929e86e37715

SHA256
f1f2c1070f8523636107eb86c53dd3b4ac60bbf0ccea99d8e536ee8ce6e45b85

SHA512
0fd9b9446a4296023d55a821a9b0b84c3b5fd2d2d6da231325acae1b3696fa659b44f54b1d814a271724fba24e72b79dd33994a8ce96e2fde9aa97e04a09814c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_ar.dll

Filesize
25KB

MD5
ae6f01dff13f3f346d3e7fab70b94c86

SHA1
977c9797fa3500bb199bce84d26ba6b78d4c38d7

SHA256
243d3369b2379ced25bb650cfccd2723c3caaaa1cd35bb557dbffac861e6717b

SHA512
8dbdf32315d4e276199b5fdeb9ec4364da0d0d5dd851f07228fc5d21ce6f9764e3983f0221119f294a4e76c11fa72368f2df9e9684bc274cbe7adea5c020e9f4

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_as.dll

Filesize
27KB

MD5
d060a6b214167b36b600084a1fce6d7b

SHA1
2060742691912bb7ef7b76f5e7a6f14efb310291

SHA256
1a9d6e3afa58a2fbb63e6489ae1ab1fea3d8976771d61a128457b80d3e0a64cf

SHA512
e96d9652d35d67860d9857785e2d798dbd28c34b508734e6e804a6352ced6d0dbe89aeeb95f1254e7fe690a6c13dd08e61044315153f813aaff1bb2a3a1cd23f

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_az.dll

Filesize
28KB

MD5
ef8fbcb5b232d1863f8201389113aadc

SHA1
9ee80f6f0d9cc36b0b5b312c8d0a062aaa3c655c

SHA256
d84e5be67107e893601cf5ab4f2448db392972e00772139df50dc432a9a262cb

SHA512
09935f8b769f9542ce135df8d9d9598057f72ef4ef795a6d1e95aa554cebcf9b783d233cf6250cc7c7396316034d9ad02c69f6d816ac44a5528100a0d6e35da0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_bg.dll

Filesize
28KB

MD5
40f5673b792aedfcce328502d559203d

SHA1
3e8c73e8333b32cff92997dd22907b3a0ab13cbd

SHA256
f4d9599d52dd7b1336b9f0f00195df3f51d9b4403f76ad35f6bc27066bbcf257

SHA512
8c83d624ce5745ffb107c7e67690406ccb074c2e9d0e260c0952960b8f49fb3650299abf5ea52f1e2b963387f011fe60bf24ba8957dfad50c912ba9bdf6a461d

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_bn-IN.dll

Filesize
28KB

MD5
6b551185c4abb67cd6c84129c9b169a4

SHA1
68cef1ff1578f23dfaf1d4c86f9d39d37a1e92a4

SHA256
5a908e3b82b303bdb9665560ef67c3c8613f0d04bc98ceebbff313cb1a0df49e

SHA512
a27632e5c0de0d7d0d67b8ce28f7dc9c4756b5985e544f640981451b32d2471fd746cf49074c559fa19ffa8d684e445749be3751a4e72a22e68204c046f85074

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_bn.dll

Filesize
28KB

MD5
c9604aad7d1e68654d7f8c030061c7ed

SHA1
227fec1594f6f34d576e16e911014b677a631c6d

SHA256
c7f9587526477bf146c67c823e2e26afbca370db294c9f1edb0ef6570d419dd5

SHA512
71e8b5eebdae271887e22af7873d98028ce096fc0e35f3b6091f7f3a4ba5121f1a13030d8e2ba735df5dc17fe4f336e8193f1a3921b8af46ceca3b7b53155ef5

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_bs.dll

Filesize
27KB

MD5
46c1c90fd9c2aff9ecbaaddf76b05947

SHA1
1eefe8b225b3b2db68cc39462a876d71b1f3eaa3

SHA256
f2ef06b1ca06ba8c5ba1cc335ecb3b64454d825d88093fcdcfd444319ce4dc86

SHA512
6c5f3a2522f62bd597a5cbeead95aa18f70ab11cf383f9f8880900c64438f1db1e89e97e62b147a24d3a804665e89cc135b86adaf599222c628626f5c2b02770

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_ca-Es-VALENCIA.dll

Filesize
28KB

MD5
11b32b750c88b34c745ea1969b948a56

SHA1
f3adb0f85f2f963c6d29df65807291bd5272cd28

SHA256
c53f9d293c6cda95a2fabe165f7232b2a3506ba35e9d4e18b1ac00309e25b126

SHA512
2edf47c4bbbd429c86bf1ee4707706fbcfccc5f13b08687d6530d90a74b05b81b49704568df1045f3b98b677ca38a4c7e3efef08ec3ec86a5bd97a4a25dc5ce6

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_ca.dll

Filesize
28KB

MD5
1a9382add72a8b65cfdc4383febab107

SHA1
4b00e4df3f0b02e28f7e9a3a07281f798480adfa

SHA256
3b0a5335c17434a0c30fa8c52bc8af15b1c7702aea554edefb19184442fd26fb

SHA512
6b296efbf1c73c8d7a3510f5e7c2c1ac83415c3cc905398199ee5c1b70939512ccd8cfe5e8a8fb60ceb4899272dd9b4367e8c5f4c7e2f04a5754800147681032

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_cs.dll

Filesize
27KB

MD5
2bfd3ce1a1bcf3d116df5414faa5d285

SHA1
e85c3588a98ecab7c3d21a96534222bb063dae7d

SHA256
8a0367576591cf6261e3fcaf7e52e266b6c325e22d7f94441b9002f18f604461

SHA512
6c69a7271777277f9ee1c98bd680904296427c00fd67c64c567877bd50650b891ac18544143b0f4b3c2a839325d3eba63b23ad63fa7d58b2469cc0ed64a06083

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_cy.dll

Filesize
27KB

MD5
3c8bbfdbd4817d02a9954307107211f1

SHA1
7cb746d9dbde0bb6a35d75ffce42bb1c3cb8ba98

SHA256
f0e0ef1f82643fea9db0f79c727f1a7e3ead52ef209162258e7c37323e3214e7

SHA512
365eb28dde451d164624ced721dc099ef290bbef5fbfc054558d9f43447fb1ae1dcfedf910260c972f12c35f7f27d05e23bd90590ebc6d3f1e70acbb5de8092c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_da.dll

Filesize
27KB

MD5
f7fd3e001cc1191ab201c1dfb25ddd6e

SHA1
064fb4e941a6c487e792240fecc186b4bf79355a

SHA256
a57e2258e5422b8d89248ce541bbaed5e47063b70a16b446af1ad210094cb64c

SHA512
0f4870ce742e2cbc39ee504906426d768829d25dda6bf31afc5bbffc0ac3b4808f7a7b98d952ea977f10d27ae3c5e1ff5d05f65c61364f851d67e68a6b8189cb

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_de.dll

Filesize
29KB

MD5
87e0d2b50a90fdcc1861f8a066403bff

SHA1
abf39bdc5e5687b798340f7b3c8fa7940966cf4a

SHA256
a5d33e98b7c72aa3d954f811541af524a5f3c4123efd196e36ac52e383e08894

SHA512
4d5434c423156e5ac5d2cd8d492940cc9564e661f39ad1dca8cd1830e04868d081f7ed0e75086dcc6dd551039f12125ceea49fab3b6959e5ed49f37d69423124

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_el.dll

Filesize
29KB

MD5
ce6442e0f9614988b2e37b649101e9a9

SHA1
8e5b9587d94874c7d1e6881c5c40f814d48460f7

SHA256
b519b9a3938807243cece58809b47036243ca81c957075a6eee65c0605383862

SHA512
bad75f04b5b16b41c23f6a1b58fae303f513f72ad37be0ee969436ab736a7bf56944cd61774d87861ea0ca128f5b48ea11e6c54f2116f1b7a674e025520c8238

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_en-GB.dll

Filesize
26KB

MD5
86766127a8e0dc547f0f64598db92691

SHA1
cfb56cec1cbb4f1685aef8699579d6035e086a2a

SHA256
a889dda8a51ce9c84ea1071512fc5e05b0fcc782fc45843feebe2470a0f7ffbf

SHA512
3131e2b9a84f315e075de9b77c576265b1043dec70ed3d40955307819935bc2d90caaf92d4b3cfb1023a40fd14402c3952121ba86f714be9ed0db049a1de54b3

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_en.dll

Filesize
26KB

MD5
0be55d32cfb7eab185a7fa7fd7f8f260

SHA1
5b1c47b1bf0c82432b31f83d7d9a67df324851d2

SHA256
77c36d4a9ac2dc5ba64b69d4e8686bc79de101e0ae45da1738c9cc467ac968ce

SHA512
f1534b4763b8895b20aaede5132cf3cfb21196631287c801362879459dd8e6073ecf4715cd1aa3fa91c46fdb35255695741a10158c0b7d9fe074893938c0aa2c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_es-419.dll

Filesize
27KB

MD5
715b1e3f1879ff94374185f3c31f935d

SHA1
0448afd9435f08469a167f061c7e6470cef5f664

SHA256
98b381350573b9345545f36de57d556aaeb18e83428380427aa78398475be828

SHA512
13ca2cd2e53db6c28958dd76eea9f4989ef4a2ec1d7708bcf458ee40e668b3394b0efabd0dc48918c1ab773119afa4abfa74ccbe276a8a01855ed4041215089b

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_es.dll

Filesize
27KB

MD5
8aa2eeee9867a78cd9d24a9d7efa65de

SHA1
c5a38858e63b3b95621810493c8c78d81519b963

SHA256
47dce4d04ca263d68c7b9818c9ffedd8bb194262e93f002f20af095c4420d555

SHA512
693ed6d248a1f903ed706e63c27a03ec17ca607b2f525b2e412e9efccf48bcad7dc1481aaa08f91abed09a2b63039502275e369e8a8393f6ed5799534cb80d15

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_et.dll

Filesize
26KB

MD5
4a0ded6b7238876524f1543bf9c1b08e

SHA1
53d2dc8b6fad79cc65aab1086c8b33aafc9fabec

SHA256
c11959f8f8f4b7a14b6c6019f9cad639aa674a47edcc87e7ec3864d8ff20e9aa

SHA512
7168a00f2533fa3bed484dd6fd34341972fae019e377b02aafbbcb01ac276b6d713bfdd7972d0b6b3aa03b4e59575f98a36154b20cfce2b51dd5bcfbe814ffd0

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_eu.dll

Filesize
27KB

MD5
75419454882991170ed13b9590edec87

SHA1
942ad256bc23b134a34dcf70d510d09c8cb1d8ed

SHA256
01b2b710cf2d8c41120f265c97456d64b81fc5de557c263e3a41069019784c5d

SHA512
040dc9cec4e0b8d08fa27c5159c589ee45a9b7d763bce8e7e409d6b3152f0642dbc1b8cf55c8392f5efb502c6fe14e82f2458daa0fa5600fb12e55500042f96c

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_fa.dll

Filesize
26KB

MD5
3af6730f373e7a1355ec9cab1eebec28

SHA1
58b7c7c0818622208d0a9124d2da8f65d0d2a35f

SHA256
6726b22df72da907dde5bd897835bb747c2df4235859d20ffc6ecf1594b72bea

SHA512
a138cef9c76c224471692042a95fecf61e97fdd26d9e5d468698454436e1ca4fc68c15a6d7b346a901b0bb187f27b5dc6388b7da8a53268439e8f45719c6a6b1

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_fi.dll

Filesize
27KB

MD5
c67e2f456859e3b747e49ca40d303a96

SHA1
82a1fc90adeea44453859a7a3dc445a64b71ca80

SHA256
328ddbaeee9fea6d2aee8d2bbd286af178b2a088cce24c9c774afbf035f6bfd5

SHA512
ea381f0ad307b8ff7c8e89a3c9b09a1ae88bea3cf7bfa0d9f09b28a732a7fca09f7bc6dd60f8f950fad8e8bca5a0c12909c844d2fa25b1524ce4767af53b0457

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_fil.dll

Filesize
28KB

MD5
e6ab658d70f9cc88657d6d18c59312ed

SHA1
1049ae82bd6786b4cb458141067d49f99c6d8a2e

SHA256
f9dabd8dedfa0f6c80dad7b86ec7ceb5bbad6b461d67534db9428ab59cee3fd7

SHA512
ffec0ab77b6b6e2751d6a0ba2d26d5739603895e3ab7fb390f899ff8ec743894a5def906910979ac805485cbecb2da2a6ae02e50905631084e580dbbcd23dc76

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_fr-CA.dll

Filesize
29KB

MD5
125fd51b300c821536548cbfe72bbf84

SHA1
b4b3b84870f08120da8ec88900b28fc8eab3c2e7

SHA256
486e193ec46ce4d8f9f925d73564e9a3b68d39f3c2f9c00302fd8fd4c6810711

SHA512
57f310589a034bcacb42d91cc0c7a53f128b3804ea50fa2b461cfc322c824dbece5d67c67f4ade66177d687af8595efeb8283fc7925b3d644612f5998c5bd48e

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_fr.dll

Filesize
29KB

MD5
a1723bf780c3af8bae9e01f525884dd5

SHA1
b827f0f52e002ece363da5f44b20e55199617af7

SHA256
7edde6ac3346e654b66a0621c30626f8d1720608b4c107e78b1c6e42595b14d8

SHA512
26147ad565d8694a244b923ce907ff0d9d26dda7cc7bb3d2e755f91bdaa9455b75bbac959ee4481ca009967b849223400efc6d72ed9106bf684c2bfeead2cd71

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_ga.dll

Filesize
27KB

MD5
564024e243e97f89d3acb6eca15c81ae

SHA1
42f0898d40f8782ce9c4b848baabd3c97b760a22

SHA256
015f5318a47dcfb6db4cfa41394118d0b6a6a09cb972fbbff7549e144c445816

SHA512
487d5f737e79bd40c73dbd75ec8cd57b90884ab18d1659a79e7c2ed657fd2f96045a65276397850108315adaeb2a70e2acd5a2dfd1f61437fe5d69cd0f51d183

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_gd.dll

Filesize
29KB

MD5
81d4b648b3c3de7833fed0dfe0cad957

SHA1
a073986a290ba878a0f4b605af27c5f551a01a2d

SHA256
55b107edd473adc897edb619006b867c1cb3e32f6b29631315a46764a95e96ec

SHA512
125eab74e8f760095914a4a9285aa645375896b7b2d7f957f317b289a4cea512d4f8b64c65832ff9bc1541f2b3d91b9233d6278e20a07f97acbef04429371085

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_gl.dll

Filesize
27KB

MD5
a8ce04e1e7cbaa613443c12c16104b8f

SHA1
d990a50a58449eeb7a0439f831b60848acf15034

SHA256
db1e17395400cb402a1d75ac51351af2b5100794dfa2cc11befc5cf6bd87505c

SHA512
a126b03a6c913621e89448bc53be25bf0e29e2743cfa015933b0d0180da421941b359f9fb2fb525e122a4924a78e51abd450e3459a9bcaaf8ccd7c301d5d9609

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_gu.dll

Filesize
27KB

MD5
876cfa7452ebd6908e9190603f34969d

SHA1
5cdbc3e4a8c7ed9c615f64f1a72a64bdc4c33f38

SHA256
ecbe933cf5548e47eeda04b843eaf7bc1259777bf7de79c99b6a9365fed5a679

SHA512
a5cbccb0b78c56c12f9121c4a64d110d4ffa41ae42e5581146978497cbc0ffe4d97640676e08a6b7317fcb216e3e18649306ef53e1f6892201f320b4fe5bccfc

Download Submit
C:\Program Files (x86)\Microsoft\Temp\EUF1F3.tmp\msedgeupdateres_hi.dll

Filesize
27KB

MD5
72e08ac0ccaf23b9c8930a2f3095231e

SHA1
ed5e67be12f2abde36d03b4d91c65fe65b62350d

SHA256
dbf1f92547a16d44694195efb846d92fe1c9d458de86fc193558cdf6ad7f11d8

SHA512
c72097cd918ac1d1742e6fb6fe966cac4fcb4b96ae39e116314383e65424c64e5ee3340b07295c1a98b1c0797b4ba8f8387e7e0d27c9fef077b2b69726311bfa

Download Submit
C:\Program Files\Devolutions\Remote Desktop Manager\OpenSource\DiffPlex - License.txt

Filesize
8KB

MD5
56631ac22d86ae79c7fc3149c21a8683

SHA1
d83acd7895fe83997ed9a501063e000944afc1a2

SHA256
e3481b4f313a0c8a23e73e5163d923e96741e393e576c39d73b06979cf87a5ab

SHA512
2898aa6207bdd2ea6075b2affd76d9a33ee2d54a1457a95aca791c2f8e4d50a4095577711744ed316556ab07e8c969c9f970116f0e2bb839c8f35c4429e52ea6

Download Submit
C:\ProgramData\Microsoft\EdgeUpdate\Log\MicrosoftEdgeUpdate.log

Filesize
122KB

MD5
31a56ff95d5841389974d963d6430ec4

SHA1
94756e4ecfd5fc449c5d357666b2aab93e71f804

SHA256
c253e5e0e3c229f6f7a553cac6c17576fbf091b301caf9e2bf721713756f8d0a

SHA512
01196dc293a0ad9368a44db6f1f2b3ed166b65bc53fca52b82720a4ed546b670aeef23e971181b25d964bbaa7c294808baba00c0c0152639609def65155115af

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\Connections.db

Filesize
12KB

MD5
72e5d3fb759a57a32cf33e36838129cc

SHA1
11325c85806e94c584c634cdab535363c15cb8a4

SHA256
154babab86569658c41e614e3dd64096cfcc89bba2fd5a7b7115598a764c8649

SHA512
b68339a0214e8b289c2658f9bcc43012625a61508870e8339ecd8deaf262379e53578d551857ee51aabd406ddb8d91ec9258efda9161e3aba062818238bff544

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\Connections.db

Filesize
168KB

MD5
b1f25596d0db1b4e76b6473207e690cb

SHA1
ec2b5038766a0a9a3c80dd267403900efc58bc0e

SHA256
78125ac4fae0a2ea5d6da13cfa67ca20c2c719ebb55b45043e9815169f6c0622

SHA512
273790e624e2c7e470124c5e8601535fb46af77bd458b2f17f3de8a79d499711f92959f21bce77c8a9e091d1b0be8bc32aad63f600787e642fcab35837f2bfda

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\Connections.db

Filesize
176KB

MD5
07ba3e3166ee4d2ee3ffb3430edf6584

SHA1
7e8a4623198db1cf4a3589e4bb755508c404be68

SHA256
e738f64808d3cb664bb1eec389f674278c55b3194e2e36553068ecfa071b7e04

SHA512
28cb62f753b3ce38434a2506d790c27c2d3a3e26fc26619234d7272224b245fe2e80fa141b4ee82457bc3d3510542cd4f1e694f94bcf0d08db1c545104ab43d8

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.cfg

Filesize
6KB

MD5
b12d6bb1c92e049e10aea6a17489862d

SHA1
714cf9005167e5a8e10e7a24ed4e7f45426cf891

SHA256
6379e4f5a56644a9e8ee927adc94506f9e6b785591ebc745714f9b4fef4d7b2c

SHA512
b8cf0dac5937446b24757aa2eba84619f197d4ef70b3001a2bb9427723ae0dbe68cbfda9878fbe0b392730192629a78b2c30d83d1f444ebaca4aeabe0c55e3f0

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.enc

Filesize
146B

MD5
b9211ed50aebc590b87191aff33f56e0

SHA1
27bffd56abfae900fdcd3f5006bb83fac8050ce1

SHA256
df8ef24095d3ccb015cc90b688de4f29b0184ba262ad3603ab2972f5f588a164

SHA512
9729ebc56024ff42a5b333b6cee57c62e417bf38f40f42c4786eb1af860bdf18573ae682635d4a71f8221fbef12001458be9a823d16dea0841c5ae54e30ae92e

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.ext

Filesize
870B

MD5
82d742dfd092ab41550a75393ee3b603

SHA1
0b166f339a7cb33119ff32347a66e5791b115f75

SHA256
f645c00aafa0c44657d1d4a47d9e6c5a08821d5ed15c4f766d81bac2fdb3d6f8

SHA512
91b31d63cbca3d6cc99a2670fba8d7b67af14ff441d786db3a0fc4e186132fd5807f38e14f9ae62b884cd22c43eddb71e8d2dfb6dcb19d7f5df420e8c09dd2f4

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\RemoteDesktopManager.ext

Filesize
1KB

MD5
ecb443be68e17bb6d2956abd066f8d4b

SHA1
42c077d9c801b330293b26c4f4dbac330444a27b

SHA256
ab2168c0752b01b27f0b78731f203f4a7dfd1391c58079a0682a53d4a954e4a0

SHA512
9ec0cc589f98c78ee79b4c4dcc8500dc10534c10677b3cc21efa04d196d52bdbb03163a4d1cb202c2fbf1bc719b8f04ed9bc2261e2f436fc7c97375eb9635ae1

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
0d626fb8aa1ff757faff2f2656a44d9f

SHA1
615d35c69485a858c03fc9ad1a7b8d1f7d57e12d

SHA256
e217ef44f5fb80d60cd65e12992f3f485bdbde3f38f738aa354fb841796bafa6

SHA512
c50a66c2d503d05e83e2d5872cd8c897d9f6ed757371c9dc6fed5f1a0e262a9b4a64411d0496dabd4a1e5435c4568d94fda95f03e4800fd81c52e228c7a3c5be

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
3f3ef264d0f73f1fb2b3d312e847a853

SHA1
c307aed363d20d58a97322ad0f5fa513ac12f5b9

SHA256
676376597174a165b795b901694a6fa6b17270cc857621e3c24ab31ea03f502f

SHA512
43d1e934120e71c7a0f2cb2c77bf0ddddbc4732ab874f26d2dcb6e18ee3b11df7b9b3cda4c5c91920d940007b9fdc0e621f0c329f467add9af78f4db76eaa6f5

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
17b4bde1f598e34286a31277251e2c72

SHA1
cf05993828bf9dd2dc1b15a7667fce91257d4094

SHA256
608866bd3c2e93b5d9106d23a47f6923324d6e1e5f8a5775bdebe8e26ccd6488

SHA512
bb1f45ebbc957f3652d54b0198f670303eef1e4605ad2758d3b7fc0f93d13cce1b5059b87b6ab0d62a4ec874299014163ccdc6714d2fec3fd3bdb2c8fc036122

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
2a831a0910d01790c356c275726c859d

SHA1
35dc0222285c428505cbb9db534788a4738a1ac3

SHA256
26502e88605b43fbba047363b386eed40e64756f43d549533904ae22b2da18ff

SHA512
623e15b84c619eecd8f78fe35c01ea8b3d66030f877314fc0462ff53a21c5ce1d098a2b98db0640de216220d3ceef1f18bd043d9a31b16ea3b77fb6f3fed701d

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Crashpad\settings.dat

Filesize
280B

MD5
2fca132967f7f610233a7898294baa5b

SHA1
a72ba08cac1df9b0c400da454eaac3080e73cc97

SHA256
9a7abd4c906249fa52f55ecacbd97bc71f9a8e367609a57e57dbbcabebb997a3

SHA512
95e1939f0efaa80acdae8cd283d94b21f4b0561e8c98e1f3a942d9c3cf5a826f5e087d520873e7bb59825cd2624767f00681e9740ea89f4ba58a2d042897975a

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Cache\Cache_Data\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
6078566e492e94e9b96d6b737dab0876

SHA1
97cd82844f283cd56d5bb90d52cc2f44c74e567d

SHA256
dc85237f20ce366d9f7ca71fafd09381a1cbb2747f133d1b2f9417064e4d2348

SHA512
3d9245ba63fd22e08714cb388297bb1c9742bf414b6bc80924688bb4faf0a1c8c5a25d48e805f0c62050cdc861632ca5df63717c03c38cfb9c0df1d05d349e95

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Extension Rules\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Network\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Network\Network Persistent State

Filesize
1KB

MD5
5fbd20cab5b267e6e58560d4c3e6aa5b

SHA1
98aee94713e24beb9375410a19f660d5825496bd

SHA256
c44ea23184ca9a48861c0c2b35fec4847763a41620642f64eda5911f0b211603

SHA512
fadd2563bd7115669fa6fe8822d1c84d3886517f1d664ff979baf338c9669ba41830b3322b328224cf548ceedd188634af1b385fbae40b66e39a20bd35cabc01

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Network\Network Persistent State~RFe5f2a26.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Network\TransportSecurity

Filesize
523B

MD5
88bd96a943fe33168ec1220acd313dcb

SHA1
415a23140769a61b5d99fb38043b6d6460bef47d

SHA256
4c993f18e2d4594a68f011f762ec31ea544c402623729de089842a8fe4e99d61

SHA512
7c45889cc487db6d75f5c30f1d669c068711743791f51a61e393a153576660ce8a6728d6a3cb9be8906c29d9c9d5282229d62840a58d3589d41afa11fde37b91

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Preferences

Filesize
5KB

MD5
82a9fa6c502b39b5dae191effcd20ea8

SHA1
0e494a016fe7887588a4bffde66a502daeb9ca4a

SHA256
bec50471c5af527b736b7af89a9c1290d62bd0cb7dabf497a29e4308cd3f3508

SHA512
9e21e9a2dedab28a467ca54753f705b61e8ea62a87a760f62b35f108a502cc7f74a33af0c737a368ac5b443fcc9a8d03f4a49c26fe0e197d152abc971a4d58e9

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Preferences

Filesize
7KB

MD5
9c743a619a4b11b487bbabd58f5f8d28

SHA1
7571b7b0866ca00413b4deca7e99cae1e5e47ee0

SHA256
a2c8def7b64d196bde04a0012c962a3f9ee761efd9979d6946d4f505b110cb96

SHA512
def0f7768bf8a03ac04f0dd66774c61b52cf7bc45267327bc9c85b007269c82ee4f34300dce24198ad7dea46509e9a08189e678ba80b5aa6a8f2a6d0569b7e22

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Preferences

Filesize
7KB

MD5
1aee336185d7e5a2090d755f1522b0a7

SHA1
539280f7cbbd03d942ff0ae2595d4dc8670954d4

SHA256
f8899a5999f009e2002729ed7932ef6305379c1a04b2689b7d03d7eb8bb3424d

SHA512
56653a2c3fb5e99d2fe8f87448b07d69c969b0334045f312a194f163df8cd10da38ac767290952e583d668ca932463f2cbc0b0c41defbc669fe959061efd6cad

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Preferences

Filesize
7KB

MD5
ea64414a87e61c8873ee5ccf07df4505

SHA1
29f44431a6536411087281d4f332d5ea89da1481

SHA256
d7165e6b34f12f1e63e1e7922db73e6fb7f13eda8201c8d336de2f35580ecb07

SHA512
e00b8af846cd236fae38227d6e1b8ab03c26919ad82f6cce3bb02c9ccbf177ed1c72c4cedb7f92ab4d15b299f39e70cc29acc2d6af3fc70d6796237a2883b780

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Default\Preferences~RFe5f1edb.TMP

Filesize
5KB

MD5
831295e29ebedc50e4114136d3d2688f

SHA1
9d8c2f8ae04444d7e141d718bf780eab4394d72a

SHA256
d6b64f7ddb6f6726cdf1e6980e92fc42e7e360b1a8cf96b53e455044dced63cf

SHA512
c78109a519643ac925038e1fb92be9043f9bb62751ca2c5c8a33a8aac01d3014d4e2a284fc0bd4de26addb79eebaac41da26016f2e24f7e6020cb08dba0af0c2

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Local State

Filesize
15KB

MD5
edc49fd336736f372a266dfef0987e27

SHA1
b86d38ee13cbbb91b4ae45af3272790b52fae735

SHA256
af1b624dd8fffee172049c4e061e2e55ab5d8b9629d99827552b3d21dfd4187e

SHA512
a38187beb14bf787ca513f7d942e64ef66f10eafdebeb0071b84ea09a5461d6f2841ec4306e119275021143a303998d8cf53128b7e65c2b2239d2d2fc631835b

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Local State

Filesize
15KB

MD5
382d1cf89666a0a55c09273fdabaebe5

SHA1
28f85da48d71e2fd5aac3226e000d4e33195bdf1

SHA256
9f5b0c619a25173a5fd22508c18b9c42bc1ade47ddd3a6ff8c918d619ea315ac

SHA512
6b2e5f7bd13ad13033f0f4a2aa187fff34bf2882b68811b3a424ea027af534437b1afd57043d2665129c662e1c6a72e1943f3ad600b4d9c0f40772c5023df458

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Local State

Filesize
1KB

MD5
04edf4ddcbefce8f3c7eff55026fd7a5

SHA1
86e761b68a95a6b01b8edc1281c4cd869bef5d76

SHA256
6f4d19b00e8dfa8b300c8baf84287f8b563436bb6a386bea588d2420c1a159de

SHA512
244d2d40eaa64163675c521ddd596cc61ff28aae8be452f8d0e7dedb6d978fe616ee024812ad61875a67b0839af662d0c0984086d311df5681bb464943849740

Download Submit
C:\Users\Admin\AppData\Local\Devolutions\RemoteDesktopManager\WebView2.Cache\UI\EBWebView\Local State~RFe5ed000.TMP

Filesize
929B

MD5
c4bd18c0bb37ce526d092bcf8fbf21f8

SHA1
2f76d53239b68f63511a28e7b7ddbd13030b4c44

SHA256
5ad33501393c27c1dd981985378045ee1c405920cd92059c5908a78591c3037a

SHA512
44718ae8a72c1ed8cf21e84701d60c4127c8ac42d3918f57e28c3c6417dbff1ee62c897366c92d54f09eb5b1d90d76bdc8466ed5db4782dd97b06c75b3870b40

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
901B

MD5
5974c01efd62bdf999eaa84b0b05a73d

SHA1
2a8b244307a94801e79f02eb008db3a01732b694

SHA256
f6a9871fd0337220e0e2be402a804542b3930635fbec05c3b9ad7ef1742597bb

SHA512
5284a3c952269bf54cff50ed6450bcf2d8a3c3d4156d4df6454db2cc59df4465c74e2593f49de353b1326a1fe6b870b06927949b59bfe407b62444bc29bf8cd7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
36dd99c5bdd38119fb306fdb77dff031

SHA1
16397d58940b4baaae44192d8858905617d3e976

SHA256
6a2c32fe32baa9fc6e85542f6c65322d1e7a82f0aec12f331e4c9e859abc0694

SHA512
efa0ee304261f1f572252e398d5086017f46608d839f099fcea7516c21c7a18cf16c7419085b38084a13336d0bbb1b156705b5d5e19a454e9dfd2738e22a868f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
d9f05446ec07c10011fe9ac2865d3cbf

SHA1
84644167f7e21a0ecdbd8daa9d7b84fb0f94bb57

SHA256
25deb870dbfaec448c63dff1ce814a3620d131aa6e92956890be7c666765904d

SHA512
387c05dbfe94b5b8fa17ec02371d27e7d622b50ad96352e9043f6930ec4b866dc5a020d1a36fef9ee1c6f675bab1d17cfeb3b9a78305c3b138ab94f239408e41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
87651fe3394b68634f17ec2e7c82587c

SHA1
1cbd990411e12e4e08863256381657f544b9a2df

SHA256
131dfc3e9679a475471ea934eee28ee19513c5e9fe16822dae8fedf060541999

SHA512
4b44c6dde1683fb17b0810405f2cc37052ce19ffd8c7bf04de934b839b6cc96f9b0cf5f5677b2f398f7d3c8c26b496d43da7a64d4f08f8215e6f60605f73ed09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
109KB

MD5
3979446ca7090539254d2c75139a681b

SHA1
be3bfcc8ec6a5762404ce44d5f0fbb8586113f3d

SHA256
2140b24f80f66ee57cd5a7d8a7a9ac1f5ca77314e6a18359c623cf8591f303a0

SHA512
cfd49f95bbf6a489174e9cf9549bff1463fdc9077dd4bbe1d83edad239d0d7e771e9f519278b2230f0fd4cb70708d7766b626fa1f0e6e3778a2aafaf36f7f544

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
e0f4b70d21ccb9d8712b1cdc1a770707

SHA1
b8bfa88355d81d93f58227eb9315157543103f37

SHA256
725a9ad79babff9e28b7b54ba8ad0a9bf7578f6d795d80930bdfdce72eba6eb1

SHA512
59e86959ee5bb77ad71eae3520ec27a8096908e8a1d89dc15c9137cfa9514e459b52c4f382c8a3c3861effcc4fc77ec0d39437dd97cf938cba67baf899769678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
94KB

MD5
0282a98de225284f8b8fbfe80a1ccb4b

SHA1
76813ac59cd4182aaf0f7e92a949ddc1244af07e

SHA256
e7161775b6c85f65b74b8746e9f51936be71f595ef3ffcc7a2b1525e48eea095

SHA512
075369ea3a142d6f0d14275469be5e25ba390e87ed915f7c76d1346d8ededfb3df0d214dfd108455933059f0f692cb9748c0b68dd36057b156b4c0149a693a9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
f180518a894672d7371a4165c3f4e2f9

SHA1
0e504e7787421a1f144fdbb56db93b72ede9e2cb

SHA256
4fe04ca8256b821d76d087ee229af2231cf9fe3dc0cf2342f2f83c9b14e56d3f

SHA512
b04aabaa2750dffdf0bd9d17e12d8f6a72541effe18f1b151746fddec9c6acbd80d46826a93a30f592eabef657de1568659af6bdcd560ffa09e189ac8a2b8c7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
5628fc67d427b3d9cce5ec474002144c

SHA1
0dfd5c478ae7bcd33b3e6918be4ce95ae02dd2c6

SHA256
3c40afa9314bd3052a96fe154429693eeaaa6da7f8048166fb25d3426a6cd6d8

SHA512
a76c93c89dc769c8f8b07463c751a68c370d011be28b94bb6d69ba015e13dda8dd5a8d8cf96e794c00087894f68643b2f969a00abfe6424a1bd0da61ef91e5c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
89KB

MD5
db02577a0a3602b70ab5bc25a4afa35d

SHA1
935e8d648ce8b36baa2b66b78a7af5c852a9edeb

SHA256
589f5234bce377adab9e7625e3efe561c9b6d98b48501a29eb6fe8d9e4c1f4e7

SHA512
eb68d22b4c5bd1cd657b8c23e0ff992cd3b38062ad56e8040f7b891c29848f11f23ea85f5c1138e8c89905d3d2ada8dee8758d34e88fd97ed5a45e4c648a5f44

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
46043738c3ed9f71b7c90a958112795f

SHA1
3288f5b56061c0f03a191a85818005f4371f4a8a

SHA256
5a7d26d05eedbd56ad2e9558458de7d08679dc787a9db3dbc6f53a71c1343525

SHA512
03fecb0170cdecb13ea4d3b3e089d3297b6a46dc85ca3650d513a3ef95fb468434d4c902408f687cf4daf13005dfb395c3f4b1bf5dc19e721e400b9eb23076b8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI7079.tmp

Filesize
555KB

MD5
4d436978faaef6c90ad5b208102fa0b4

SHA1
08930ae826c426ebfc3f96c324319bd9384472c0

SHA256
6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

SHA512
692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB597.tmp

Filesize
555KB

MD5
4d436978faaef6c90ad5b208102fa0b4

SHA1
08930ae826c426ebfc3f96c324319bd9384472c0

SHA256
6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

SHA512
692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB597.tmp

Filesize
555KB

MD5
4d436978faaef6c90ad5b208102fa0b4

SHA1
08930ae826c426ebfc3f96c324319bd9384472c0

SHA256
6cb47f74d25952c087bd9f04eea54e0c0e80cc9e6b052f2bdc1d8a328ac955be

SHA512
692073337de46817d6deac61b462d22cfc8f5126936f3858bca938c3bfd205ea2ae55b89589bc61453bfe826feec8b4e251d4d5bdc68c9149a18ceacd7e1f153

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB6A1.tmp

Filesize
1.0MB

MD5
ad746298a5b92360db0a60114f13b2a1

SHA1
d981e47956a2e130048e0c02fb2054cf13b866c6

SHA256
c0d56b0f0c349640018865d8509732d573c95beef69c1d78565487f83e70cc0b

SHA512
4a467e28ff69ae0d8bda1af1f1eddb14cb7f5e7156b9661e1e9f8243bdc4320b054480672653f385d16fa2a7ca053acc6dbc71dfeace40bbd2ec1bd5a6abe238

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIB6A1.tmp

Filesize
1.0MB

MD5
ad746298a5b92360db0a60114f13b2a1

SHA1
d981e47956a2e130048e0c02fb2054cf13b866c6

SHA256
c0d56b0f0c349640018865d8509732d573c95beef69c1d78565487f83e70cc0b

SHA512
4a467e28ff69ae0d8bda1af1f1eddb14cb7f5e7156b9661e1e9f8243bdc4320b054480672653f385d16fa2a7ca053acc6dbc71dfeace40bbd2ec1bd5a6abe238

Download Submit
C:\Users\Admin\AppData\Local\Temp\RDM\HtmlAssets\240617e4-540e-4500-b3ea-96305be1094b.htm

Filesize
57KB

MD5
be7e8a3bd47324b9726275313e66ab2b

SHA1
d43ce263ff6513ad9dac365e0cce085de2e1b2c1

SHA256
5328368c942d0aca2f62b8e60255d611cae57e3d893d9101ca79211c41a13783

SHA512
2a7a3e82055d6f354a90ad61f7e6324ef46ff8e755f455f70c4bcb24018bb3d663b2c9569c28388fcde7ad673531a292674163121aa8d72387255ee05ffeccbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_0zjnry4t.daf.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\install\09E8D2C\Setup.RemoteDesktopManager.2023.2.22.0.msi

Filesize
9.9MB

MD5
9bbdbaa859974cb4c6b88d1aad0e9770

SHA1
d82365ba28310b79457f4da54ea44dc4f62e849d

SHA256
860c02f4484b5b2dda81c3dec9bfe21cd3e3e0d983737946984daf2a6704e87f

SHA512
5de76d78b2b612fc9c9a9857905318ad32da99a4384da4fd5344001fcf3d4e1f82f553b2232733b222a3a48b1c70136c19cf173aefd5d83625bec316d058395a

Download Submit
C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe

Filesize
1.7MB

MD5
b97ff6d43d00ae1df8b45f13c3348c0e

SHA1
25c34e3cdafbf5ae0b920d03a19022cf88908888

SHA256
0568839c9f95b04b863f292589f930c63f0375e6db462b38b6aae7410ce02584

SHA512
161541bd608f99cd2471d0b0f42e06feb9ce5cd68be2725f2aa61db2b6a3e78320545dd67bf5427065408b8b2fb761f88ae9518b05b4df4f891d984d6b6b39dd

Download Submit
C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe

Filesize
1.7MB

MD5
b97ff6d43d00ae1df8b45f13c3348c0e

SHA1
25c34e3cdafbf5ae0b920d03a19022cf88908888

SHA256
0568839c9f95b04b863f292589f930c63f0375e6db462b38b6aae7410ce02584

SHA512
161541bd608f99cd2471d0b0f42e06feb9ce5cd68be2725f2aa61db2b6a3e78320545dd67bf5427065408b8b2fb761f88ae9518b05b4df4f891d984d6b6b39dd

Download Submit
C:\Users\Admin\AppData\Roaming\Devolutions inc\Remote Desktop Manager\prerequisites\WebView2\MicrosoftEdgeWebview2Setup.exe

Filesize
1.7MB

MD5
b97ff6d43d00ae1df8b45f13c3348c0e

SHA1
25c34e3cdafbf5ae0b920d03a19022cf88908888

SHA256
0568839c9f95b04b863f292589f930c63f0375e6db462b38b6aae7410ce02584

SHA512
161541bd608f99cd2471d0b0f42e06feb9ce5cd68be2725f2aa61db2b6a3e78320545dd67bf5427065408b8b2fb761f88ae9518b05b4df4f891d984d6b6b39dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ff657bea2eafa68.customDestinations-ms

Filesize
2KB

MD5
06071ef9e4cbeed8eef5c402c82b0daa

SHA1
d16f0ed7142a6113dc6386744fc7de45507bfe7a

SHA256
9990bdf9a73b7d56faec1697b5a6e927a874832b0f991567e6049ebc23226917

SHA512
d84022e68fcce5631e802d35f2b369d2aad4dd43ae7c96595debdd05a7c35264a2985ff7e503e45cad4c3a19d2db0838a56374733dfb77448f597d4c14cf3b62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ff657bea2eafa68.customDestinations-ms

Filesize
2KB

MD5
7df26545182452061f344dcc1bcc4f5e

SHA1
00fea79c20b36aa4a0699486212cba1c5887102b

SHA256
2d18acc8dfe78ad8b83864fe4583d8479dfe1d38844a4d5de6430e61b2662160

SHA512
63f69f51cafe70cf94d98890d7dcc4aa23fca4b30ab4dff69aad0de2a51dac3d5ab2a9cf5ff101c544abf8be429f9f187576425e06dfa9dfcac5cb20a2605ac3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ff657bea2eafa68.customDestinations-ms

Filesize
2KB

MD5
314fdd38922b2a2a805c611730628b0e

SHA1
e964f5f5eeddc5bd3874c6d5d54dce1490b88e76

SHA256
d28267d43e5da2bde9db105c6fc8289838b4924944992e0f75e99d33fdc68eda

SHA512
1f03c3ea4fbec9a6c2de245150016046a3c5cad322d6d4d85de8fb8681428e2c2a96d7e35f4140f0377668e7cbe941d4d0383f1f721bb56eafcaf0aabed80218

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ff657bea2eafa68.customDestinations-ms

Filesize
2KB

MD5
d2533b511c5181ba2fe4b6efc135b2d0

SHA1
5b30f8fa8b6d8b5c9478203d8ed7c8fd13ce33bc

SHA256
1a459af1c6f3e2ff95799e58a0e56d95dd257cc822fa882e9e1c119d306b0008

SHA512
fa5cfa9431f568a80612088bd627abcb82a17f7a7a9887f9bf853a48b21ff5c3c7119a00f4f0acde5c840a97b73bfae25b6872564a6613faa2eb9b12ba0e00f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ff657bea2eafa68.customDestinations-ms

Filesize
12B

MD5
e4a1661c2c886ebb688dec494532431c

SHA1
a2ae2a7db83b33dc95396607258f553114c9183c

SHA256
b76875c50ef704dbbf7f02c982445971d1bbd61aebe2e4b28ddc58a1d66317d5

SHA512
efdcb76fb40482bc94e37eae3701e844bf22c7d74d53aef93ac7b6ae1c1094ba2f853875d2c66a49a7075ea8c69f5a348b786d6ee0fa711669279d04adaac22c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9ff657bea2eafa68.customDestinations-ms

Filesize
2KB

MD5
5ef81da5c50c95c0b2c5061cdbc4eab6

SHA1
d8e154415bb5e9ed5f48a05537089c2aca23e6b8

SHA256
21996780ab87d0d6aa5eb1886e26295195225fe287e256a3c97b357f079c75d5

SHA512
8e999044d4b81e2eb097ab51666fec960d44e110d2e66366c89c0b8d1bdf4b11f4b194678d96f47029392746a6c65b83e0a38ab2d5ab2107269bf92b704f70c0

Download Submit
C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe

Filesize
225.9MB

MD5
5c31b9dc9d07fc0c5adf9c18caa87222

SHA1
3185a04ddbb87a341d23ebb0648167df98dd7ce8

SHA256
a94b30dfec6f42d3b7cf4c9bd9259bf88f03271c2ddc81db26ea23307d4a1827

SHA512
21468bc1d6b9a1b30054c7c86a1654fbc11f9d04ac5dfd91470c9a64a859bbda9ed9ec1852f1eba3de7bf16e2695d3bb8dca14827fdccee7eb6a53a7131253cc

Download Submit
C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe

Filesize
225.9MB

MD5
5c31b9dc9d07fc0c5adf9c18caa87222

SHA1
3185a04ddbb87a341d23ebb0648167df98dd7ce8

SHA256
a94b30dfec6f42d3b7cf4c9bd9259bf88f03271c2ddc81db26ea23307d4a1827

SHA512
21468bc1d6b9a1b30054c7c86a1654fbc11f9d04ac5dfd91470c9a64a859bbda9ed9ec1852f1eba3de7bf16e2695d3bb8dca14827fdccee7eb6a53a7131253cc

Download Submit
C:\Users\Admin\Downloads\Setup.RemoteDesktopManager.2023.2.22.0.exe

Filesize
225.9MB

MD5
5c31b9dc9d07fc0c5adf9c18caa87222

SHA1
3185a04ddbb87a341d23ebb0648167df98dd7ce8

SHA256
a94b30dfec6f42d3b7cf4c9bd9259bf88f03271c2ddc81db26ea23307d4a1827

SHA512
21468bc1d6b9a1b30054c7c86a1654fbc11f9d04ac5dfd91470c9a64a859bbda9ed9ec1852f1eba3de7bf16e2695d3bb8dca14827fdccee7eb6a53a7131253cc

Download Submit
C:\Windows\Installer\MSI5375.tmp

Filesize
615KB

MD5
10d55ee48669a2f605ebcdb532601903

SHA1
5088596de5e5feb133342f36e21bc35f2f1f00e6

SHA256
4ceb724853520f91f90c1c798358b212a3eaf7d8a28fb06c8fca081a61745068

SHA512
41b7f81fcf29d4518eda65efab28b58716b36aa932d8ed6204f33af68a96c4744dcc993da617810a9d4c1438ec6458b01432978f99832468706b07efff81ae57

Download Submit
C:\Windows\Installer\MSI551C.tmp

Filesize
329KB

MD5
c03b76f392f97d9b3f9d043b11340f70

SHA1
f81d115f6a682af5b4584ce10d759b392e8c7203

SHA256
6975354e6cc25f6eb1a372c1aa7a8f18b0a85bf48c7d05e0c548358265ee4515

SHA512
8963c733e9fecdba843ca9ce40c33adf0f62351e165991907cb9f0aef0089dc74c3254579f93ba6d22e78633ef40eb8d97fa5c876161397005feb21d598a7b20

Download Submit
C:\Windows\Installer\MSIEA75.tmp

Filesize
703KB

MD5
64db9cc618b0922ab26a8d0509bc5b01

SHA1
39447313e4cdeba534af06c5836512fe33e427ad

SHA256
312ed3b483ce2aa7762d80a895d3326476958b2538933a8e04ec6bd5f67e28f3

SHA512
2231047c1da0cff56a3e3baecb98b86792cbe6e2381169327542fcbef15f77dd1214af8c0b961c7385dca924b9bc8e59e17adfd8c775ecaf5173e106c2f8256f

Download Submit
C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\banner.jpg

Filesize
7KB

MD5
5983357ad5e4aa7b0f10b5c8f420cab3

SHA1
51c95ab2fb06506b91d5c7d33bf8eedda7838672

SHA256
a3758a05fe3fac138f623284f2aaaa404146b2cfe2639f6e6080e85189c0cb82

SHA512
9a5d0f29215f46b003618e6ac22004bc225b93e9c92dbdc8aadc0cff59740e0068ebafdd912551b4f3e648288f35d2dd2f34ba79752eb5b387353c937b0decf6

Download Submit
C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\dialog.jpg

Filesize
25KB

MD5
3d0ece14bc5feee9d007aaf841c85b41

SHA1
0543484ba1227c149add438ff8dbd12b6cfa53cf

SHA256
40ce475fba2d0016b56665c8291128f1249082752e149b8a1f3532f53eeb4ffb

SHA512
ae76cf2766479b591da57ed3dbbc89c70ffae52bbf05a285b25fed13e588635bc7aa78f785f88a2f0efc2fbcb6efb09d7cbe389a843aeac76d4c632c9bb13c9a

Download Submit
C:\Windows\SystemTemp\AI_EXTUI_BIN_3168\rdmfreebanner.gif

Filesize
189KB

MD5
bcd360323fdcf8368b9178f8ae8e97be

SHA1
214966667b5ab2c3788bc7be7794020ff3b7a273

SHA256
261d0ce2f2127947f8ad41b6d34dd8ff4969455975091785ff617b0c61eef532

SHA512
3821926947efe90bf5c915855aed514a99ca34add69b4182859da33f31f796101016a3773086c091426cd31ed60ce9c7b4b0b9d95c34a07e8d074325e69a6bad

Download Submit
C:\Windows\SystemTemp\shiE34E.tmp

Filesize
4.8MB

MD5
77d6c08c6448071b47f02b41fa18ed37

SHA1
e7fdb62abdb6d4131c00398f92bc72a3b9b34668

SHA256
047e2df9ccf0ce298508ee7f0db0abcb2ff9cff9916b6e8a1fbd806b7a9d064b

SHA512
e1aeb8e8b441d755a119f45a465ca5660678f4131984322252bfb6d2cec52e7ee54d65a64b98429b23915eb5707b04b5cd62a85446c60de8842314130a926dbd

Download Submit
memory/1244-2198-0x00007FF86BAE0000-0x00007FF86BAE1000-memory.dmp

Filesize
4KB

Download
memory/3972-2001-0x000001D8799C0000-0x000001D8799E4000-memory.dmp

Filesize
144KB

Download
memory/3972-2034-0x000001D87C620000-0x000001D87C6BC000-memory.dmp

Filesize
624KB

Download
memory/3972-2049-0x000001D87BFE0000-0x000001D87BFF2000-memory.dmp

Filesize
72KB

Download
memory/3972-2050-0x000001D87C0C0000-0x000001D87C0E6000-memory.dmp

Filesize
152KB

Download
memory/3972-2051-0x000001D87B780000-0x000001D87B788000-memory.dmp

Filesize
32KB

Download
memory/3972-2052-0x000001D87C1F0000-0x000001D87C20E000-memory.dmp

Filesize
120KB

Download
memory/3972-2053-0x000001D87BF80000-0x000001D87BF8A000-memory.dmp

Filesize
40KB

Download
memory/3972-2054-0x000001D87C580000-0x000001D87C5A4000-memory.dmp

Filesize
144KB

Download
memory/3972-2055-0x000001D880680000-0x000001D880732000-memory.dmp

Filesize
712KB

Download
memory/3972-2056-0x000001D87C0F0000-0x000001D87C100000-memory.dmp

Filesize
64KB

Download
memory/3972-2057-0x000001D87C210000-0x000001D87C230000-memory.dmp

Filesize
128KB

Download
memory/3972-2058-0x000001D882490000-0x000001D882916000-memory.dmp

Filesize
4.5MB

Download
memory/3972-2059-0x000001D880740000-0x000001D8807EA000-memory.dmp

Filesize
680KB

Download
memory/3972-2060-0x00007FF84EC40000-0x00007FF84F701000-memory.dmp

Filesize
10.8MB

Download
memory/3972-2046-0x000001D87BFB0000-0x000001D87BFD6000-memory.dmp

Filesize
152KB

Download
memory/3972-2045-0x000001D87B760000-0x000001D87B76E000-memory.dmp

Filesize
56KB

Download
memory/3972-2044-0x000001D87B700000-0x000001D87B708000-memory.dmp

Filesize
32KB

Download
memory/3972-2083-0x000001D87C0F0000-0x000001D87C100000-memory.dmp

Filesize
64KB

Download
memory/3972-2084-0x000001D87BF90000-0x000001D87BF9A000-memory.dmp

Filesize
40KB

Download
memory/3972-2085-0x000001D87C960000-0x000001D87C9DE000-memory.dmp

Filesize
504KB

Download
memory/3972-2087-0x000001D87BFA0000-0x000001D87BFAE000-memory.dmp

Filesize
56KB

Download
memory/3972-2086-0x000001D87C0F0000-0x000001D87C100000-memory.dmp

Filesize
64KB

Download
memory/3972-2042-0x000001D8813F0000-0x000001D8816AE000-memory.dmp

Filesize
2.7MB

Download
memory/3972-2041-0x000001D87B6D0000-0x000001D87B6DE000-memory.dmp

Filesize
56KB

Download
memory/3972-2040-0x000001D87B6C0000-0x000001D87B6CA000-memory.dmp

Filesize
40KB

Download
memory/3972-2000-0x00007FF84EC40000-0x00007FF84F701000-memory.dmp

Filesize
10.8MB

Download
memory/3972-2039-0x000001D87D7B0000-0x000001D87D89C000-memory.dmp

Filesize
944KB

Download
memory/3972-2038-0x000001D881040000-0x000001D8813E6000-memory.dmp

Filesize
3.6MB

Download
memory/3972-2037-0x000001D881820000-0x000001D881FF6000-memory.dmp

Filesize
7.8MB

Download
memory/3972-2036-0x000001D87CA20000-0x000001D87CBBA000-memory.dmp

Filesize
1.6MB

Download
memory/3972-2018-0x000001D87D8B0000-0x000001D87F2F2000-memory.dmp

Filesize
26.3MB

Download
memory/3972-2035-0x000001D880B60000-0x000001D881036000-memory.dmp

Filesize
4.8MB

Download
memory/3972-2019-0x000001D87C240000-0x000001D87C518000-memory.dmp

Filesize
2.8MB

Download
memory/3972-2221-0x000001D87C0F0000-0x000001D87C100000-memory.dmp

Filesize
64KB

Download
memory/3972-2047-0x000001D87C880000-0x000001D87C8DE000-memory.dmp

Filesize
376KB

Download
memory/3972-2033-0x000001D87BF60000-0x000001D87BF74000-memory.dmp

Filesize
80KB

Download
memory/3972-2245-0x000001D87C0F0000-0x000001D87C100000-memory.dmp

Filesize
64KB

Download
memory/3972-2248-0x000001D87C0F0000-0x000001D87C100000-memory.dmp

Filesize
64KB

Download
memory/3972-2032-0x000001D87C520000-0x000001D87C578000-memory.dmp

Filesize
352KB

Download
memory/3972-2031-0x000001D87B6E0000-0x000001D87B6FA000-memory.dmp

Filesize
104KB

Download
memory/3972-2030-0x000001D879F40000-0x000001D879F4A000-memory.dmp

Filesize
40KB

Download
memory/3972-2029-0x000001D87C010000-0x000001D87C0C0000-memory.dmp

Filesize
704KB

Download
memory/3972-2028-0x000001D87C100000-0x000001D87C1E8000-memory.dmp

Filesize
928KB

Download
memory/3972-2027-0x000001D87C0F0000-0x000001D87C100000-memory.dmp

Filesize
64KB

Download
memory/3972-2314-0x000001D882000000-0x000001D8822F8000-memory.dmp

Filesize
3.0MB

Download
memory/3972-2026-0x000001D879F70000-0x000001D879F8A000-memory.dmp

Filesize
104KB

Download
memory/3972-2025-0x000001D87B710000-0x000001D87B75C000-memory.dmp

Filesize
304KB

Download
memory/3972-2024-0x000001D879F50000-0x000001D879F6C000-memory.dmp

Filesize
112KB

Download
memory/3972-2359-0x000001D87C000000-0x000001D87C00C000-memory.dmp

Filesize
48KB

Download
memory/3972-2023-0x000001D87C6D0000-0x000001D87C87A000-memory.dmp

Filesize
1.7MB

Download
memory/3972-2022-0x000001D87D280000-0x000001D87D7A6000-memory.dmp

Filesize
5.1MB

Download
memory/3972-2021-0x000001D87CBD0000-0x000001D87D272000-memory.dmp

Filesize
6.6MB

Download
memory/3972-2020-0x000001D87F300000-0x000001D880680000-memory.dmp

Filesize
19.5MB

Download
memory/4332-1951-0x00007FF84EC40000-0x00007FF84F701000-memory.dmp

Filesize
10.8MB

Download
memory/4332-1946-0x000002367EAE0000-0x000002367EB18000-memory.dmp

Filesize
224KB

Download
memory/4332-1947-0x000002367F300000-0x000002367F350000-memory.dmp

Filesize
320KB

Download
memory/4332-1948-0x00007FF84EC40000-0x00007FF84F701000-memory.dmp

Filesize
10.8MB

Download
memory/4332-1949-0x000002367FCB0000-0x000002367FCC0000-memory.dmp

Filesize
64KB

Download
memory/4484-2182-0x00007FF86BAE0000-0x00007FF86BAE1000-memory.dmp

Filesize
4KB

Download
memory/4916-2199-0x00007FF86D520000-0x00007FF86D521000-memory.dmp

Filesize
4KB

Download
memory/4916-2200-0x00007FF86D100000-0x00007FF86D101000-memory.dmp

Filesize
4KB

Download
memory/4968-1981-0x00007FF84EC40000-0x00007FF84F701000-memory.dmp

Filesize
10.8MB

Download
memory/4968-1956-0x00007FF84EC40000-0x00007FF84F701000-memory.dmp

Filesize
10.8MB

Download
memory/4968-1957-0x00000227C9660000-0x00000227C9670000-memory.dmp

Filesize
64KB

Download
memory/4968-1963-0x00000227C9660000-0x00000227C9670000-memory.dmp

Filesize
64KB

Download
memory/4968-1964-0x00000227E3550000-0x00000227E3572000-memory.dmp

Filesize
136KB

Download
memory/4968-1977-0x00007FF84EC40000-0x00007FF84F701000-memory.dmp

Filesize
10.8MB

Download