Analysis
max time kernel: 581s
max time network: 571s
platform: windows10_x64
resource: win10v20210408
submitted: 17-04-2021 17:08

Static task: static1
Behavioral task: behavioral1
Sample: NS/nipperstudio-2.9.1-win64.exe
Resource: win10v20210408

General
Target: NS/nipperstudio-2.9.1-win64.exe
Size: 136.1MB
MD5: cbf70f826ccdee520631f1d73cec854c
SHA1: d4bca4aa0f8d116d1ccb5b10e5e16856630d5755
SHA256: 043659ccabb62e37b7ac1341c34418ea8202ab4b3b663ed4382b319ffde2abd4
SHA512: 51304f30b97648439f7f2f3e716d506f50abd752ba9954279a142de4e887823a57c638c09c6d49b810ae185c8df0dcff84931d9d9719a885d9046c2087f2e96e

Malware Config

Signatures
Blocklisted process makes network request 1 IoCs
Processes:
flow  pid   process
16    2064  msiexec.exe
Executes dropped EXE 13 IoCs
Processes:
pid   process
2300  vc2010redist_x86.exe
3908  Setup.exe
3180  vc2013redist_x64.exe
3184  vc2013redist_x64.exe
2060  vc2017redist_x86.exe
1340  vc2017redist_x86.exe
3968  vc2017redist_x64.exe
3160  vc2017redist_x64.exe
3836  rm-update-nipper.exe
3648  nipperstudio.exe
4072  QtWebEngineProcess.exe
704   nipperstudio.exe
2000  QtWebEngineProcess.exe
resource  yara_rule
\??\c:\fd1930c243832266cf9759ad9ba9\vc_red.msi  office_xlm_macros
C:\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\vcRuntimeMinimum_x86  office_xlm_macros
C:\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\vcRuntimeAdditional_x86  office_xlm_macros
Loads dropped DLL 64 IoCs
Modifies file permissions 1 TTPs 4 IoCs
Processes:
pid   process
1492  icacls.exe
200   icacls.exe
2216  icacls.exe
1088  icacls.exe
Adds Run key to start application 2 TTPs 4 IoCs
Processes:
description  ioc  process
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{050d4fc8-5d48-4b8f-8972-47c82c46020f} = "\"C:\\ProgramData\\Package Cache\\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\\vcredist_x64.exe\" /burn.runonce"  vc2013redist_x64.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  vc2017redist_x86.exe
Set value (str)  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{c239cea1-d49e-4e16-8e87-8c055765f7ec} = "\"C:\\ProgramData\\Package Cache\\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\\VC_redist.x86.exe\" /burn.runonce"  vc2017redist_x86.exe
Key created  \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce  vc2013redist_x64.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 64 IoCs
Drops file in Windows directory 37 IoCs
Launches sc.exe
Sc.exe is a Windows utility to control services on the system.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Checks SCSI registry key(s) 3 TTPs 64 IoCs
SCSI information is often read in order to detect sandboxing environments.
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
description  ioc  process
Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  Setup.exe
Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  Setup.exe
Modifies data under HKEY_USERS 10 IoCs
Processes:
description  ioc  process
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\16\52C64B7E  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections  svchost.exe
Key created  \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache  svchost.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\17\52C64B7E  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\18  msiexec.exe
Key created  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\19  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\16  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\17  msiexec.exe
Key deleted  \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\18  msiexec.exe
Modifies registry class 64 IoCs
Processes:
msiexec.exe, nipperstudio.exe, msiexec.exe, vc2017redist_x86.exe, vc2013redist_x64.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D04BB691875110D32B98EBCF771AA1E1\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50\95D2226EC80681038BB696DB42A1DC5E | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14\Version = "14.10.25008" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | nipperstudio.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\Shell\SniffedFolderType = "Generic" | nipperstudio.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | nipperstudio.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 | nipperstudio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\,,x86,14.0,bundle\DisplayName = "Microsoft Visual C++ 2017 Redistributable (x86) - 14.10.25008" | vc2017redist_x86.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\,,x86,14.0,bundle\Dependents\{c239cea1-d49e-4e16-8e87-8c055765f7ec} | vc2017redist_x86.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95D2226EC80681038BB696DB42A1DC5E\SourceList\Media | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 | nipperstudio.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg | nipperstudio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1" | nipperstudio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\Dependents | vc2013redist_x64.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\DeploymentFlags = "3" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95D2226EC80681038BB696DB42A1DC5E\VC_Runtime_Additional | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\SniffedFolderType = "Generic" | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D04BB691875110D32B98EBCF771AA1E1\SourceList\Media\1 = ";1" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\SourceList\Media\1 = ";" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\ProductName = "Microsoft Visual C++ 2017 x86 Minimum Runtime - 14.10.25008" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\60DB5E5629367203C8625813703DFCA1 | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 | nipperstudio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" | nipperstudio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D04BB691875110D32B98EBCF771AA1E1\DeploymentFlags = "3" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v12 | vc2013redist_x64.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95D2226EC80681038BB696DB42A1DC5E | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95D2226EC80681038BB696DB42A1DC5E | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\15E8B87C56C0E773581D82F286F95E50 | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\1 | nipperstudio.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7 | nipperstudio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D04BB691875110D32B98EBCF771AA1E1\PackageCode = "C1DA530F3C54661468F52C7FDC94851B" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\ = "{050d4fc8-5d48-4b8f-8972-47c82c46020f}" | vc2013redist_x64.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000007800000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 | nipperstudio.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\SourceList | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_x86,v14\DisplayName = "Microsoft Visual C++ 2017 x86 Additional Runtime - 14.10.25008" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95D2226EC80681038BB696DB42A1DC5E\InstanceType = "0" | msiexec.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\Shell\KnownFolderDerivedFolderType = "{57807898-8C4F-4462-BB63-71042380B109}" | nipperstudio.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D04BB691875110D32B98EBCF771AA1E1\Servicing_Key | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\AdvertiseFlags = "388" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings | nipperstudio.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\InstanceType = "0" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95D2226EC80681038BB696DB42A1DC5E\Assignment = "1" | msiexec.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202020202020202 | nipperstudio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257" | nipperstudio.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\8\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D04BB691875110D32B98EBCF771AA1E1\SourceList\Net\1 = "c:\\fd1930c243832266cf9759ad9ba9\\" | msiexec.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95D2226EC80681038BB696DB42A1DC5E\Language = "1033" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\,,x86,14.0,bundle\Dependents | vc2017redist_x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_x86,v14 | vc2017redist_x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95D2226EC80681038BB696DB42A1DC5E\Servicing_Key | msiexec.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\7\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\D04BB691875110D32B98EBCF771AA1E1\VC_RED_enu_x86_net_SETUP | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\,,x86,14.0,bundle\ = "{c239cea1-d49e-4e16-8e87-8c055765f7ec}" | vc2017redist_x86.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\95D2226EC80681038BB696DB42A1DC5E\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 | nipperstudio.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D04BB691875110D32B98EBCF771AA1E1\ProductName = "Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319" | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{C6CDA568-CD91-3CA0-9EDE-DAD98A13D6E1}v14.10.25008\\packages\\vcRuntimeMinimum_x86\\" | msiexec.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\865ADC6C19DC0AC3E9EDAD9DA8316D1E\SourceList\Media | msiexec.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\95D2226EC80681038BB696DB42A1DC5E\Provider | msiexec.exe
Suspicious behavior: AddClipboardFormatListener 2 IoCs
Processes:
nipperstudio.exe, nipperstudio.exe
pid | process
3648 | nipperstudio.exe
704 | nipperstudio.exe
Suspicious behavior: EnumeratesProcesses 30 IoCs
Processes:
Setup.exe, msiexec.exe, msiexec.exe, NSkeygen.exe, nipperstudio.exe, QtWebEngineProcess.exe, nipperstudio.exe, QtWebEngineProcess.exe
pid | process
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
3908 | Setup.exe
2064 | msiexec.exe
2064 | msiexec.exe
2936 | msiexec.exe
2936 | msiexec.exe
2936 | msiexec.exe
2936 | msiexec.exe
860 | NSkeygen.exe
860 | NSkeygen.exe
860 | NSkeygen.exe
860 | NSkeygen.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
4072 | QtWebEngineProcess.exe
4072 | QtWebEngineProcess.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
2000 | QtWebEngineProcess.exe
2000 | QtWebEngineProcess.exe
Suspicious behavior: GetForegroundWindowSpam 2 IoCs
Processes:
nipperstudio.exe, OpenWith.exe
pid | process
3648 | nipperstudio.exe
2580 | OpenWith.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
Setup.exe, msiexec.exe
description | pid | process
Token: SeShutdownPrivilege | 3908 | Setup.exe
Token: SeIncreaseQuotaPrivilege | 3908 | Setup.exe
Token: SeSecurityPrivilege | 2064 | msiexec.exe
Token: SeCreateTokenPrivilege | 3908 | Setup.exe
Token: SeAssignPrimaryTokenPrivilege | 3908 | Setup.exe
Token: SeLockMemoryPrivilege | 3908 | Setup.exe
Token: SeIncreaseQuotaPrivilege | 3908 | Setup.exe
Token: SeMachineAccountPrivilege | 3908 | Setup.exe
Token: SeTcbPrivilege | 3908 | Setup.exe
Token: SeSecurityPrivilege | 3908 | Setup.exe
Token: SeTakeOwnershipPrivilege | 3908 | Setup.exe
Token: SeLoadDriverPrivilege | 3908 | Setup.exe
Token: SeSystemProfilePrivilege | 3908 | Setup.exe
Token: SeSystemtimePrivilege | 3908 | Setup.exe
Token: SeProfSingleProcessPrivilege | 3908 | Setup.exe
Token: SeIncBasePriorityPrivilege | 3908 | Setup.exe
Token: SeCreatePagefilePrivilege | 3908 | Setup.exe
Token: SeCreatePermanentPrivilege | 3908 | Setup.exe
Token: SeBackupPrivilege | 3908 | Setup.exe
Token: SeRestorePrivilege | 3908 | Setup.exe
Token: SeShutdownPrivilege | 3908 | Setup.exe
Token: SeDebugPrivilege | 3908 | Setup.exe
Token: SeAuditPrivilege | 3908 | Setup.exe
Token: SeSystemEnvironmentPrivilege | 3908 | Setup.exe
Token: SeChangeNotifyPrivilege | 3908 | Setup.exe
Token: SeRemoteShutdownPrivilege | 3908 | Setup.exe
Token: SeUndockPrivilege | 3908 | Setup.exe
Token: SeSyncAgentPrivilege | 3908 | Setup.exe
Token: SeEnableDelegationPrivilege | 3908 | Setup.exe
Token: SeManageVolumePrivilege | 3908 | Setup.exe
Token: SeImpersonatePrivilege | 3908 | Setup.exe
Token: SeCreateGlobalPrivilege | 3908 | Setup.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Token: SeRestorePrivilege | 2064 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 2064 | msiexec.exe
Suspicious use of FindShellTrayWindow 12 IoCs
Processes:
nipperstudio.exe, nipperstudio.exe
pid | process
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
Suspicious use of SendNotifyMessage 8 IoCs
Processes:
nipperstudio.exe, nipperstudio.exe
pid | process
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
Suspicious use of SetWindowsHookEx 49 IoCs
Processes:
NSkeygen.exe, nipperstudio.exe, OpenWith.exe, nipperstudio.exe
pid | process
860 | NSkeygen.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
2580 | OpenWith.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
3648 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
704 | nipperstudio.exe
Suspicious use of WriteProcessMemory 50 IoCs
Processes:
nipperstudio-2.9.1-win64.exe, vc2010redist_x86.exe, vc2013redist_x64.exe, vc2017redist_x86.exe, vc2017redist_x64.exe, rm-update-nipper.exe, cmd.exe, nipperstudio.exe, cmd.exe, OpenWith.exe, nipperstudio.exe, cmd.exe
description | pid | process | target process
PID 804 wrote to memory of 2300 | 804 | nipperstudio-2.9.1-win64.exe | vc2010redist_x86.exe
PID 804 wrote to memory of 2300 | 804 | nipperstudio-2.9.1-win64.exe | vc2010redist_x86.exe
PID 804 wrote to memory of 2300 | 804 | nipperstudio-2.9.1-win64.exe | vc2010redist_x86.exe
PID 2300 wrote to memory of 3908 | 2300 | vc2010redist_x86.exe | Setup.exe
PID 2300 wrote to memory of 3908 | 2300 | vc2010redist_x86.exe | Setup.exe
PID 2300 wrote to memory of 3908 | 2300 | vc2010redist_x86.exe | Setup.exe
PID 804 wrote to memory of 3180 | 804 | nipperstudio-2.9.1-win64.exe | vc2013redist_x64.exe
PID 804 wrote to memory of 3180 | 804 | nipperstudio-2.9.1-win64.exe | vc2013redist_x64.exe
PID 804 wrote to memory of 3180 | 804 | nipperstudio-2.9.1-win64.exe | vc2013redist_x64.exe
PID 3180 wrote to memory of 3184 | 3180 | vc2013redist_x64.exe | vc2013redist_x64.exe
PID 3180 wrote to memory of 3184 | 3180 | vc2013redist_x64.exe | vc2013redist_x64.exe
PID 3180 wrote to memory of 3184 | 3180 | vc2013redist_x64.exe | vc2013redist_x64.exe
PID 804 wrote to memory of 2060 | 804 | nipperstudio-2.9.1-win64.exe | vc2017redist_x86.exe
PID 804 wrote to memory of 2060 | 804 | nipperstudio-2.9.1-win64.exe | vc2017redist_x86.exe
PID 804 wrote to memory of 2060 | 804 | nipperstudio-2.9.1-win64.exe | vc2017redist_x86.exe
PID 2060 wrote to memory of 1340 | 2060 | vc2017redist_x86.exe | vc2017redist_x86.exe
PID 2060 wrote to memory of 1340 | 2060 | vc2017redist_x86.exe | vc2017redist_x86.exe
PID 2060 wrote to memory of 1340 | 2060 | vc2017redist_x86.exe | vc2017redist_x86.exe
PID 804 wrote to memory of 3968 | 804 | nipperstudio-2.9.1-win64.exe | vc2017redist_x64.exe
PID 804 wrote to memory of 3968 | 804 | nipperstudio-2.9.1-win64.exe | vc2017redist_x64.exe
PID 804 wrote to memory of 3968 | 804 | nipperstudio-2.9.1-win64.exe | vc2017redist_x64.exe
PID 3968 wrote to memory of 3160 | 3968 | vc2017redist_x64.exe | vc2017redist_x64.exe
PID 3968 wrote to memory of 3160 | 3968 | vc2017redist_x64.exe | vc2017redist_x64.exe
PID 3968 wrote to memory of 3160 | 3968 | vc2017redist_x64.exe | vc2017redist_x64.exe
PID 804 wrote to memory of 3836 | 804 | nipperstudio-2.9.1-win64.exe | rm-update-nipper.exe
PID 804 wrote to memory of 3836 | 804 | nipperstudio-2.9.1-win64.exe | rm-update-nipper.exe
PID 3836 wrote to memory of 4040 | 3836 | rm-update-nipper.exe | cmd.exe
PID 3836 wrote to memory of 4040 | 3836 | rm-update-nipper.exe | cmd.exe
PID 4040 wrote to memory of 1492 | 4040 | cmd.exe | icacls.exe
PID 4040 wrote to memory of 1492 | 4040 | cmd.exe | icacls.exe
PID 804 wrote to memory of 200 | 804 | nipperstudio-2.9.1-win64.exe | icacls.exe
PID 804 wrote to memory of 200 | 804 | nipperstudio-2.9.1-win64.exe | icacls.exe
PID 804 wrote to memory of 200 | 804 | nipperstudio-2.9.1-win64.exe | icacls.exe
PID 804 wrote to memory of 2816 | 804 | nipperstudio-2.9.1-win64.exe | sc.exe
PID 804 wrote to memory of 2816 | 804 | nipperstudio-2.9.1-win64.exe | sc.exe
PID 804 wrote to memory of 2816 | 804 | nipperstudio-2.9.1-win64.exe | sc.exe
PID 3648 wrote to memory of 3140 | 3648 | nipperstudio.exe | cmd.exe
PID 3648 wrote to memory of 3140 | 3648 | nipperstudio.exe | cmd.exe
PID 3140 wrote to memory of 2216 | 3140 | cmd.exe | icacls.exe
PID 3140 wrote to memory of 2216 | 3140 | cmd.exe | icacls.exe
PID 2580 wrote to memory of 1308 | 2580 | OpenWith.exe | NOTEPAD.EXE
PID 2580 wrote to memory of 1308 | 2580 | OpenWith.exe | NOTEPAD.EXE
PID 3648 wrote to memory of 4072 | 3648 | nipperstudio.exe | QtWebEngineProcess.exe
PID 3648 wrote to memory of 4072 | 3648 | nipperstudio.exe | QtWebEngineProcess.exe
PID 704 wrote to memory of 3144 | 704 | nipperstudio.exe | cmd.exe
PID 704 wrote to memory of 3144 | 704 | nipperstudio.exe | cmd.exe
PID 3144 wrote to memory of 1088 | 3144 | cmd.exe | icacls.exe
PID 3144 wrote to memory of 1088 | 3144 | cmd.exe | icacls.exe
PID 704 wrote to memory of 2000 | 704 | nipperstudio.exe | QtWebEngineProcess.exe
PID 704 wrote to memory of 2000 | 704 | nipperstudio.exe | QtWebEngineProcess.exe
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\NS\nipperstudio-2.9.1-win64.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NS\nipperstudio-2.9.1-win64.exe"
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 804
Level 2: C:\Program Files\NipperStudio\vc2010redist_x86.exe
Command line: "C:\Program Files\NipperStudio\vc2010redist_x86.exe" /q
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 2300
Level 3: \??\c:\fd1930c243832266cf9759ad9ba9\Setup.exe
Command line: c:\fd1930c243832266cf9759ad9ba9\Setup.exe /q
- Executes dropped EXE
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 3908
Level 2: C:\Program Files\NipperStudio\vc2013redist_x64.exe
Command line: "C:\Program Files\NipperStudio\vc2013redist_x64.exe" /q
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 3180
Level 3: C:\Program Files\NipperStudio\vc2013redist_x64.exe
Command line: "C:\Program Files\NipperStudio\vc2013redist_x64.exe" /q -burn.unelevated BurnPipe.{E01D408F-0D60-4949-94A4-919BBE4209E0} {09E0D8B0-9177-4F0A-9493-02A5F039A810} 3180
- Executes dropped EXE
- Loads dropped DLL
PID: 3184
Level 2: C:\Program Files\NipperStudio\vc2017redist_x86.exe
Command line: "C:\Program Files\NipperStudio\vc2017redist_x86.exe" /q /norestart
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID: 2060
Level 3: C:\Program Files\NipperStudio\vc2017redist_x86.exe
Command line: "C:\Program Files\NipperStudio\vc2017redist_x86.exe" /q /norestart -burn.unelevated BurnPipe.{1640E446-A434-471B-A2E7-51A07365E153} {C35F7838-0A39-44AC-8BF2-CAA88A3AC0F7} 2060
- Executes dropped EXE
- Loads dropped DLL
PID: 1340
Level 2: C:\Program Files\NipperStudio\vc2017redist_x64.exe
Command line: "C:\Program Files\NipperStudio\vc2017redist_x64.exe" /q /norestart
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID: 3968
Level 3: C:\Program Files\NipperStudio\vc2017redist_x64.exe
Command line: "C:\Program Files\NipperStudio\vc2017redist_x64.exe" /q /norestart -burn.unelevated BurnPipe.{0481ABE9-5296-4026-981F-969191B99A93} {6777DD01-1CD4-4E78-AFEB-0A5A18A3C9FE} 3968
- Executes dropped EXE
- Loads dropped DLL
PID: 3160
Level 2: C:\Program Files\NipperStudio\rm-update-nipper.exe
Command line: "C:\Program Files\NipperStudio\rm-update-nipper.exe" --organization="Titania" --application="Nipper" --update-db="C:\Program Files\NipperStudio/2.9.1/resources/rmdb.xml" --default-db="C:\Program Files\NipperStudio/resources/rmdb.xml" /q
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID: 3836
Level 3: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hp3836.bat" "
- Suspicious use of WriteProcessMemory
PID: 4040
Level 4: C:\Windows\system32\icacls.exe
Command line: icacls C:/Program Files/NipperStudio/resources/rmdb.xml /grant "everyone":M
- Modifies file permissions
PID: 1492
Level 2: C:\Windows\SysWOW64\icacls.exe
Command line: icacls "C:\Program Files\NipperStudio\resources\rmdb.xml" /grant "everyone":M
- Modifies file permissions
PID: 200
Level 2: C:\Windows\SysWOW64\sc.exe
Command line: sc start nipperd
PID: 2816
-
Level 1: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID: 2064
-
Level 1: C:\Windows\system32\vssvc.exe
Command line: C:\Windows\system32\vssvc.exe
PID: 2820
-
Level 1: \??\c:\windows\system32\svchost.exe
Command line: c:\windows\system32\svchost.exe -k netsvcs -s DsmSvc
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID: 68
-
Level 1: C:\Windows\system32\srtasks.exe
Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
PID: 2192
-
Level 1: C:\Windows\system32\msiexec.exe
Command line: C:\Windows\system32\msiexec.exe /V
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID: 2936
-
Level 1: C:\Windows\System32\rundll32.exe
Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
PID: 2444
-
Level 1: C:\Users\Admin\AppData\Local\Temp\NS\NSkeygen.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\NS\NSkeygen.exe"
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID: 860
-
Level 1: C:\Program Files\NipperStudio\nipperstudio.exe
Command line: "C:\Program Files\NipperStudio\nipperstudio.exe"
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 3648
Level 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hp3648.bat" "
- Suspicious use of WriteProcessMemory
PID: 3140
Level 3: C:\Windows\system32\icacls.exe
Command line: icacls C:/Program Files/NipperStudio/resources/rmdb.xml /grant "everyone":M
- Modifies file permissions
PID: 2216
Level 2: C:\Program Files\NipperStudio\QtWebEngineProcess.exe
Command line: "C:\Program Files\NipperStudio\QtWebEngineProcess.exe" --type=renderer --disable-accelerated-video-decode --disable-gpu-memory-buffer-video-frames --disable-shared-workers --enable-threaded-compositing --no-sandbox --disable-webrtc-hw-encoding --primordial-pipe-token=FC6FA902F0A57B4B6E9CB68B84F581BF --lang=en-US --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553 --disable-gpu-compositing --service-request-channel-token=FC6FA902F0A57B4B6E9CB68B84F581BF --renderer-client-id=2 --mojo-platform-channel-handle=3952 /prefetch:1
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 4072
-
Level 1: C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 2580
Level 2: C:\Windows\system32\NOTEPAD.EXE
Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\activation-request.nlr
PID: 1308
-
Level 1: C:\Program Files\NipperStudio\nipperstudio.exe
Command line: "C:\Program Files\NipperStudio\nipperstudio.exe"
- Executes dropped EXE
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID: 704
Level 2: C:\Windows\system32\cmd.exe
Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qHp704.bat" "
- Suspicious use of WriteProcessMemory
PID: 3144
Level 3: C:\Windows\system32\icacls.exe
Command line: icacls C:/Program Files/NipperStudio/resources/rmdb.xml /grant "everyone":M
- Modifies file permissions
PID: 1088
Level 2: C:\Program Files\NipperStudio\QtWebEngineProcess.exe
Command line: "C:\Program Files\NipperStudio\QtWebEngineProcess.exe" --type=renderer --disable-accelerated-video-decode --disable-gpu-memory-buffer-video-frames --disable-shared-workers --enable-threaded-compositing --no-sandbox --disable-webrtc-hw-encoding --primordial-pipe-token=F984D71E6727813281B7467B615D2315 --lang=en-US --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553 --disable-gpu-compositing --service-request-channel-token=F984D71E6727813281B7467B615D2315 --renderer-client-id=2 --mojo-platform-channel-handle=2600 /prefetch:1
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID: 2000
Network
MITRE ATT&CK Enterprise v6
Downloads
-
C:\Program Files\NipperStudio\Qt5Core.dll
MD5 ff43b6a4dbf7fecc9d32eb4dfdd42215
SHA1 deaad82b91053f5b52f6ce705da4c298971af73f
SHA256 37ca27b0220ed0552e729c0f696b1fc3c8f8814b9e6058994fd47c5675d6a673
SHA512 c735986ed9432295500b5b5e1fddfa715938ae515c787e3df7c5211333305507048999b54f46b274c8dec1c4cbd1e082589ab528084fafa3249cb2ddb42e805d
-
C:\Program Files\NipperStudio\Qt5Network.dll
MD5 9baa9f1cb975feff2d728886fc183680
SHA1 13080536a05a8b2a869b2ae8a7ce7536c7c8e1e7
SHA256 a70f61d11ffec1312cd8e13523ff5746d876e3daf306a2125c6cc08a67235cae
SHA512 e7d5e560cc45281fd21466137e2c1d12c43fa84d3db0d8c55cc73e82fef7f1a03e953019b9868063bb8717ff4d6b84ccc6ac016696634ce5d1cd1a4a1edb31cf
-
C:\Program Files\NipperStudio\Qt5Xml.dll
MD5 a93b0e57774a62e7c25ab75f71ea6336
SHA1 0367e6c5add1dc61182abe4f9a0a59d26d524969
SHA256 3583bf1371538718a9a268e1cbc84322a473c80bdcc4c0b05120c146f1e36088
SHA512 d46b7e61b7bbd4303a4cd3f3e0273e599f4e302ab12eab1c5254c228612599661f30ff23279fb72cb850cef9d6c4bd56fcfe706b4b5e29e11b590bcb00e56be5
-
C:\Program Files\NipperStudio\libtitania.dll
MD5 8a48536dc53159139703851e35814744
SHA1 443f533b92c33e5236ea7193e1061aa98dcc089c
SHA256 5c720214e009ae40dbc3d074fea1d6ee304acdbdbc2694cf16e1a2457f12acda
SHA512 0dc1ce729a1a2fcb8760cda6a343d4c7ee7b464f9197d2fe99e89f25c7d9fca93aad27e62cace25a85c8ede0aef4a0644b45ed723f4363891656774d57b03e6f
-
C:\Program Files\NipperStudio\rm-update-nipper.exe
MD5 40e4ba5a127ed8a217fd4a2adafdbc3c
SHA1 19ea39244c83294c07f69a8b10e4339b0132f451
SHA256 547004c170e4ba56c55bd652de45935521164c97895edd9fcdd703d4f463f63c
SHA512 d6f32229d88a55ace7e8258bb3116c70e23b3a7314eefb3abf77ecdbe3aa901fe969eb4abd04f9c13c4c8e009352d3946adfe02af5f2bab14f693f96e34e727c
-
C:\Program Files\NipperStudio\vc2010redist_x86.exe
MD5 b88228d5fef4b6dc019d69d4471f23ec
SHA1 372d9c1670343d3fb252209ba210d4dc4d67d358
SHA256 8162b2d665ca52884507ede19549e99939ce4ea4a638c537fa653539819138c8
SHA512 cdd218d211a687dde519719553748f3fb36d4ac618670986a6dadb4c45b34a9c6262ba7bab243a242f91d867b041721f22330170a74d4d0b2c354aec999dbff8
-
C:\Program Files\NipperStudio\vc2013redist_x64.exe
MD5
96b61b8e069832e6b809f24ea74567ba
SHA1
8bf41ba9eef02d30635a10433817dbb6886da5a2
SHA256
e554425243e3e8ca1cd5fe550db41e6fa58a007c74fad400274b128452f38fb8
SHA512
3a55dce14bbd455808bd939a5008b67c9c7111cab61b1339528308022e587726954f8c55a597c6974dc543964bdb6532fe433556fbeeaf9f8cb4d95f2bbffc12
-
C:\Program Files\NipperStudio\vc2017redist_x64.exe
MD5
6b83b62d7fd5354074bdffc2dd7dd6c2
SHA1
007064d974a55940838f19cd0b0e3aaf27ca06a7
SHA256
b7aa971227e2d68a82186c2c55bdca3ba5293f01528fda98925cdc0d6516062a
SHA512
4a188d78211c43c02c37053f2509a0e269a4d97d92f13f41cc90f0a25557a149874bbab55cc86554d01e269fb65460c2ad1df4164f41f565ce9ed77d4c310796
-
C:\Program Files\NipperStudio\vc2017redist_x86.exe
MD5
4c34a474900344483aab8c0db7ed884f
SHA1
ba1f7e7cace62f7c55ab948cd3b29acc4e8e2329
SHA256
4eedd7d12c83165620653a892066ad0eb53e021a0665ac54c6a8f438f73a660b
SHA512
383160a5a7bfd1a9e05081245752eceadf662f504b24cac037834a2241ba374d39e20b5ec57e15e940c731b886c2e1beb46a076993f13a9d941f47a58299f3e8
-
C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\state.rsm
MD5
ca735178c1bb5170dc51f7936e8e8b7b
SHA1
1b2795b12ee31dd9e3846efd3fb2987eb5f7cc25
SHA256
11cea7d46ad7a9f8c59f6566c329fc0652f9eec4866cd72a3e15e607309ef8e0
SHA512
d4c2594e995ed38229e732026c0f0930bc43d8e2c0f678683545632f0b078c28008c33be090a7fa4e378ca1edad0e887566dcfae9eee9c78a5ab61f66010a147
-
C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exe
MD5
e16e6d68ce1949c9721656390f47ce07
SHA1
9009cca5dc05e22f4cf0d8529a473f19b363103b
SHA256
18e6d3d96fcd39ba069c0e6ebc108881ec5bb07e29a24b0177688ce391dac526
SHA512
63a179e4db0cb7954ddc9aee9e3c7aecae9e160154243b248b94647eb8defafb7041ee291f6f880dc3ca7f298dd548e4b3cf0b650e9a7e34f34d2d2f0dd36127
-
C:\Users\Admin\AppData\Local\Temp\Microsoft Visual C++ 2010 x86 Redistributable Setup_20210417_191358742-MSI_vc_red.msi.txt
MD5
ff17b95d2eacdd3a894fbfe5cdcf8dfb
SHA1
992ff89ff0a21f48a404372e7900a20aa6e9ac53
SHA256
2276d6dbd1a2397bc500368565e455f697414c1c8df0634ba3a5ccb200d04dd2
SHA512
b22e46c6a7f41afc63b3a36b6fdb820fe07cfeb083bf259fe2a7e95058d6e3821413091b2cc94a9fffb8b4e1808d8d7a3734583f87adfdeb9ef237e39850cc47
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20210417191424_000_vcRuntimeMinimum_x86.log
MD5
c8aecad622ba3d2e8aff64c82eaa30f1
SHA1
d9c5c3766f64819bbd584ae74c70fce4880c913d
SHA256
a04608d5ba931f72ed727b5791aef5d00034317fe9edc2bc99cc5ceb3757817c
SHA512
b2a3289cbcdf556d851d08e1c62474525d4a03c3f09d2140adba04902d0ddbceee0dece84db569f9411568797e88d7c0bb5df120f95723136349585fd33b6255
-
C:\Users\Admin\AppData\Local\Temp\dd_vcredist_x86_20210417191424_001_vcRuntimeAdditional_x86.log
MD5
e546f6022f1087d8b101acf930ac193b
SHA1
638d1d79419bed88f62f24b01657e810d5e30c41
SHA256
879f2e7c3ad805c986fc35a32af9cf58dab1164a12709c38666a844c4aba3b43
SHA512
7624e98de3f541488704307912dd93c9e3767b5f863c37f13c10c52545f44fa8160507744fbf843615d8396aee7d2680a4c4e539a4624bd38139983155219d16
-
C:\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.be\vcredist_x64.exe
MD5
e16e6d68ce1949c9721656390f47ce07
SHA1
9009cca5dc05e22f4cf0d8529a473f19b363103b
SHA256
18e6d3d96fcd39ba069c0e6ebc108881ec5bb07e29a24b0177688ce391dac526
SHA512
63a179e4db0cb7954ddc9aee9e3c7aecae9e160154243b248b94647eb8defafb7041ee291f6f880dc3ca7f298dd548e4b3cf0b650e9a7e34f34d2d2f0dd36127
-
C:\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\.be\VC_redist.x86.exe
MD5
80c132947ca8c65408509a2a53dc0474
SHA1
92ca544a39274f4ab2248856bf0da523ac5e1913
SHA256
be2d9b00798b5cae43cb31df29223de5c3fe1d2bc9249a5af38d0a00a97123a8
SHA512
7150f2cb36bc1457d3a526a8c6b7a606689ba34de1e913d87915daa24806855e3cbb00ac75116913ed16443b5143c6146b4e961cedfac2478cd7da8ec2ae3d97
-
C:\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\cab54A5CABBE7274D8A22EB58060AAB7623
MD5
dbe99ce19fd1d96e61855978550b052e
SHA1
cacd4d2a1990d28817cf864f892c03c2bef5c0c2
SHA256
d2fe9491aa5a63d839245fd34b101580d436c7d678c1b12ca9e40ac726f4c84b
SHA512
6586279ebe12d3c630d8fe5d048650f03b7920ccdbdbec96608b1574a19dc2d157618c983d03c4b289760c6925c75c6af42da5c7b06820167daaee249a136105
-
C:\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\cabB3E1576D1FEFBB979E13B1A5379E0B16
MD5
905d8b9b3bdded6591ce0d077fe361fd
SHA1
c088122ecc2ea64deefba294dd7fe4c735ea06a0
SHA256
f4c70d6263722c79aca5bcedf7fbb7aabb5cbbfdae6f06056fdda00f50b9a9dd
SHA512
19c139e7a03b908eabbe3c6de252423ad547ed191b67dd4105184569d8ca2bc9cf89e10def0b911d2e35431b6a0a0f1633da4e8131e78a3d856957f5a97fad9d
-
C:\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\vcRuntimeAdditional_x86
MD5
65b4359a0b67244fa4fb781da3f7b0e9
SHA1
afc2875b0f4929a972a297b13c4486665cef962c
SHA256
d85e9cc5888fb87775d04393e53d4e9f5134f544f809d8e9306547e7eca9bc47
SHA512
2e7d168f7f73ef7e67912ee2fbf8c7a383c531a5f453bb407e51bd87d4e981e68f9984746403cf0268cdeb7e5a69a14f5792aedb2c93c807c5850bf15e1f25fe
-
C:\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\vcRuntimeMinimum_x86
MD5
222277b9db9011d0253f618c21a35738
SHA1
f3e6399829bfbde282e683309178a1f788cb8d74
SHA256
216517f2b80a6e4b5cbc663dd3995f64db16dee3f0599cc99d38ffb6cb33ad0a
SHA512
ec6c393049c0ff5cf1e980174cbcd0bc14d1dbc0395ab32c2638004b32b23e56dac8f7ed035e30172c36568427a756030a883e406c62b7797b2a52ba25e01765
-
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log
MD5
e55a6c3142ca87afb7414d8012af6e83
SHA1
456118b54bfa36d1016bc9b2c1372fb2b6241cdf
SHA256
6c534e47e322e87d913cb501d9ae3ece79319b4b988b98ee6e0a9841039e5081
SHA512
983c809269c1f4f4b81e505fa9b28099feca1d355d457cee07f0ba7b26a3dcc53f2b59cce3ae11dd0e74ec087c1d82bbe44280a7616c6e8f2a7ea6041168c6af
-
C:\fd1930c243832266cf9759ad9ba9\Setup.exe
MD5
006f8a615020a4a17f5e63801485df46
SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76
-
\??\c:\fd1930c243832266cf9759ad9ba9\1028\LocalizedData.xml
MD5
7fc06a77d9aafca9fb19fafa0f919100
SHA1
e565740e7d582cd73f8d3b12de2f4579ff18bb41
SHA256
a27f809211ea1a2d5224cd01101aa3a59bf7853168e45de28a16ef7ed6acd46a
SHA512
466dcc6a5fb015be1619f5725fa62ca46eb0fb428e11f93fd9d82e5df61c3950b3fb62d4db7746cc4a2be199e5e69eaa30b6f3354e0017cfa14d127fad52f8cf
-
\??\c:\fd1930c243832266cf9759ad9ba9\1031\LocalizedData.xml
MD5
b83c3803712e61811c438f6e98790369
SHA1
61a0bc59388786ced045acd82621bee8578cae5a
SHA256
2aa6e8d402e44d9ee895b18195f46bf90259de1b6f44efd46a7075b110f2dcd6
SHA512
e020f93e3a082476087e690ad051f1feb210e0915924bb4548cc9f53a7ee2760211890eb6036ce9e5e4a311abc0300e89e25efbbb894c2a621ffbc9d64cc8a38
-
\??\c:\fd1930c243832266cf9759ad9ba9\1033\LocalizedData.xml
MD5
d642e322d1e8b739510ca540f8e779f9
SHA1
36279c76d9f34c09ebddc84fd33fcc7d4b9a896c
SHA256
5d90345ff74e177f6da8fb6459c1cfcac080e698215ca75feb130d0d1f2a76b9
SHA512
e1e16ae14bc7cc1608e1a08d3c92b6d0518b5fabd27f2c0eb514c87afc3d6192bf7a793a583afc65f1899f03dc419263b29174456e1ec9ab0f0110e0258e0f0d
-
\??\c:\fd1930c243832266cf9759ad9ba9\1036\LocalizedData.xml
MD5
e382abc19294f779d2833287242e7bc6
SHA1
1ceae32d6b24a3832f9244f5791382865b668a72
SHA256
43f913ff28d677316f560a0f45221f35f27cfaf5fc5bd645974a82dca589edbf
SHA512
06054c8048cade36a3af54f9a07fd8fa5eb4f3228790996d2abea7ee1ee7eb563d46bd54ff97441f9610e778194082c44e66c5f566c9c50a042aba9eb9cae25e
-
\??\c:\fd1930c243832266cf9759ad9ba9\1040\LocalizedData.xml
MD5
0af948fe4142e34092f9dd47a4b8c275
SHA1
b3d6dd5c126280398d9055f90e2c2c26dbae4eaa
SHA256
c4c7c0ddaa6d6a3a1dc260e9c5a24bdfaa98c427c69e8a65427dd7cac0a4b248
SHA512
d97b5fe2553ca78a3019d53e33d2db80c9fa1cf1d8d2501d9ddf0576c7e6ea38dab754fe4712123abf34b97e10b18fb4bbd1c76d3dacb87b4682e501f93423d9
-
\??\c:\fd1930c243832266cf9759ad9ba9\1041\LocalizedData.xml
MD5
7fcfbc308b0c42dcbd8365ba62bada05
SHA1
18a0f0e89b36818c94de0ad795cc593d0e3e29a9
SHA256
01e7d24dd8e00b5c333e96d1bb83813e02e96f89aad0c2f28f84551d28abbbe2
SHA512
cd6f912a037e86d9e1982c73f0f8b3c4d5a9a6b5b108a7b89a46e6691e430a7cb55718de9a0c05650bb194c8d4a2e309ad6221d638cfca8e16aa5920881ba649
-
\??\c:\fd1930c243832266cf9759ad9ba9\1042\LocalizedData.xml
MD5
71dfd70ae141f1d5c1366cb661b354b2
SHA1
c4b22590e6f6dd5d39e5158b831ae217ce17a776
SHA256
cccda55294aeb4af166a8c0449bca2189ddf5aa9a43d5e939dd3803e61738331
SHA512
5000d62f3de41c3fb0ed8a8e9c37dbf4eb427c4f1e3ad3823d4716c6fe62250bac11b7987a302b8a45d91aabcf332457f7aff7d99f15edeffe540639e9440e8a
-
\??\c:\fd1930c243832266cf9759ad9ba9\1049\LocalizedData.xml
MD5
0eeb554d0b9f9fcdb22401e2532e9cd0
SHA1
08799520b72a1ef92ac5b94a33509d1eddf6caf8
SHA256
beef0631c17a4fb1ff0b625c50c6cb6c8ce90a1ae62c5e60e14bf3d915ad509c
SHA512
2180e46a5a2ea1f59c879b729806ca02a232c66660f29c338c1fa7fbee2afa4b13d8777d1f7b63cf831eb42f3e55282d70aa8e53f40616b8a6e4d695c36e313d
-
\??\c:\fd1930c243832266cf9759ad9ba9\2052\LocalizedData.xml
MD5
52b1dc12ce4153aa759fb3bbe04d01fc
SHA1
bf21f8591c473d1fce68a9faf1e5942f486f6eba
SHA256
d1735c8cfd8e10ba019d70818c19fa865e7c72f30ab6421a3748408f85fb96c3
SHA512
418903ae9a7baebf73d055e4774ff1917fbaab9ee7ed8c120c34bb10e7303f6dd7b7dae701596d4626387a30ae1b4d329a9af49b8718b360e2ff619c56c19623
-
\??\c:\fd1930c243832266cf9759ad9ba9\3082\LocalizedData.xml
MD5
5397a12d466d55d566b4209e0e4f92d3
SHA1
fcffd8961fb487995543fc173521fdf5df6e243b
SHA256
f124d318138ff084b6484deb354cca0f72296e1341bf01169792b3e060c89e89
SHA512
7708f5a2ad3e4c90c4c216600435af87a1557f60caf880a3dd9b5f482e17399af9f0b9de03ff1dbdd210583e0fec5b466e35794ac24d6d37f9bbc094e52fc77b
-
\??\c:\fd1930c243832266cf9759ad9ba9\DHTMLHeader.html
MD5
cd131d41791a543cc6f6ed1ea5bd257c
SHA1
f42a2708a0b42a13530d26515274d1fcdbfe8490
SHA256
e139af8858fe90127095ac1c4685bcd849437ef0df7c416033554703f5d864bb
SHA512
a6ee9af8f8c2c7acd58dd3c42b8d70c55202b382ffc5a93772af7bf7d7740c1162bb6d38a4307b1802294a18eb52032d410e128072af7d4f9d54f415be020c9a
-
\??\c:\fd1930c243832266cf9759ad9ba9\ParameterInfo.xml
MD5
66590f13f4c9ba563a9180bdf25a5b80
SHA1
d6d9146faeec7824b8a09dd6978e5921cc151906
SHA256
bf787b8c697ce418f9d4c07260f56d1145ca70db1cc4b1321d37840837621e8f
SHA512
aba67c66c2f3d9b3c9d71d64511895f15f696be8be0eedd2d6908e1203c4b0cf318b366f9f3cd9c3b3b8c0770462f83e6eea73e304c43f88d0cbedf69e7c92b3
-
\??\c:\fd1930c243832266cf9759ad9ba9\Setup.exe
MD5
006f8a615020a4a17f5e63801485df46
SHA1
78c82a80ebf9c8bf0c996dd8bc26087679f77fea
SHA256
d273460aa4d42f0b5764383e2ab852ab9af6fecb3ed866f1783869f2f155d8be
SHA512
c603ed6f3611eb7049a43a190ed223445a9f7bd5651100a825917198b50c70011e950fa968d3019439afa0a416752517b1c181ee9445e02da3904f4e4b73ce76
-
\??\c:\fd1930c243832266cf9759ad9ba9\SetupEngine.dll
MD5
84c1daf5f30ff99895ecab3a55354bcf
SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3
-
\??\c:\fd1930c243832266cf9759ad9ba9\UiInfo.xml
MD5
812f8d2e53f076366fa3a214bb4cf558
SHA1
35ae734cfb99bb139906b5f4e8efbf950762f6f0
SHA256
0d36a884a8381778bea71f5f9f0fc60cacadebd3f814679cb13414b8e7dbc283
SHA512
1dcc3ef8c390ca49fbcd50c02accd8cc5700db3594428e2129f79feb81e4cbbeef1b4a10628b2cd66edf31a69ed39ca2f4e252ad8aa13d2f793fca5b9a1eaf23
-
\??\c:\fd1930c243832266cf9759ad9ba9\sqmapi.dll
MD5
3f0363b40376047eff6a9b97d633b750
SHA1
4eaf6650eca5ce931ee771181b04263c536a948b
SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8
-
\??\c:\fd1930c243832266cf9759ad9ba9\vc_red.cab
MD5
6c59fecf51931fb4540e571ae0310098
SHA1
db5b0e9f7d20d2b1ccd61320ecca7a60e118619b
SHA256
08e4d5bad48c0203fdf02fdc28794f820dfb1d4480bdcac562e7bc6e15ffaad3
SHA512
d9cc7c6ef54105c981aacaafde890019af766b53417e765fa7636c3b8a4400ce6f987ccef1a54b4521412a8e45c011476c065cebc892688aeed1b027e3e761ba
-
\??\c:\fd1930c243832266cf9759ad9ba9\vc_red.msi
MD5
cd2b99bb86ba6a499110c72b78b9324e
SHA1
7a288418b36e681093b33dc169e4d27c2ee33edd
SHA256
41f6b61e0c070c86e32d8777629dfc8e860848865fefa0ba7d69e9fef0a3b174
SHA512
17174b8f0186f05be1e20215aafd64797ec4f831a0d3e0e97ade3f0a25cb6f78d1d8bf568dfea1b2de2add3a9d64aaa5b4319f7927301d5d73bbab1b0eaae3d5
-
\Program Files\NipperStudio\Qt5Core.dll
MD5
ff43b6a4dbf7fecc9d32eb4dfdd42215
SHA1
deaad82b91053f5b52f6ce705da4c298971af73f
SHA256
37ca27b0220ed0552e729c0f696b1fc3c8f8814b9e6058994fd47c5675d6a673
SHA512
c735986ed9432295500b5b5e1fddfa715938ae515c787e3df7c5211333305507048999b54f46b274c8dec1c4cbd1e082589ab528084fafa3249cb2ddb42e805d
-
\Program Files\NipperStudio\Qt5Network.dll
MD5
9baa9f1cb975feff2d728886fc183680
SHA1
13080536a05a8b2a869b2ae8a7ce7536c7c8e1e7
SHA256
a70f61d11ffec1312cd8e13523ff5746d876e3daf306a2125c6cc08a67235cae
SHA512
e7d5e560cc45281fd21466137e2c1d12c43fa84d3db0d8c55cc73e82fef7f1a03e953019b9868063bb8717ff4d6b84ccc6ac016696634ce5d1cd1a4a1edb31cf
-
\Program Files\NipperStudio\libtitania.dll
MD5
8a48536dc53159139703851e35814744
SHA1
443f533b92c33e5236ea7193e1061aa98dcc089c
SHA256
5c720214e009ae40dbc3d074fea1d6ee304acdbdbc2694cf16e1a2457f12acda
SHA512
0dc1ce729a1a2fcb8760cda6a343d4c7ee7b464f9197d2fe99e89f25c7d9fca93aad27e62cace25a85c8ede0aef4a0644b45ed723f4363891656774d57b03e6f
-
\Users\Admin\AppData\Local\Temp\nsy9AB0.tmp\InstallOptions.dll
MD5
5f35212d7e90ee622b10be39b09bd270
SHA1
c4bc9593902adf6daaef37e456dc6100d50d0925
SHA256
31944b93e44301974d9c6f810d2da792e34a53dcacd619a08cb0385ac59e513d
SHA512
7514810367f56d994c6d5703b56ac16124fab5dfdcfbe337d4413274c1ff9037a2ee623e49ab2fb6227412ab29fcc49a3ada1391910d44c2b5de0adeb3e7c2f0
-
\Users\Admin\AppData\Local\Temp\nsy9AB0.tmp\StartMenu.dll
MD5
26836307758e048d1ce0afe754d6a972
SHA1
23a8f45cf5e2ad78add3c4dd3b3cf15fffced2cc
SHA256
a6919f5f3b53a9c8c015413babe7a9872491a2583e49bb3c261e60785c3c3534
SHA512
aaf7cfbb9c6951b65bd377db401617812f1d47960a01ae99164183c642fbd8f1ce08720bc92d26b642da5433b80720dfcd96280a162decf678139966be132746
-
\Users\Admin\AppData\Local\Temp\nsy9AB0.tmp\UserInfo.dll
MD5
acbda33dd5700c122e2fe48e3d4351fd
SHA1
2c154baf7c64052ee712b7cdf9c36b7697dd3fc8
SHA256
943b33829f9013e4d361482a5c8981ba20a7155c78691dbe02a8f8cd2a02efa0
SHA512
d090adf65a74ac5b910b18bb67e989714335e7b4778cd771cff154d7186351a1bebbc7103cca849bdfa2709c991947ffff6c1d8fdf16a74f4dfb614bce3ff6fd
-
\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.ba1\wixstdba.dll
MD5
a52e5220efb60813b31a82d101a97dcb
SHA1
56e16e4df0944cb07e73a01301886644f062d79b
SHA256
e7c8e7edd9112137895820e789baaaeca41626b01fb99fede82968ddb66d02cf
SHA512
d6565ba18b5b9795d6bde3ef94d8f7cd77bf8bb69ba3fe7adefb80fc7c5d888cdfdc79238d86a0839846aea4a1e51fc0caed3d62f7054885e8b15fad9f6c654e
-
\Users\Admin\AppData\Local\Temp\{c239cea1-d49e-4e16-8e87-8c055765f7ec}\.ba1\wixstdba.dll
MD5
a973cfa4951d519e032f42dc98a198b0
SHA1
2ba0f1e1570bc2d84f9824d58e77b9192ea5dd94
SHA256
25ee85c14c9be619b4f0bf783963ace1dc0af0e802014728c2a2ca8da213d31d
SHA512
b4a8c4f08a51bdd9ce7708fe8e2477182a52f1d853954eb5af0430c2df99839b6076a7d93b00391a73d446a6ad9da3ed77ef79c8b23353d32c72fc540415b8ef
-
\Users\Admin\AppData\Local\Temp\{f1e7e313-06df-4c56-96a9-99fdfd149c51}\.ba1\wixstdba.dll
MD5
a973cfa4951d519e032f42dc98a198b0
SHA1
2ba0f1e1570bc2d84f9824d58e77b9192ea5dd94
SHA256
25ee85c14c9be619b4f0bf783963ace1dc0af0e802014728c2a2ca8da213d31d
SHA512
b4a8c4f08a51bdd9ce7708fe8e2477182a52f1d853954eb5af0430c2df99839b6076a7d93b00391a73d446a6ad9da3ed77ef79c8b23353d32c72fc540415b8ef
-
\fd1930c243832266cf9759ad9ba9\SetupEngine.dll
MD5
84c1daf5f30ff99895ecab3a55354bcf
SHA1
7e25ba36bcc7deed89f3c9568016ddb3156c9c5a
SHA256
7a0d281fa802d615ea1207bd2e9ebb98f3b74f9833bba3cb964ba7c7e0fb67fd
SHA512
e4fb7e4d39f094463fdcdc4895ab2ea500eb51a32b6909cec80a526bbf34d5c0eb98f47ee256c0f0865bf3169374937f047bf5c4d6762779c8ca3332b4103be3
-
\fd1930c243832266cf9759ad9ba9\sqmapi.dll
MD5
3f0363b40376047eff6a9b97d633b750
SHA1
4eaf6650eca5ce931ee771181b04263c536a948b
SHA256
bd6395a58f55a8b1f4063e813ce7438f695b9b086bb965d8ac44e7a97d35a93c
SHA512
537be86e2f171e0b2b9f462ac7f62c4342beb5d00b68451228f28677d26a525014758672466ad15ed1fd073be38142dae478df67718908eae9e6266359e1f9e8
-
memory/200-189-0x0000000000000000-mapping.dmp
-
memory/704-211-0x000000006BF60000-0x000000006C4BC000-memory.dmp
Filesize
5.4MB
-
memory/704-209-0x00007FF74C350000-0x00007FF74D2A0000-memory.dmp
Filesize
15.3MB
-
memory/704-210-0x00007FF9BABB0000-0x00007FF9BAF06000-memory.dmp
Filesize
3.3MB
-
memory/860-198-0x0000000000400000-0x0000000000B06000-memory.dmp
Filesize
7.0MB
-
memory/860-200-0x0000000002B30000-0x0000000002B31000-memory.dmp
Filesize
4KB
-
memory/860-192-0x0000000000B90000-0x0000000000B91000-memory.dmp
Filesize
4KB
-
memory/860-197-0x0000000001210000-0x0000000001211000-memory.dmp
Filesize
4KB
-
memory/860-196-0x0000000001200000-0x0000000001201000-memory.dmp
Filesize
4KB
-
memory/860-195-0x00000000011F0000-0x00000000011F1000-memory.dmp
Filesize
4KB
-
memory/860-194-0x00000000011E0000-0x00000000011E1000-memory.dmp
Filesize
4KB
-
memory/860-193-0x0000000000C80000-0x0000000000C81000-memory.dmp
Filesize
4KB
-
memory/860-191-0x00000000001E0000-0x00000000001E1000-memory.dmp
Filesize
4KB
-
memory/1088-213-0x0000000000000000-mapping.dmp
-
memory/1308-206-0x0000000000000000-mapping.dmp
-
memory/1340-156-0x0000000000000000-mapping.dmp
-
memory/1492-188-0x0000000000000000-mapping.dmp
-
memory/2000-215-0x00007FF9BABB0000-0x00007FF9BAF06000-memory.dmp
Filesize
3.3MB
-
memory/2000-214-0x0000000000000000-mapping.dmp
-
memory/2060-153-0x0000000000000000-mapping.dmp
-
memory/2216-205-0x0000000000000000-mapping.dmp
-
memory/2300-118-0x0000000000000000-mapping.dmp
-
memory/2816-190-0x0000000000000000-mapping.dmp
-
memory/3140-204-0x0000000000000000-mapping.dmp
-
memory/3144-212-0x0000000000000000-mapping.dmp
-
memory/3160-174-0x0000000000000000-mapping.dmp
-
memory/3180-146-0x0000000000000000-mapping.dmp
-
memory/3184-149-0x0000000000000000-mapping.dmp
-
memory/3648-201-0x00007FF74C350000-0x00007FF74D2A0000-memory.dmp
Filesize
15.3MB
-
memory/3648-202-0x000000006BF60000-0x000000006C4BC000-memory.dmp
Filesize
5.4MB
-
memory/3648-203-0x00007FF9BA870000-0x00007FF9BABC6000-memory.dmp
Filesize
3.3MB
-
memory/3836-177-0x0000000000000000-mapping.dmp
-
memory/3908-121-0x0000000000000000-mapping.dmp
-
memory/3968-171-0x0000000000000000-mapping.dmp
-
memory/4040-187-0x0000000000000000-mapping.dmp
-
memory/4072-207-0x0000000000000000-mapping.dmp
-
memory/4072-208-0x00007FF9BA870000-0x00007FF9BABC6000-memory.dmp
Filesize
3.3MB
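Turning a dropped-file listing like the one above into an indicator set is mostly a parsing and deduplication job: the same content appears under several paths (the Package Cache copy of vcredist_x64.exe and its .be staging copy carry identical hashes, as do the wixstdba.dll bundles under {c239cea1-...} and {f1e7e313-...}), and the memory dumps state a Filesize that can be cross-checked against the address range in the dump name. The Python below is an added example, not code from the report or from any sandbox vendor's tooling. It accepts both the fused layout in which this table was extracted (labels run into the path or hash) and the label-per-line layout used elsewhere on the page, rejects hash values of the wrong length, groups paths by SHA256, and checks each dump's stated size against its range. The record layouts and the memory/<pid>-<n>-<start>-<end>-memory.dmp naming are assumptions read off this page, not a documented schema; the SAMPLE excerpt is constructed for the example from records copied off this page.

```python
import re
from collections import defaultdict

# Records copied from this report. The excerpt itself is constructed for the example and
# mixes the fused layout the table was extracted in with the label-per-line layout.
SAMPLE = r"""
C:\ProgramData\Package Cache\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\vcredist_x64.exeMD5
e16e6d68ce1949c9721656390f47ce07
SHA19009cca5dc05e22f4cf0d8529a473f19b363103b
SHA25618e6d3d96fcd39ba069c0e6ebc108881ec5bb07e29a24b0177688ce391dac526
SHA51263a179e4db0cb7954ddc9aee9e3c7aecae9e160154243b248b94647eb8defafb7041ee291f6f880dc3ca7f298dd548e4b3cf0b650e9a7e34f34d2d2f0dd36127
-
C:\Users\Admin\AppData\Local\Temp\{050d4fc8-5d48-4b8f-8972-47c82c46020f}\.be\vcredist_x64.exeMD5
e16e6d68ce1949c9721656390f47ce07
SHA19009cca5dc05e22f4cf0d8529a473f19b363103b
SHA25618e6d3d96fcd39ba069c0e6ebc108881ec5bb07e29a24b0177688ce391dac526
SHA51263a179e4db0cb7954ddc9aee9e3c7aecae9e160154243b248b94647eb8defafb7041ee291f6f880dc3ca7f298dd548e4b3cf0b650e9a7e34f34d2d2f0dd36127
-
\Program Files\NipperStudio\libtitania.dll
MD5
8a48536dc53159139703851e35814744
SHA1
443f533b92c33e5236ea7193e1061aa98dcc089c
SHA256
5c720214e009ae40dbc3d074fea1d6ee304acdbdbc2694cf16e1a2457f12acda
SHA512
0dc1ce729a1a2fcb8760cda6a343d4c7ee7b464f9197d2fe99e89f25c7d9fca93aad27e62cace25a85c8ede0aef4a0644b45ed723f4363891656774d57b03e6f
-
memory/860-198-0x0000000000400000-0x0000000000B06000-memory.dmpFilesize
7.0MB
-
memory/860-200-0x0000000002B30000-0x0000000002B31000-memory.dmp
Filesize
4KB
-
memory/200-189-0x0000000000000000-mapping.dmp
"""

HASH_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
HASH_TOKEN = re.compile(r"(MD5|SHA512|SHA256|SHA1)\s*([0-9A-Fa-f]+)")  # longer labels first
MEM_LINE = re.compile(r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)"
                      r"(?:-0x(?P<end>[0-9A-Fa-f]+))?-(?P<kind>memory|mapping)\.dmp$")
SIZE_LABEL = re.compile(r"^([\d.]+)(KB|MB)$")


def split_records(text):
    """Group non-blank lines into records separated by lines holding only '-'."""
    records, current = [], []
    for line in text.splitlines():
        if line.strip() == "-":
            if current:
                records.append(current)
            current = []
        elif line.strip():
            current.append(line.strip())
    if current:
        records.append(current)
    return records

def parse_file_record(lines):
    """Return (path, {algo: hex}); labels may be fused to the path/value or on their own line."""
    path, body = lines[0], " ".join(lines[1:])
    if path.endswith("MD5"):  # fused layout: the MD5 label is stuck to the path
        path, body = path[:-3], "MD5 " + body
    hashes = {algo: value.lower() for algo, value in HASH_TOKEN.findall(body)}
    if set(hashes) != set(HASH_LEN):
        raise ValueError(f"{path}: expected {sorted(HASH_LEN)}, got {sorted(hashes)}")
    for algo, value in hashes.items():
        if len(value) != HASH_LEN[algo]:  # the extraction cut or merged a value
            raise ValueError(f"{path}: {algo} has {len(value)} hex digits")
    return path.strip(), hashes

def parse_memory_record(lines):
    """Return a dict for one memory/... entry; 'length' is computed from the address range."""
    head = re.sub(r"Filesize$", "", lines[0])
    m = MEM_LINE.match(head)
    if not m:
        raise ValueError(f"unrecognised memory entry {lines[0]!r}")
    start = int(m["start"], 16)
    end = int(m["end"], 16) if m["end"] else None
    stated = re.sub(r"^Filesize\s*", "", " ".join(lines[1:])).strip() or None
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "kind": m["kind"], "start": start,
            "end": end, "length": None if end is None else end - start, "stated_size": stated}

def size_matches(length, stated):
    """True if a byte length rounds to the report's '7.0MB' / '4KB' label (binary units)."""
    m = SIZE_LABEL.match(stated or "")
    if m is None or length is None:
        return False
    divisor = 1024 if m.group(2) == "KB" else 1024 ** 2
    return round(length / divisor, 1) == round(float(m.group(1)), 1)

def triage(text):
    """Parse a listing into (file records, {sha256: [paths]}, memory records)."""
    files, by_sha256, memory = [], defaultdict(list), []
    for record in split_records(text):
        if record[0].startswith("memory/"):
            memory.append(parse_memory_record(record))
        else:
            path, hashes = parse_file_record(record)
            files.append((path, hashes))
            by_sha256[hashes["SHA256"]].append(path)
    return files, dict(by_sha256), memory
```

Call triage(SAMPLE) and iterate by_sha256: any digest with more than one path is one artifact written to several places, so the indicator set is smaller than the row count suggests. Key the set on SHA256 rather than on the MD5 or SHA1 columns, both of which have practical collision attacks. The size check confirms that the report's MB and KB labels are binary units: the 860-198 range spans 0x706000 bytes, 7,364,608, which is 7.0 MiB (it would be 7.4 in decimal megabytes), and each 0x1000 range is exactly 4 KiB.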