Overview
overview
10Static
static
1AnyDesk.exe
windows7-x64
9AnyDesk.exe
windows10-2004-x64
10tmp/ChromeSetup.exe
windows7-x64
8tmp/ChromeSetup.exe
windows10-2004-x64
8tmp/Spotif...6).exe
windows7-x64
8tmp/Spotif...6).exe
windows10-2004-x64
10tmp/filmor...83.exe
windows7-x64
7tmp/filmor...83.exe
windows10-2004-x64
7Analysis
-
max time kernel
117s -
max time network
152s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system -
submitted
15-03-2023 08:25
Static task
static1
Behavioral task
behavioral1
Sample
AnyDesk.exe
Resource
win7-20230220-en
Behavioral task
behavioral2
Sample
AnyDesk.exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral3
Sample
tmp/ChromeSetup.exe
Resource
win7-20230220-en
Behavioral task
behavioral4
Sample
tmp/ChromeSetup.exe
Resource
win10v2004-20230221-en
Behavioral task
behavioral5
Sample
tmp/SpotifySetup (6).exe
Resource
win7-20230220-en
Behavioral task
behavioral6
Sample
tmp/SpotifySetup (6).exe
Resource
win10v2004-20230220-en
Behavioral task
behavioral7
Sample
tmp/filmora_setup_full1083.exe
Resource
win7-20230220-en
Behavioral task
behavioral8
Sample
tmp/filmora_setup_full1083.exe
Resource
win10v2004-20230221-en
General
-
Target
AnyDesk.exe
-
Size
5.5MB
-
MD5
33614c059849aaeacaa68422b11a9795
-
SHA1
baf66bc7a279fcde9fa90708c153e06b89bb60d9
-
SHA256
25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e
-
SHA512
c211cfee30e6f3336a0d4aa8e44d91be4fb0399c2dc7d8a01b37d4264b44865c51037f5b6470f3aecd53cb551951132d80fbdba3b18fe0787cacd6166a66e5f6
-
SSDEEP
98304:cKYGKdACTgvV6qPvZpgvXM/N3qZBO0cY2YPGvhP0JGom5:cp86qPvZ6v6NH0l7PXm5
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
Hw2maturidade.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ Hw2maturidade.exe -
Blocklisted process makes network request 1 IoCs
Processes:
powershell.exeflow pid process 4 2004 powershell.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
Hw2maturidade.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion Hw2maturidade.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion Hw2maturidade.exe -
Executes dropped EXE 1 IoCs
Processes:
Hw2maturidade.exepid process 1576 Hw2maturidade.exe -
Loads dropped DLL 8 IoCs
Processes:
MsiExec.exepowershell.exeHw2maturidade.exepid process 2020 MsiExec.exe 2020 MsiExec.exe 2020 MsiExec.exe 2020 MsiExec.exe 2004 powershell.exe 2004 powershell.exe 1576 Hw2maturidade.exe 1576 Hw2maturidade.exe -
Processes:
Hw2maturidade.exedescription ioc process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA Hw2maturidade.exe -
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
msiexec.exemsiexec.exedescription ioc process File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\N: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\G: msiexec.exe File opened (read-only) \??\L: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\O: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\H: msiexec.exe File opened (read-only) \??\M: msiexec.exe File opened (read-only) \??\S: msiexec.exe File opened (read-only) \??\W: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\E: msiexec.exe File opened (read-only) \??\V: msiexec.exe File opened (read-only) \??\Z: msiexec.exe File opened (read-only) \??\B: msiexec.exe File opened (read-only) \??\F: msiexec.exe File opened (read-only) \??\J: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\X: msiexec.exe File opened (read-only) \??\I: msiexec.exe File opened (read-only) \??\P: msiexec.exe File opened (read-only) \??\T: msiexec.exe File opened (read-only) \??\K: msiexec.exe File opened (read-only) \??\Y: msiexec.exe File opened (read-only) \??\R: msiexec.exe File opened (read-only) \??\A: msiexec.exe File opened (read-only) \??\Q: msiexec.exe File opened (read-only) \??\U: msiexec.exe File opened (read-only) \??\V: msiexec.exe -
Drops file in System32 directory 1 IoCs
Processes:
powershell.exedescription ioc process File opened for modification C:\Windows\SysWOW64\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk powershell.exe -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
Hw2maturidade.exepid process 1576 Hw2maturidade.exe -
Drops file in Windows directory 13 IoCs
Processes:
msiexec.exeDrvInst.exedescription ioc process File opened for modification C:\Windows\Installer\6c93c8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI94D1.tmp msiexec.exe File opened for modification C:\Windows\Installer\MSI98BA.tmp msiexec.exe File opened for modification C:\Windows\Installer\ msiexec.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\Installer\6c93c8.msi msiexec.exe File opened for modification C:\Windows\Installer\MSIA3C2.tmp msiexec.exe File created C:\Windows\Installer\6c93cc.msi msiexec.exe File opened for modification C:\Windows\Installer\MSI95CC.tmp msiexec.exe File created C:\Windows\Installer\6c93ca.ipi msiexec.exe File opened for modification C:\Windows\Installer\MSIA5C7.tmp msiexec.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Processes:
iexplore.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\GPU iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IntelliForms iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\PageSetup iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{DFFA79D1-C314-11ED-BB29-4E1AE6AC1D45} = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\InternetRegistry iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\IETld\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Zoom iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\LowRegistry iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe -
Modifies data under HKEY_USERS 46 IoCs
Processes:
DrvInst.exemsiexec.exedescription ioc process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E msiexec.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E msiexec.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D msiexec.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe -
Modifies registry class 23 IoCs
Processes:
msiexec.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\24210B1B431A27145802EE85AB1B4207\MainFeature msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media\DiskPrompt = "[1]" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\PackageName = "AnyDesk.msi" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\ProductName = "AnyDesk" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\PackageCode = "1BD298B5F2ED9B84692DEE45C27D3993" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Version = "16777216" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\AuthorizedLUAApp = "0" msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51\24210B1B431A27145802EE85AB1B4207 msiexec.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Clients = 3a0000000000 msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Assignment = "1" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\InstanceType = "0" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\DeploymentFlags = "3" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Net msiexec.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media\1 = ";" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\24210B1B431A27145802EE85AB1B4207 msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207 msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Language = "1046" msiexec.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\AdvertiseFlags = "388" msiexec.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51 msiexec.exe -
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
description flow ioc HTTP User-Agent header 7 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) -
Suspicious behavior: EnumeratesProcesses 5 IoCs
Processes:
msiexec.exepowershell.exepid process 468 msiexec.exe 468 msiexec.exe 2004 powershell.exe 2004 powershell.exe 2004 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
msiexec.exemsiexec.exevssvc.exeDrvInst.exedescription pid process Token: SeShutdownPrivilege 2000 msiexec.exe Token: SeIncreaseQuotaPrivilege 2000 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeSecurityPrivilege 468 msiexec.exe Token: SeCreateTokenPrivilege 2000 msiexec.exe Token: SeAssignPrimaryTokenPrivilege 2000 msiexec.exe Token: SeLockMemoryPrivilege 2000 msiexec.exe Token: SeIncreaseQuotaPrivilege 2000 msiexec.exe Token: SeMachineAccountPrivilege 2000 msiexec.exe Token: SeTcbPrivilege 2000 msiexec.exe Token: SeSecurityPrivilege 2000 msiexec.exe Token: SeTakeOwnershipPrivilege 2000 msiexec.exe Token: SeLoadDriverPrivilege 2000 msiexec.exe Token: SeSystemProfilePrivilege 2000 msiexec.exe Token: SeSystemtimePrivilege 2000 msiexec.exe Token: SeProfSingleProcessPrivilege 2000 msiexec.exe Token: SeIncBasePriorityPrivilege 2000 msiexec.exe Token: SeCreatePagefilePrivilege 2000 msiexec.exe Token: SeCreatePermanentPrivilege 2000 msiexec.exe Token: SeBackupPrivilege 2000 msiexec.exe Token: SeRestorePrivilege 2000 msiexec.exe Token: SeShutdownPrivilege 2000 msiexec.exe Token: SeDebugPrivilege 2000 msiexec.exe Token: SeAuditPrivilege 2000 msiexec.exe Token: SeSystemEnvironmentPrivilege 2000 msiexec.exe Token: SeChangeNotifyPrivilege 2000 msiexec.exe Token: SeRemoteShutdownPrivilege 2000 msiexec.exe Token: SeUndockPrivilege 2000 msiexec.exe Token: SeSyncAgentPrivilege 2000 msiexec.exe Token: SeEnableDelegationPrivilege 2000 msiexec.exe Token: SeManageVolumePrivilege 2000 msiexec.exe Token: SeImpersonatePrivilege 2000 msiexec.exe Token: SeCreateGlobalPrivilege 2000 msiexec.exe Token: SeBackupPrivilege 588 vssvc.exe Token: SeRestorePrivilege 588 vssvc.exe Token: SeAuditPrivilege 588 vssvc.exe Token: SeBackupPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeRestorePrivilege 1720 DrvInst.exe Token: SeRestorePrivilege 1720 DrvInst.exe Token: SeRestorePrivilege 1720 DrvInst.exe Token: SeRestorePrivilege 1720 DrvInst.exe Token: SeRestorePrivilege 1720 DrvInst.exe Token: SeRestorePrivilege 1720 DrvInst.exe Token: SeRestorePrivilege 1720 DrvInst.exe Token: SeLoadDriverPrivilege 1720 DrvInst.exe Token: SeLoadDriverPrivilege 1720 DrvInst.exe Token: SeLoadDriverPrivilege 1720 DrvInst.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe Token: SeTakeOwnershipPrivilege 468 msiexec.exe Token: SeRestorePrivilege 468 msiexec.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
Processes:
msiexec.exepowershell.exepid process 2000 msiexec.exe 2004 powershell.exe 2004 powershell.exe 2004 powershell.exe 2004 powershell.exe -
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
AnyDesk.exeiexplore.exepid process 2036 AnyDesk.exe 2036 AnyDesk.exe 2036 iexplore.exe 2036 iexplore.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
AnyDesk.exemsiexec.exeMsiExec.exepowershell.exeiexplore.exedescription pid process target process PID 2036 wrote to memory of 2000 2036 AnyDesk.exe msiexec.exe PID 2036 wrote to memory of 2000 2036 AnyDesk.exe msiexec.exe PID 2036 wrote to memory of 2000 2036 AnyDesk.exe msiexec.exe PID 2036 wrote to memory of 2000 2036 AnyDesk.exe msiexec.exe PID 2036 wrote to memory of 2000 2036 AnyDesk.exe msiexec.exe PID 2036 wrote to memory of 2000 2036 AnyDesk.exe msiexec.exe PID 2036 wrote to memory of 2000 2036 AnyDesk.exe msiexec.exe PID 468 wrote to memory of 2020 468 msiexec.exe MsiExec.exe PID 468 wrote to memory of 2020 468 msiexec.exe MsiExec.exe PID 468 wrote to memory of 2020 468 msiexec.exe MsiExec.exe PID 468 wrote to memory of 2020 468 msiexec.exe MsiExec.exe PID 468 wrote to memory of 2020 468 msiexec.exe MsiExec.exe PID 468 wrote to memory of 2020 468 msiexec.exe MsiExec.exe PID 468 wrote to memory of 2020 468 msiexec.exe MsiExec.exe PID 2020 wrote to memory of 2004 2020 MsiExec.exe powershell.exe PID 2020 wrote to memory of 2004 2020 MsiExec.exe powershell.exe PID 2020 wrote to memory of 2004 2020 MsiExec.exe powershell.exe PID 2020 wrote to memory of 2004 2020 MsiExec.exe powershell.exe PID 2004 wrote to memory of 1576 2004 powershell.exe Hw2maturidade.exe PID 2004 wrote to memory of 1576 2004 powershell.exe Hw2maturidade.exe PID 2004 wrote to memory of 1576 2004 powershell.exe Hw2maturidade.exe PID 2004 wrote to memory of 1576 2004 powershell.exe Hw2maturidade.exe PID 2036 wrote to memory of 1540 2036 iexplore.exe IEXPLORE.EXE PID 2036 wrote to memory of 1540 2036 iexplore.exe IEXPLORE.EXE PID 2036 wrote to memory of 1540 2036 iexplore.exe IEXPLORE.EXE PID 2036 wrote to memory of 1540 2036 iexplore.exe IEXPLORE.EXE -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\msiexec.exe"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi"2⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\syswow64\MsiExec.exeC:\Windows\syswow64\MsiExec.exe -Embedding CEDBD9E1545E4971DC464E27DDB2DE4D2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe-NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssA651.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiA63F.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrA640.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrA641.txt" -propSep " :<->: " -testPrefix "_testValue."3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\abominável\elegível\Hw2maturidade.exe"C:\Users\Admin\abominável\elegível\Hw2maturidade.exe"4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
-
C:\Users\Public\Documents\AnyDesk\setup.exe"C:\Users\Public\Documents\AnyDesk\setup.exe"4⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004A4" "0000000000000588"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2036 CREDAT:275457 /prefetch:22⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\ABOMIN~1\ELEGVE~1\Update.zipFilesize
34.0MB
MD52d3ba64c6b91723bcda584b7b086a7e7
SHA1b00f3b74f16c29546427d27a70c85d63dc87601c
SHA256bb5e945b4d14207d543169e43b1e39e6565a7a8ecdba3b663b73d7b653f9c911
SHA51284c5af14cff7c2a20a7505032bee707248af6b79dd184752e308551b5a2aa3703f6d19e5151ec87eba04242d917da7a34584d9f69c69e095db352a09fdd20f9d
-
C:\Users\Admin\AppData\Local\Temp\AnyDesk.msiFilesize
5.2MB
MD51b71048c460473fd82ec2de1c98798b0
SHA1a139134145c4eb2fb460a319d1727540ee264927
SHA256cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f
SHA512d3e09b1533f4b479090b97aea372e8eb720fb7fbcb9bd5290383a432da855ec4a780b50f61dc558595d3b9098ede0cde513b548570dc9293b3cf1f53eb4a0d29
-
C:\Users\Admin\AppData\Local\Temp\pssA651.ps1Filesize
5KB
MD5fc1bb6c87fd1f08b534e52546561c53c
SHA1db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA5125495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
C:\Users\Admin\AppData\Local\Temp\scrA640.ps1Filesize
17KB
MD5573c661545a080753d80b02e5116212c
SHA14905b0e15d7c6daa47ec99f8536306b8dcdca702
SHA2569f636f81baf940aa6c51f47bbeb3de89c3a70fcc524bebd4333fcf2e7a690c25
SHA5120d8c3979a02e0a11207cd5d9dddad6d704fe4aa2c979106e56019c3d2eddfbb93f650e59f1c8ed0336d022cbcb89ce82bdcf5c7ab1635ba096944aa5f743b10e
-
C:\Users\Admin\abominável\elegível\Hw2maturidade.exeFilesize
213KB
MD57fb1c5dfc2605843cec69a6fc4e96576
SHA1b5e591d23a3798b89648033760d3710a403b32be
SHA256330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5
SHA5120c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7
-
C:\Users\Admin\abominável\elegível\Hw2maturidade.exeFilesize
213KB
MD57fb1c5dfc2605843cec69a6fc4e96576
SHA1b5e591d23a3798b89648033760d3710a403b32be
SHA256330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5
SHA5120c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7
-
C:\Users\Admin\abominável\elegível\Hw2maturidade.exeFilesize
213KB
MD57fb1c5dfc2605843cec69a6fc4e96576
SHA1b5e591d23a3798b89648033760d3710a403b32be
SHA256330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5
SHA5120c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7
-
C:\Users\Admin\abominável\elegível\MSVCR80.dllFilesize
3.6MB
MD5650316f36cab9b31d6d743109c55b87a
SHA12016b0aa7d44bff91f292acacd81998cc5ca79e1
SHA2568e48344a0637941d305d3d368a96adeeb791b1ee1d4c4b7316fa492962f5e7fe
SHA5128b69198d0f20e34f87b458ce90c19e5a7e3ecd53a6d896a356b58a9e2232e8d450c7b31d33e1a9439f5e705faabfdd7ed2be36b312c231fd60f116328207cbd8
-
C:\Users\Admin\abominável\elegível\custsat.dllFilesize
33KB
MD51ff80ebe5082a13d02253b415aa26f60
SHA17da7551ec7f3f1e606edf9313595e4ebe45ac8d1
SHA256e0088b6361c7ea8e611ba32542beff7ac12955991c82a5fe9ef5d9a97d6ca14f
SHA5128c33e9427227835229d27f59206e55cd98c372e6a20981c6b0518a5f9b81c127b0f40276c21adac06a433c1947ab56f7f2166135d184dec1162b5071e3037e90
-
C:\Users\Admin\abominável\elegível\netonxxFilesize
89.4MB
MD590358f8902d4597a7d92c1430e98a713
SHA1d71dff92a8d47e48eaf7e067dc3dc5349a2edd11
SHA256e7a1403108c1c6270b6d31cc723f1ace8c4039f6010cb80a6ee5ed0a31f6f96d
SHA512b1ce59c494a9e019c18f607980154f6e046e435746c0da36af50e15e5539c8af214fa62c5c6efecec204ffd29e16a905443c1153fb5581cbae7ebee1b59ee042
-
C:\Users\Public\Documents\AnyDesk\setup.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Users\Public\Documents\AnyDesk\setup.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Windows\Installer\6c93c8.msiFilesize
5.2MB
MD51b71048c460473fd82ec2de1c98798b0
SHA1a139134145c4eb2fb460a319d1727540ee264927
SHA256cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f
SHA512d3e09b1533f4b479090b97aea372e8eb720fb7fbcb9bd5290383a432da855ec4a780b50f61dc558595d3b9098ede0cde513b548570dc9293b3cf1f53eb4a0d29
-
C:\Windows\Installer\MSI94D1.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI95CC.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI98BA.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSI98BA.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIA5C7.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
\Users\Admin\abominável\elegível\Hw2maturidade.exeFilesize
213KB
MD57fb1c5dfc2605843cec69a6fc4e96576
SHA1b5e591d23a3798b89648033760d3710a403b32be
SHA256330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5
SHA5120c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7
-
\Users\Admin\abominável\elegível\Hw2maturidade.exeFilesize
213KB
MD57fb1c5dfc2605843cec69a6fc4e96576
SHA1b5e591d23a3798b89648033760d3710a403b32be
SHA256330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5
SHA5120c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7
-
\Users\Admin\abominável\elegível\custsat.dllFilesize
33KB
MD51ff80ebe5082a13d02253b415aa26f60
SHA17da7551ec7f3f1e606edf9313595e4ebe45ac8d1
SHA256e0088b6361c7ea8e611ba32542beff7ac12955991c82a5fe9ef5d9a97d6ca14f
SHA5128c33e9427227835229d27f59206e55cd98c372e6a20981c6b0518a5f9b81c127b0f40276c21adac06a433c1947ab56f7f2166135d184dec1162b5071e3037e90
-
\Users\Admin\abominável\elegível\msvcr80.dllFilesize
3.6MB
MD5650316f36cab9b31d6d743109c55b87a
SHA12016b0aa7d44bff91f292acacd81998cc5ca79e1
SHA2568e48344a0637941d305d3d368a96adeeb791b1ee1d4c4b7316fa492962f5e7fe
SHA5128b69198d0f20e34f87b458ce90c19e5a7e3ecd53a6d896a356b58a9e2232e8d450c7b31d33e1a9439f5e705faabfdd7ed2be36b312c231fd60f116328207cbd8
-
\Users\Public\Documents\AnyDesk\setup.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
\Windows\Installer\MSI94D1.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
\Windows\Installer\MSI95CC.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
\Windows\Installer\MSI98BA.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
\Windows\Installer\MSIA5C7.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
memory/1576-203-0x000000000E350000-0x000000000E396000-memory.dmpFilesize
280KB
-
memory/1576-201-0x000000000E2F0000-0x000000000E387000-memory.dmpFilesize
604KB
-
memory/1576-187-0x0000000000980000-0x000000000145B000-memory.dmpFilesize
10.9MB
-
memory/1576-188-0x0000000000980000-0x000000000145B000-memory.dmpFilesize
10.9MB
-
memory/1576-189-0x0000000000980000-0x000000000145B000-memory.dmpFilesize
10.9MB
-
memory/1576-190-0x0000000000980000-0x000000000145B000-memory.dmpFilesize
10.9MB
-
memory/1576-228-0x00000000106C0000-0x00000000106D7000-memory.dmpFilesize
92KB
-
memory/1576-192-0x0000000002D70000-0x0000000002DF4000-memory.dmpFilesize
528KB
-
memory/1576-193-0x00000000003E0000-0x00000000003ED000-memory.dmpFilesize
52KB
-
memory/1576-194-0x00000000005D0000-0x00000000005DD000-memory.dmpFilesize
52KB
-
memory/1576-195-0x000000000E3D0000-0x000000000E560000-memory.dmpFilesize
1.6MB
-
memory/1576-196-0x00000000003D0000-0x00000000003D1000-memory.dmpFilesize
4KB
-
memory/1576-222-0x0000000010500000-0x0000000010538000-memory.dmpFilesize
224KB
-
memory/1576-197-0x000000000E560000-0x000000000E723000-memory.dmpFilesize
1.8MB
-
memory/1576-199-0x0000000000850000-0x000000000086C000-memory.dmpFilesize
112KB
-
memory/1576-200-0x0000000002E00000-0x0000000002E3C000-memory.dmpFilesize
240KB
-
memory/1576-217-0x0000000002E40000-0x0000000002E41000-memory.dmpFilesize
4KB
-
memory/1576-185-0x0000000000020000-0x000000000002B000-memory.dmpFilesize
44KB
-
memory/1576-214-0x000000000F940000-0x000000000F97C000-memory.dmpFilesize
240KB
-
memory/1576-204-0x000000000EBF0000-0x000000000EC1B000-memory.dmpFilesize
172KB
-
memory/1576-205-0x000000000F080000-0x000000000F0F0000-memory.dmpFilesize
448KB
-
memory/1576-207-0x000000000F100000-0x000000000F10A000-memory.dmpFilesize
40KB
-
memory/1576-206-0x000000000F0F0000-0x000000000F0FB000-memory.dmpFilesize
44KB
-
memory/1576-208-0x000000000F6E0000-0x000000000F6F9000-memory.dmpFilesize
100KB
-
memory/1576-209-0x0000000008870000-0x000000000E1E7000-memory.dmpFilesize
89.5MB
-
memory/1576-211-0x000000000F8E0000-0x000000000F938000-memory.dmpFilesize
352KB
-
memory/1576-212-0x000000000F9C0000-0x000000000FA0F000-memory.dmpFilesize
316KB
-
memory/1576-213-0x0000000000980000-0x000000000145B000-memory.dmpFilesize
10.9MB
-
memory/1656-221-0x00000000000E0000-0x0000000001139000-memory.dmpFilesize
16.3MB
-
memory/2004-98-0x0000000001EE0000-0x0000000001F20000-memory.dmpFilesize
256KB
-
memory/2004-202-0x0000000005D30000-0x0000000005D31000-memory.dmpFilesize
4KB
-
memory/2004-97-0x0000000001EE0000-0x0000000001F20000-memory.dmpFilesize
256KB
-
memory/2004-94-0x0000000001EE0000-0x0000000001F20000-memory.dmpFilesize
256KB
-
memory/2004-93-0x0000000001EE0000-0x0000000001F20000-memory.dmpFilesize
256KB
-
memory/2004-99-0x0000000001EE0000-0x0000000001F20000-memory.dmpFilesize
256KB
-
memory/2004-132-0x0000000005D30000-0x0000000005D31000-memory.dmpFilesize
4KB