Analysis
-
max time kernel
1782s -
max time network
1787s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
31-01-2023 05:31
Static task
static1
Behavioral task
behavioral1
Sample
clrjit_dump.dll
Resource
win7-20220812-en
Behavioral task
behavioral2
Sample
clrjit_dump.dll
Resource
win10v2004-20221111-en
General
-
Target
clrjit_dump.dll
-
Size
548KB
-
MD5
bb3c1b827cba1a09c708610c564be8ec
-
SHA1
ce850503d10d2710dbe25850a804e713b7373cae
-
SHA256
7c294284e335b093fedec96c754d4b2630bffa9cabe4596cbc0d8d3ff3727660
-
SHA512
393fb7a9dd03725670fe1285de765f9aaca19c10459ecc6aca75baa0c79b5c44d2a5dab8edbb07ba0ee1352fae438e7c9fb3522d6783601709c2b9cc38a8a50c
-
SSDEEP
12288:rlk72WGvN7z5DxbOhRF+61+QfcfhwTHCWcX/WtpF:raGvN7z5DxbURFH1vfcfhXVXUF
Malware Config
Signatures
-
Executes dropped EXE 8 IoCs
Processes:
VC_redist.x64.exeVC_redist.x64.exeVC_redist.x64.exeVC_redist.x64 (1).exeVC_redist.x64 (1).exeVC_redist.x64.exeNikoLoader_dump.exeNikoLoader_dump.exepid process 4888 VC_redist.x64.exe 3800 VC_redist.x64.exe 5196 VC_redist.x64.exe 5972 VC_redist.x64 (1).exe 5764 VC_redist.x64 (1).exe 1288 VC_redist.x64.exe 5788 NikoLoader_dump.exe 2080 NikoLoader_dump.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
VC_redist.x64.exeVC_redist.x64 (1).exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation VC_redist.x64.exe Key value queried \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Control Panel\International\Geo\Nation VC_redist.x64 (1).exe -
Loads dropped DLL 3 IoCs
Processes:
VC_redist.x64.exeVC_redist.x64.exeVC_redist.x64 (1).exepid process 3800 VC_redist.x64.exe 4824 VC_redist.x64.exe 5764 VC_redist.x64 (1).exe -
Adds Run key to start application 2 TTPs 6 IoCs
Processes:
VC_redist.x64.exemsedge.exeVC_redist.x64.exemsedge.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce VC_redist.x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" VC_redist.x64.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce VC_redist.x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\{d4cecf3b-b68f-4995-8840-52ea0fab646e} = "\"C:\\ProgramData\\Package Cache\\{d4cecf3b-b68f-4995-8840-52ea0fab646e}\\VC_redist.x64.exe\" /burn.runonce" VC_redist.x64.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Windows\CurrentVersion\Run msedge.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 24 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exedescription ioc process File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\W: msiexec.exe -
Drops file in System32 directory 50 IoCs
Processes:
msiexec.exedescription ioc process File created C:\Windows\system32\vcamp140.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140esn.dll msiexec.exe File created C:\Windows\system32\mfc140deu.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140chs.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140deu.dll msiexec.exe File created C:\Windows\system32\mfc140jpn.dll msiexec.exe File created C:\Windows\system32\mfc140kor.dll msiexec.exe File opened for modification C:\Windows\system32\vcamp140.dll msiexec.exe File created C:\Windows\system32\vcruntime140_1.dll msiexec.exe File opened for modification C:\Windows\system32\mfcm140u.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140jpn.dll msiexec.exe File created C:\Windows\system32\mfc140u.dll msiexec.exe File opened for modification C:\Windows\system32\msvcp140_codecvt_ids.dll msiexec.exe File opened for modification C:\Windows\system32\mfcm140.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140enu.dll msiexec.exe File opened for modification C:\Windows\system32\concrt140.dll msiexec.exe File created C:\Windows\system32\msvcp140.dll msiexec.exe File created C:\Windows\system32\vcruntime140.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140fra.dll msiexec.exe File opened for modification C:\Windows\system32\vcruntime140_1.dll msiexec.exe File opened for modification C:\Windows\system32\msvcp140_2.dll msiexec.exe File opened for modification C:\Windows\system32\msvcp140_atomic_wait.dll msiexec.exe File created C:\Windows\system32\mfc140enu.dll msiexec.exe File created C:\Windows\system32\mfc140ita.dll msiexec.exe File created C:\Windows\system32\mfcm140.dll msiexec.exe File created C:\Windows\system32\mfcm140u.dll msiexec.exe File created C:\Windows\system32\concrt140.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140rus.dll msiexec.exe File created C:\Windows\system32\mfc140rus.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140u.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140kor.dll msiexec.exe File created C:\Windows\system32\mfc140cht.dll msiexec.exe File opened for modification C:\Windows\system32\vcomp140.dll msiexec.exe File created C:\Windows\system32\msvcp140_1.dll msiexec.exe File created C:\Windows\system32\vccorlib140.dll msiexec.exe File created C:\Windows\system32\msvcp140_codecvt_ids.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140cht.dll msiexec.exe File created C:\Windows\system32\mfc140chs.dll msiexec.exe File opened for modification C:\Windows\system32\msvcp140.dll msiexec.exe File opened for modification C:\Windows\system32\msvcp140_1.dll msiexec.exe File created C:\Windows\system32\msvcp140_atomic_wait.dll msiexec.exe File created C:\Windows\system32\vcomp140.dll msiexec.exe File opened for modification C:\Windows\system32\mfc140ita.dll msiexec.exe File created C:\Windows\system32\mfc140.dll msiexec.exe File created C:\Windows\system32\mfc140esn.dll msiexec.exe File created C:\Windows\system32\mfc140fra.dll msiexec.exe File opened for modification C:\Windows\system32\vcruntime140.dll msiexec.exe File opened for modification C:\Windows\system32\vccorlib140.dll msiexec.exe File created C:\Windows\system32\msvcp140_2.dll msiexec.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
Processes:
NikoLoader.exepid process 1236 NikoLoader.exe 1236 NikoLoader.exe -
Drops file in Program Files directory 2 IoCs
Processes:
setup.exedescription ioc process File created C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e590600b-d5e3-4a52-a07b-c048f98188f0.tmp setup.exe File opened for modification C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20230131063310.pma setup.exe -
Drops file in Windows directory 17 IoCs
Processes:
msiexec.exedescription ioc process File opened for modification C:\Windows\Installer\e5930bb.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI3B2C.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI53D3.tmp msiexec.exe File created C:\Windows\Installer\e5930bb.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI3629.tmp msiexec.exe File created C:\Windows\Installer\e5930cb.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI46C5.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI4D5A.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File created C:\Windows\Installer\e5930cc.msi msiexec.exe File opened for modification C:\Windows\Installer\e5930cc.msi msiexec.exe File created C:\Windows\Installer\e5930df.msi msiexec.exe File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log msiexec.exe File created C:\Windows\Installer\inprogressinstallinfo.ipi msiexec.exe File created C:\Windows\Installer\SourceHash{CF4C347D-954E-4543-88D2-EC17F07F466F} msiexec.exe File created C:\Windows\Installer\SourceHash{EAE242B1-0A26-485A-BFEB-0292EE9F03CB} msiexec.exe File opened for modification C:\Windows\Installer\MSI4F61.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes:
WerFault.exepid pid_target process target process 1992 3616 WerFault.exe rundll32.exe -
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
vssvc.exedescription ioc process Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000005cb6ed2f2c7878f0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000005cb6ed20000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090005cb6ed2000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000005cb6ed200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters vssvc.exe -
Enumerates system info in registry 2 TTPs 6 IoCs
Processes:
msedge.exemsedge.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName msedge.exe Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS msedge.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer msedge.exe -
Modifies data under HKEY_USERS 13 IoCs
Processes:
msiexec.exedescription ioc process Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\20 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\21 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\21 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\22 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\24 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1F msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\20 msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\23 msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\23 msiexec.exe -
Modifies registry class 64 IoCs
Processes:
SuspendProcess.exemsedge.exemsiexec.exeTHEMIDA_UNPACK_x86.exeScylla_x86.exeSuspendProcess.exeVC_redist.x64.exeVC_redist.x64.exeVC_redist.x64.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 SuspendProcess.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" SuspendProcess.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings msedge.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Media\1 = ";" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1\1B242EAE62A0A584FBBE2029EEF930BC msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\LastUsedSource = "n;1;C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags THEMIDA_UNPACK_x86.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16" Scylla_x86.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0" SuspendProcess.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" Scylla_x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.34,bundle\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} VC_redist.x64.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = 0000000001000000ffffffff THEMIDA_UNPACK_x86.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ THEMIDA_UNPACK_x86.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 VC_redist.x64.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 SuspendProcess.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" SuspendProcess.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8A567BD6FA501A947AD1F646E53EEC14\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\ProductName = "Microsoft Visual C++ 2022 X64 Additional Runtime - 14.34.31931" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Language = "1033" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell THEMIDA_UNPACK_x86.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 THEMIDA_UNPACK_x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\ProductName = "Microsoft Visual C++ 2022 X64 Minimum Runtime - 14.34.31931" msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\88AAB0B9F51EF1A3CA0C2B609EDD7FC1 msiexec.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202 SuspendProcess.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Scylla_x86.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4" Scylla_x86.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\VC,redist.x64,amd64,14.30,bundle\Dependents VC_redist.x64.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7} SuspendProcess.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" SuspendProcess.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 SuspendProcess.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}" Scylla_x86.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1" SuspendProcess.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" Scylla_x86.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14\Version = "14.34.31931" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{CF4C347D-954E-4543-88D2-EC17F07F466F}v14.34.31931\\packages\\vcRuntimeMinimum_amd64\\" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\1B242EAE62A0A584FBBE2029EEF930BC\Provider msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\Version = "237141179" msiexec.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU THEMIDA_UNPACK_x86.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings SuspendProcess.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} VC_redist.x64.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0 Scylla_x86.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell SuspendProcess.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Scylla_x86.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList\Net msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D\SourceList msiexec.exe Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8800A266DCF6DD54E97A86760485EA5D msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\AdvertiseFlags = "388" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\AuthorizedLUAApp = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Dependents\{d4cecf3b-b68f-4995-8840-52ea0fab646e} VC_redist.x64.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\D743C4FCE4593454882DCE710FF764F6\Language = "1033" msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1" THEMIDA_UNPACK_x86.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU SuspendProcess.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Scylla_x86.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Net msiexec.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0" THEMIDA_UNPACK_x86.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0 SuspendProcess.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeMinimumVSU_amd64,v14 VC_redist.x64.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14\Version = "14.34.31931" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\InstanceType = "0" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\1B242EAE62A0A584FBBE2029EEF930BC\SourceList\Net\1 = "C:\\ProgramData\\Package Cache\\{EAE242B1-0A26-485A-BFEB-0292EE9F03CB}v14.34.31931\\packages\\vcRuntimeAdditional_amd64\\" msiexec.exe Key created \REGISTRY\MACHINE\Software\Classes\Installer\Dependencies\Microsoft.VS.VC_RuntimeAdditionalVSU_amd64,v14 VC_redist.x64.exe -
NTFS ADS 2 IoCs
Processes:
msedge.exemsedge.exedescription ioc process File opened for modification C:\Users\Admin\Downloads\Unconfirmed 189309.crdownload:SmartScreen msedge.exe File opened for modification C:\Users\Admin\Downloads\Unconfirmed 399339.crdownload:SmartScreen msedge.exe -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsiexec.exeTHEMIDA_UNPACK_x86.exemsedge.exemsedge.exeidentity_helper.exepid process 1544 msedge.exe 1544 msedge.exe 3888 msedge.exe 3888 msedge.exe 2304 msedge.exe 2304 msedge.exe 3156 identity_helper.exe 3156 identity_helper.exe 4888 msedge.exe 4888 msedge.exe 4024 msedge.exe 4024 msedge.exe 4024 msedge.exe 4024 msedge.exe 5940 msedge.exe 5940 msedge.exe 3916 msiexec.exe 3916 msiexec.exe 3916 msiexec.exe 3916 msiexec.exe 3916 msiexec.exe 3916 msiexec.exe 3916 msiexec.exe 3916 msiexec.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 2204 THEMIDA_UNPACK_x86.exe 4764 msedge.exe 4764 msedge.exe 1172 msedge.exe 1172 msedge.exe 5408 identity_helper.exe -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 45 IoCs
Processes:
msedge.exemsedge.exepid process 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
AUDIODG.EXEvssvc.exeVC_redist.x64.exemsiexec.exedescription pid process Token: 33 4380 AUDIODG.EXE Token: SeIncBasePriorityPrivilege 4380 AUDIODG.EXE Token: SeBackupPrivilege 5576 vssvc.exe Token: SeRestorePrivilege 5576 vssvc.exe Token: SeAuditPrivilege 5576 vssvc.exe Token: SeShutdownPrivilege 5196 VC_redist.x64.exe Token: SeIncreaseQuotaPrivilege 5196 VC_redist.x64.exe Token: SeSecurityPrivilege 3916 msiexec.exe Token: SeCreateTokenPrivilege 5196 VC_redist.x64.exe Token: SeAssignPrimaryTokenPrivilege 5196 VC_redist.x64.exe Token: SeLockMemoryPrivilege 5196 VC_redist.x64.exe Token: SeIncreaseQuotaPrivilege 5196 VC_redist.x64.exe Token: SeMachineAccountPrivilege 5196 VC_redist.x64.exe Token: SeTcbPrivilege 5196 VC_redist.x64.exe Token: SeSecurityPrivilege 5196 VC_redist.x64.exe Token: SeTakeOwnershipPrivilege 5196 VC_redist.x64.exe Token: SeLoadDriverPrivilege 5196 VC_redist.x64.exe Token: SeSystemProfilePrivilege 5196 VC_redist.x64.exe Token: SeSystemtimePrivilege 5196 VC_redist.x64.exe Token: SeProfSingleProcessPrivilege 5196 VC_redist.x64.exe Token: SeIncBasePriorityPrivilege 5196 VC_redist.x64.exe Token: SeCreatePagefilePrivilege 5196 VC_redist.x64.exe Token: SeCreatePermanentPrivilege 5196 VC_redist.x64.exe Token: SeBackupPrivilege 5196 VC_redist.x64.exe Token: SeRestorePrivilege 5196 VC_redist.x64.exe Token: SeShutdownPrivilege 5196 VC_redist.x64.exe Token: SeDebugPrivilege 5196 VC_redist.x64.exe Token: SeAuditPrivilege 5196 VC_redist.x64.exe Token: SeSystemEnvironmentPrivilege 5196 VC_redist.x64.exe Token: SeChangeNotifyPrivilege 5196 VC_redist.x64.exe Token: SeRemoteShutdownPrivilege 5196 VC_redist.x64.exe Token: SeUndockPrivilege 5196 VC_redist.x64.exe Token: SeSyncAgentPrivilege 5196 VC_redist.x64.exe Token: SeEnableDelegationPrivilege 5196 VC_redist.x64.exe Token: SeManageVolumePrivilege 5196 VC_redist.x64.exe Token: SeImpersonatePrivilege 5196 VC_redist.x64.exe Token: SeCreateGlobalPrivilege 5196 VC_redist.x64.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe Token: SeTakeOwnershipPrivilege 3916 msiexec.exe Token: SeRestorePrivilege 3916 msiexec.exe -
Suspicious use of FindShellTrayWindow 64 IoCs
Processes:
msedge.exepid process 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe -
Suspicious use of SendNotifyMessage 64 IoCs
Processes:
msedge.exemsedge.exepid process 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 2304 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe 1172 msedge.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
THEMIDA_UNPACK_x86.exeSuspendProcess.exeSuspendProcess.exeScylla_x86.exepid process 2204 THEMIDA_UNPACK_x86.exe 2736 SuspendProcess.exe 1624 SuspendProcess.exe 1448 Scylla_x86.exe -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
rundll32.exemsedge.exemsedge.exedescription pid process target process PID 4076 wrote to memory of 3616 4076 rundll32.exe rundll32.exe PID 4076 wrote to memory of 3616 4076 rundll32.exe rundll32.exe PID 4076 wrote to memory of 3616 4076 rundll32.exe rundll32.exe PID 2492 wrote to memory of 4360 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4360 2492 msedge.exe msedge.exe PID 2304 wrote to memory of 4528 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4528 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2304 wrote to memory of 4532 2304 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe PID 2492 wrote to memory of 4128 2492 msedge.exe msedge.exe
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\clrjit_dump.dll,#11⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\clrjit_dump.dll,#12⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 3616 -s 5683⤵
- Program crash
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 460 -p 3616 -ip 36161⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xf8,0x108,0x7ffbb54f46f8,0x7ffbb54f4708,0x7ffbb54f47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,4218166496536529689,14017430766982694679,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,4218166496536529689,14017430766982694679,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffbb54f46f8,0x7ffbb54f4708,0x7ffbb54f47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2304 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2228 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3664 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4052 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4436 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6056 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4140 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=6692 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5052 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7064 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7336 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6752 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7716 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7864 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7936 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings2⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x224,0x228,0x22c,0x200,0x230,0x7ff7d36e5460,0x7ff7d36e5470,0x7ff7d36e54803⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7936 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7548 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1780 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4064 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5436 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5528 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8316 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1120 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8384 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6352 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8304 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7768 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6444 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=8908 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6024 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8924 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8868 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=8908 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3092 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1980 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Users\Admin\Downloads\VC_redist.x64.exe"C:\Users\Admin\Downloads\VC_redist.x64.exe"2⤵
- Executes dropped EXE
-
C:\Windows\Temp\{16337E69-2CED-4274-8EEC-91E46FF57AD8}\.cr\VC_redist.x64.exe"C:\Windows\Temp\{16337E69-2CED-4274-8EEC-91E46FF57AD8}\.cr\VC_redist.x64.exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64.exe" -burn.filehandle.attached=696 -burn.filehandle.self=7003⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\.be\VC_redist.x64.exe"C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{0BFA91C4-6850-4173-9A32-028D959255D7} {2C77343D-62AD-4DFE-B25F-6A268FD09BB7} 38004⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1148 -burn.embedded BurnPipe.{16BA0D72-4C72-4BC8-847D-3327DABCC141} {E3833F2E-3E11-4714-BD3F-35B6B302182B} 51965⤵
-
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.clean.room="C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={d4cecf3b-b68f-4995-8840-52ea0fab646e} -burn.filehandle.self=1148 -burn.embedded BurnPipe.{16BA0D72-4C72-4BC8-847D-3327DABCC141} {E3833F2E-3E11-4714-BD3F-35B6B302182B} 51966⤵
- Loads dropped DLL
-
C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe"C:\ProgramData\Package Cache\{57a73df6-4ba9-4c1d-bbbb-517289ff6c13}\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{AAB7F8F3-A273-48B1-87E4-5AA5DB14F6F9} {F945BAB8-BFE8-47E5-8BF5-73CBCBABD1BC} 48247⤵
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2148,9546711364315587161,14697014445998191791,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5092 /prefetch:82⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x384 0x3901⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\Downloads\Release\Release\THEMIDA_UNPACK_x86.exe"C:\Users\Admin\Downloads\Release\Release\THEMIDA_UNPACK_x86.exe" C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"2⤵
-
C:\Users\Admin\Downloads\Release\Release\pd.exe"C:\Users\Admin\Downloads\Release\Release\pd.exe" -pid 38682⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Adds Run key to start application
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xd8,0x10c,0x7ffbb54f46f8,0x7ffbb54f4708,0x7ffbb54f47182⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5440 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5628 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5932 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5284 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6184 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6296 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6648 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6724 /prefetch:82⤵
-
C:\Users\Admin\Downloads\VC_redist.x64 (1).exe"C:\Users\Admin\Downloads\VC_redist.x64 (1).exe"2⤵
- Executes dropped EXE
-
C:\Windows\Temp\{7D5553F3-44C0-4591-B550-CA2BDC5E25F8}\.cr\VC_redist.x64 (1).exe"C:\Windows\Temp\{7D5553F3-44C0-4591-B550-CA2BDC5E25F8}\.cr\VC_redist.x64 (1).exe" -burn.clean.room="C:\Users\Admin\Downloads\VC_redist.x64 (1).exe" -burn.filehandle.attached=648 -burn.filehandle.self=6563⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
-
C:\Windows\Temp\{50949496-A699-4E0A-B801-349923F307B6}\.be\VC_redist.x64.exe"C:\Windows\Temp\{50949496-A699-4E0A-B801-349923F307B6}\.be\VC_redist.x64.exe" -q -burn.elevated BurnPipe.{926F1781-C8F7-41D8-AB65-F40C23A2F34D} {3672848E-4939-4FB1-B9BD-CBF0869303DB} 57644⤵
- Executes dropped EXE
- Adds Run key to start application
- Modifies registry class
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5400 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1736 /prefetch:82⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4160 /prefetch:22⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6880 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5852 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7132 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7060 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6996 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4024 /prefetch:12⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2088,18256909256419026833,9879471984596563927,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7004 /prefetch:12⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Users\Admin\Downloads\Release\Release\pd.exe"C:\Users\Admin\Downloads\Release\Release\pd.exe"1⤵
-
C:\Users\Admin\Downloads\Release\Release\SuspendProcess.exe"C:\Users\Admin\Downloads\Release\Release\SuspendProcess.exe"1⤵
-
C:\Users\Admin\Downloads\Release\Release\SuspendProcess.exe"C:\Users\Admin\Downloads\Release\Release\SuspendProcess.exe" C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"2⤵
-
C:\Users\Admin\Downloads\Release\Release\pd.exe"C:\Users\Admin\Downloads\Release\Release\pd.exe" -pid 7842⤵
-
C:\Users\Admin\Downloads\Release\Release\SuspendProcess.exe"C:\Users\Admin\Downloads\Release\Release\SuspendProcess.exe" C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"2⤵
-
C:\Users\Admin\Downloads\Release\Release\scylla\Scylla_x86.exe"C:\Users\Admin\Downloads\Release\Release\scylla\Scylla_x86.exe"1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\Downloads\Release\Release\NikoLoader_dump.exe"C:\Users\Admin\Downloads\Release\Release\NikoLoader_dump.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=NikoLoader_dump.exe&platform=0009&osver=6&isServer=0&shimver=4.0.30319.02⤵
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x120,0x124,0x40,0x128,0x7ffbb54f46f8,0x7ffbb54f4708,0x7ffbb54f47183⤵
-
C:\Users\Admin\Downloads\Release\Release\NikoLoader_dump.exe"C:\Users\Admin\Downloads\Release\Release\NikoLoader_dump.exe"1⤵
- Executes dropped EXE
-
C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"C:\Users\Admin\Downloads\Release\Release\NikoLoader.exe"1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x384 0x3901⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
471B
MD56cf5592a0288361d4a6075f6ab337a47
SHA1b2b37d9492f5eb918d65a03af4220607d39c86a6
SHA256ec3e68fd36843b764ffbb38a35adf1b0fadc16c529ddd777984a5ef376006ca0
SHA5126b64fa72d5193473ab71be38db095124a1bbaed45e2bef1758a40fd0f45bf1187bc1cf584d5a03542c1484fcb28c5ce62c0c64994b9398408a08e234d0f37954
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\80237EE4964FC9C409AAF55BF996A292_D46D6FA25B74360E1349F9015B5CCE53Filesize
412B
MD57ac14e687e7574d26befb644b8315d13
SHA15b7ea350815fb41c28520ac9a829c9f84a5c5ba4
SHA256d7053afc49009a59ca45f78a55e35a29a3cdf75029d63bbbb5a21588c2d21124
SHA51287b8f96df863ac16cff8e59bc6e7ad36d44ff66110a437f14f29d7055bdd9addd6e414fa1422b020e941a4022928bc2641a7f4d71d7e4651d364429998446585
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a58a7931227f93b9a54bc982c0d99582
SHA17591b129f025f2003039a81830b9cd5d7043d3e2
SHA256a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0
SHA51224eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD5a58a7931227f93b9a54bc982c0d99582
SHA17591b129f025f2003039a81830b9cd5d7043d3e2
SHA256a6751ef5a8d88960e0fc22e205155f766e840d13c46c962166f35e3bf8367ac0
SHA51224eec66ba6b79cebb2b920cdad34f9b68fcc9503a2e4bc718ddf3d39b8f959ee1c7b0e73079b31a0e8acc98960fcedeb7e49f38b8f5036aa21294048f7f1a79b
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56102471af38b45f30decc8db2f59a8e2
SHA135428c52f58b3a35d5028929b6298d6b95d6bdec
SHA25657e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4
SHA5121040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.datFilesize
152B
MD56102471af38b45f30decc8db2f59a8e2
SHA135428c52f58b3a35d5028929b6298d6b95d6bdec
SHA25657e3a5210c5872fc5d56b4111a4d07e512ef54a79128391084c167c101a9d7c4
SHA5121040720fe63680c7a17ced8026e3a2e31e0e73066bd0c3d74e5cd4a19c0e6f23dc30e0a41f62d92c0b9cc9840895ece4b3d36a200816e400feec49e54599b3fe
-
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local StateFilesize
2KB
MD5d9af602ee7b6b12d57f21e6602e818af
SHA11400d2a5cd1f710216b9372ce4edee499ed98503
SHA2567ea0bae747f9decb7261044bd6e04584d51263d01dd025170ce0d0e8c9c2b5b0
SHA5124160bfe23407411b8f1e58c15162606854475e57a3e9f9a2d88476bd47a6a5d1d68c42d5e63a809d210c96e019b404e9918dbdad121253f8661c8b85ab85d35b
-
C:\Users\Admin\Downloads\VC_redist.x64.exeFilesize
24.3MB
MD5703bd677778f2a1ba1eb4338bac3b868
SHA1a176f140e942920b777f80de89e16ea57ee32be8
SHA2562257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041
-
C:\Users\Admin\Downloads\VC_redist.x64.exeFilesize
24.3MB
MD5703bd677778f2a1ba1eb4338bac3b868
SHA1a176f140e942920b777f80de89e16ea57ee32be8
SHA2562257b3fbe3c7559de8b31170155a433faf5b83829e67c589d5674ff086b868b9
SHA512a66ea382d8bdd31491627fd698242d2eda38b1d9df762c402923ef40bbca6aa2f43f22fa811c5fc894b529f9e77fcdd5ced9cd8af4a19f53845fce3780e8c041
-
C:\Windows\Temp\{16337E69-2CED-4274-8EEC-91E46FF57AD8}\.cr\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{16337E69-2CED-4274-8EEC-91E46FF57AD8}\.cr\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\.ba\wixstdba.dllFilesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\.be\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\.be\VC_redist.x64.exeFilesize
635KB
MD5848da6b57cb8acc151a8d64d15ba383d
SHA18f4d4a1afa9fd985c67642213b3e7ccf415591da
SHA2565a61f9775032457db28edd41f98f08c874e759f344ea8475c9ac8abbba68de12
SHA512ff8b87e7746ecf19a150874dedd6ea4c51c76cfc291c5a80d9e5073a9bbbb2bd6ed7d10425b083578dc8d28d0d905e379fa3f919a60979e5b5c44ebc0ac613e6
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\cab2C04DDC374BD96EB5C8EB8208F2C7C92Filesize
5.4MB
MD562bc0f466e65d9219281cf75c8f91380
SHA10826a1591b81acf0fe30d58e19b0a87df2a49a3e
SHA256534dd81be6b7a23a745c36eda87e6387c5d146c3a96c84793d0edc7eb85b40f3
SHA51217713f4228c0c2793c622bbb0a90bd5688d98a6576a695cb956fa233238c4c6e5b0cb43510be4f072613ad575d0b44e7c847f48b785a161cc337a9e6fdca3bb5
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\cab5046A8AB272BF37297BB7928664C9503Filesize
914KB
MD545c9c674c0ba87f57168d6ab852e9641
SHA173ace24362f14dc58d4099dae6e4e62902e9e950
SHA256d14f231d1ab0d928e309b067622b5389e0dc6c4f0d3671632066f6586c442c76
SHA5125bb06ca9c966c9edd30944523a84efd3c13b8eb9f6a5c6cfd961a0c82a1cb193e7b58baf888dede7b740ed42ce76ab20c3e41a684c4dd9d818ff8b0d9e52e684
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\vcRuntimeAdditional_x64Filesize
180KB
MD5c214a9e931bbdd960bb48ac1a2b91945
SHA1a640c55dd522e01d0be4307a5eee9a40f779a6cc
SHA2561dbd3e4e71c6678e640c289c1c64bbb12c70f65f52b27191680a9e4141d64b11
SHA512d25fef3bdd3cd18035892618602e27621e9fb3a913e7972ec7bb624d593ae4b766e718fd2e2c7342c589e9a97beb03d2fedef22e824c6b539b83f199cb967933
-
C:\Windows\Temp\{A1B4CBC5-EF08-4D66-BBF8-C42DA2B3B427}\vcRuntimeMinimum_x64Filesize
180KB
MD5df77fc41aa2f85ca423919e397084137
SHA15b87cd2dfb661df49f9557e2fc3b95c7833c9b0b
SHA25651b6a928f7becbf525cbeff180442b05533f8ea8f8494cc97a491e29bdd4b7c2
SHA512a36b093011b9534db0881eb72de4638e39be67a9844b14fcd3e40539aafd9aa9ce7b14d3968aedb092ecf9bca9ac0918a65f65632643782edafefa36fc12c3e2
-
\??\pipe\LOCAL\crashpad_2304_FCHTDNRIDFCKKWOJMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
\??\pipe\LOCAL\crashpad_2492_VHPVJBXVUFAPVTVGMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/1236-284-0x000000000BCF0000-0x000000000BD2C000-memory.dmpFilesize
240KB
-
memory/1236-282-0x0000000005540000-0x0000000005552000-memory.dmpFilesize
72KB
-
memory/1236-283-0x0000000005740000-0x000000000574A000-memory.dmpFilesize
40KB
-
memory/1264-245-0x0000000000000000-mapping.dmp
-
memory/1512-251-0x0000000000000000-mapping.dmp
-
memory/1540-212-0x0000000000000000-mapping.dmp
-
memory/1544-143-0x0000000000000000-mapping.dmp
-
memory/1556-191-0x0000000000000000-mapping.dmp
-
memory/1580-257-0x0000000000000000-mapping.dmp
-
memory/1668-157-0x0000000000000000-mapping.dmp
-
memory/1992-159-0x0000000000000000-mapping.dmp
-
memory/2096-261-0x0000000000000000-mapping.dmp
-
memory/2204-247-0x0000000004F80000-0x0000000005524000-memory.dmpFilesize
5.6MB
-
memory/2204-248-0x0000000004A70000-0x0000000004B02000-memory.dmpFilesize
584KB
-
memory/2204-246-0x00000000001F0000-0x00000000001F8000-memory.dmpFilesize
32KB
-
memory/2672-153-0x0000000000000000-mapping.dmp
-
memory/2672-195-0x0000000000000000-mapping.dmp
-
memory/2696-254-0x0000000000000000-mapping.dmp
-
memory/2760-217-0x0000000000000000-mapping.dmp
-
memory/2864-275-0x00000000007E0000-0x00000000007E8000-memory.dmpFilesize
32KB
-
memory/2912-193-0x0000000000000000-mapping.dmp
-
memory/3156-187-0x0000000000000000-mapping.dmp
-
memory/3192-162-0x0000000000000000-mapping.dmp
-
memory/3236-148-0x0000000000000000-mapping.dmp
-
memory/3616-132-0x0000000000000000-mapping.dmp
-
memory/3664-259-0x0000000000000000-mapping.dmp
-
memory/3696-202-0x0000000000000000-mapping.dmp
-
memory/3784-263-0x0000000000000000-mapping.dmp
-
memory/3800-230-0x0000000000000000-mapping.dmp
-
memory/3868-250-0x0000000000650000-0x0000000000710000-memory.dmpFilesize
768KB
-
memory/3868-249-0x0000000000000000-mapping.dmp
-
memory/3888-144-0x0000000000000000-mapping.dmp
-
memory/4024-215-0x0000000000000000-mapping.dmp
-
memory/4108-208-0x0000000000000000-mapping.dmp
-
memory/4128-142-0x0000000000000000-mapping.dmp
-
memory/4264-243-0x0000000000000000-mapping.dmp
-
memory/4360-133-0x0000000000000000-mapping.dmp
-
memory/4448-155-0x0000000000000000-mapping.dmp
-
memory/4468-221-0x0000000000000000-mapping.dmp
-
memory/4520-164-0x0000000000000000-mapping.dmp
-
memory/4528-134-0x0000000000000000-mapping.dmp
-
memory/4532-141-0x0000000000000000-mapping.dmp
-
memory/4648-225-0x0000000000000000-mapping.dmp
-
memory/4764-255-0x0000000000000000-mapping.dmp
-
memory/4824-244-0x0000000000000000-mapping.dmp
-
memory/4832-189-0x0000000000000000-mapping.dmp
-
memory/4888-227-0x0000000000000000-mapping.dmp
-
memory/4888-200-0x0000000000000000-mapping.dmp
-
memory/5044-206-0x0000000000000000-mapping.dmp
-
memory/5128-166-0x0000000000000000-mapping.dmp
-
memory/5192-223-0x0000000000000000-mapping.dmp
-
memory/5196-168-0x0000000000000000-mapping.dmp
-
memory/5196-234-0x0000000000000000-mapping.dmp
-
memory/5200-214-0x0000000000000000-mapping.dmp
-
memory/5256-170-0x0000000000000000-mapping.dmp
-
memory/5312-252-0x0000000000000000-mapping.dmp
-
memory/5340-172-0x0000000000000000-mapping.dmp
-
memory/5436-174-0x0000000000000000-mapping.dmp
-
memory/5452-176-0x0000000000000000-mapping.dmp
-
memory/5520-178-0x0000000000000000-mapping.dmp
-
memory/5644-210-0x0000000000000000-mapping.dmp
-
memory/5700-204-0x0000000000000000-mapping.dmp
-
memory/5716-180-0x0000000000000000-mapping.dmp
-
memory/5744-182-0x0000000000000000-mapping.dmp
-
memory/5760-184-0x0000000000000000-mapping.dmp
-
memory/5852-185-0x0000000000000000-mapping.dmp
-
memory/5904-219-0x0000000000000000-mapping.dmp
-
memory/5908-186-0x0000000000000000-mapping.dmp
-
memory/5940-226-0x0000000000000000-mapping.dmp
-
memory/5984-199-0x0000000000000000-mapping.dmp
-
memory/6000-238-0x0000000000000000-mapping.dmp
-
memory/6024-197-0x0000000000000000-mapping.dmp