fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050

Analysis

max time kernel
80s
max time network
83s
platform
windows7_x64
resource
win7-20220718-en
resource tags

arch:x64arch:x86image:win7-20220718-enlocale:en-usos:windows7-x64system
submitted
05-08-2022 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.msi
Size

3.9MB
MD5

6cf5ad7a7d1b7bab0c62e246cf41a985
SHA1

b06a03adc550ead96534f5e723395c4e16bfdf44
SHA256

fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050
SHA512

46cd8bd1ead75a8adb7d5bff81a2fdc04567d462e965664f6f9f796237839f07f74d2201c3da8f7f37c9dfc45749ed88708db5a216d84f7ac146e5af58a8608e

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

install.exeanydesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeanydesk.exe

pid process

1684 install.exe
1016 anydesk.exe
480 AnyDesk.exe
1116 AnyDesk.exe
1868 AnyDesk.exe
1556 anydesk.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1868 netsh.exe

pid	process
1684	install.exe
1016	anydesk.exe
480	AnyDesk.exe
1116	AnyDesk.exe
1868	AnyDesk.exe
1556	anydesk.exe

pid	process
1868	netsh.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

install.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe	install.exe

Loads dropped DLL 19 IoCs

Processes:

MsiExec.exeMsiExec.exeinstall.execmd.exeanydesk.execmd.exeAnyDesk.exeanydesk.exe

pid	process
1776	MsiExec.exe
1056	MsiExec.exe
1056	MsiExec.exe
1056	MsiExec.exe
1056	MsiExec.exe
1684	install.exe
1684	install.exe
1684	install.exe
1356	cmd.exe
1016	anydesk.exe
1016	anydesk.exe
392	cmd.exe
1868	AnyDesk.exe
1868	AnyDesk.exe
1684	install.exe
1556	anydesk.exe
1556	anydesk.exe
1056	MsiExec.exe
1776	MsiExec.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

1088 ICACLS.EXE
1808 ICACLS.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1088	ICACLS.EXE
1808	ICACLS.EXE

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	install.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administartor = "0"	install.exe

Drops file in System32 directory 1 IoCs

Processes:

install.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\log1.txt install.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\log1.txt	install.exe

Drops file in Windows directory 16 IoCs

Processes:

DrvInst.exeEXPAND.EXEmsiexec.exe

description	ioc	process
File opened for modification	C:\Windows\INF\setupapi.ev3	DrvInst.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	EXPAND.EXE
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File created	C:\Windows\Installer\6c6089.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E4F.tmp	msiexec.exe
File created	C:\Windows\Installer\6c608b.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1F99.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6327.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI66B3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\6c6089.ipi	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File created	C:\Windows\Installer\6c6088.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\6c6088.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI6347.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	EXPAND.EXE

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exenetsh.exemsiexec.exeMsiExec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-103 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-101 = "Provides RD Gateway enforcement for NAP"	netsh.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-102 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-4 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-102 = "1.0"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-100 = "EAP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-1 = "IPsec Relying Party"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-3 = "Microsoft Corporation"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-102 = "1.0"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\napipsec.dll,-2 = "Provides IPsec based enforcement for Network Access Protection"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-100 = "DHCP Quarantine Enforcement Client"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\dhcpqec.dll,-101 = "Provides DHCP based enforcement for NAP"	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-103 = "Microsoft Corporation"	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "200000"	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	netsh.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tsgqec.dll,-100 = "RD Gateway Quarantine Enforcement Client"	netsh.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\eapqec.dll,-101 = "Provides Network Access Protection enforcement for EAP authenticated network connections, such as those used with 802.1X and VPN technologies."	netsh.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe

Modifies registry class 38 IoCs

Processes:

anydesk.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\PackageCode = "3FB72BC8CB959144EB519E3E5854F372"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Language = "1033"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F3854CA4966E374BB7723DCCFB99A04\ProductFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Version = "458752"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Assignment = "1"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\27DCDF205199E0345B6F51FFDC229E64\8F3854CA4966E374BB7723DCCFB99A04	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Media	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\AuthorizedLUAApp = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\27DCDF205199E0345B6F51FFDC229E64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\PackageName = "1.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Media\1 = ";"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\ProductName = "Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\""	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F3854CA4966E374BB7723DCCFB99A04	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

msiexec.exeanydesk.exeAnyDesk.exeAnyDesk.exe

pid process

1752 msiexec.exe
1752 msiexec.exe
1016 anydesk.exe
1016 anydesk.exe
480 AnyDesk.exe
1868 AnyDesk.exe

pid	process
1752	msiexec.exe
1752	msiexec.exe
1016	anydesk.exe
1016	anydesk.exe
480	AnyDesk.exe
1868	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeDrvInst.exeinstall.exe

description	pid	process
Token: SeShutdownPrivilege	2032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeSecurityPrivilege	1752	msiexec.exe
Token: SeCreateTokenPrivilege	2032	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2032	msiexec.exe
Token: SeLockMemoryPrivilege	2032	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2032	msiexec.exe
Token: SeMachineAccountPrivilege	2032	msiexec.exe
Token: SeTcbPrivilege	2032	msiexec.exe
Token: SeSecurityPrivilege	2032	msiexec.exe
Token: SeTakeOwnershipPrivilege	2032	msiexec.exe
Token: SeLoadDriverPrivilege	2032	msiexec.exe
Token: SeSystemProfilePrivilege	2032	msiexec.exe
Token: SeSystemtimePrivilege	2032	msiexec.exe
Token: SeProfSingleProcessPrivilege	2032	msiexec.exe
Token: SeIncBasePriorityPrivilege	2032	msiexec.exe
Token: SeCreatePagefilePrivilege	2032	msiexec.exe
Token: SeCreatePermanentPrivilege	2032	msiexec.exe
Token: SeBackupPrivilege	2032	msiexec.exe
Token: SeRestorePrivilege	2032	msiexec.exe
Token: SeShutdownPrivilege	2032	msiexec.exe
Token: SeDebugPrivilege	2032	msiexec.exe
Token: SeAuditPrivilege	2032	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2032	msiexec.exe
Token: SeChangeNotifyPrivilege	2032	msiexec.exe
Token: SeRemoteShutdownPrivilege	2032	msiexec.exe
Token: SeUndockPrivilege	2032	msiexec.exe
Token: SeSyncAgentPrivilege	2032	msiexec.exe
Token: SeEnableDelegationPrivilege	2032	msiexec.exe
Token: SeManageVolumePrivilege	2032	msiexec.exe
Token: SeImpersonatePrivilege	2032	msiexec.exe
Token: SeCreateGlobalPrivilege	2032	msiexec.exe
Token: SeBackupPrivilege	1324	vssvc.exe
Token: SeRestorePrivilege	1324	vssvc.exe
Token: SeAuditPrivilege	1324	vssvc.exe
Token: SeBackupPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	852	DrvInst.exe
Token: SeRestorePrivilege	852	DrvInst.exe
Token: SeRestorePrivilege	852	DrvInst.exe
Token: SeRestorePrivilege	852	DrvInst.exe
Token: SeRestorePrivilege	852	DrvInst.exe
Token: SeRestorePrivilege	852	DrvInst.exe
Token: SeRestorePrivilege	852	DrvInst.exe
Token: SeLoadDriverPrivilege	852	DrvInst.exe
Token: SeLoadDriverPrivilege	852	DrvInst.exe
Token: SeLoadDriverPrivilege	852	DrvInst.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRemoteShutdownPrivilege	1684	install.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe
Token: SeRestorePrivilege	1752	msiexec.exe
Token: SeTakeOwnershipPrivilege	1752	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exeAnyDesk.exe

pid process

2032 msiexec.exe
1116 AnyDesk.exe
1116 AnyDesk.exe
1116 AnyDesk.exe
2032 msiexec.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

1116 AnyDesk.exe
1116 AnyDesk.exe
1116 AnyDesk.exe

pid	process
2032	msiexec.exe
1116	AnyDesk.exe
1116	AnyDesk.exe
1116	AnyDesk.exe
2032	msiexec.exe

pid	process
1116	AnyDesk.exe
1116	AnyDesk.exe
1116	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msiexec.exeMsiExec.exeinstall.execmd.execmd.exe

description	pid	process	target process
PID 1752 wrote to memory of 1776	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1776	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1776	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1776	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1776	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1776	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1776	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1056	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1056	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1056	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1056	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1056	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1056	1752	msiexec.exe	MsiExec.exe
PID 1752 wrote to memory of 1056	1752	msiexec.exe	MsiExec.exe
PID 1056 wrote to memory of 1088	1056	MsiExec.exe	ICACLS.EXE
PID 1056 wrote to memory of 1088	1056	MsiExec.exe	ICACLS.EXE
PID 1056 wrote to memory of 1088	1056	MsiExec.exe	ICACLS.EXE
PID 1056 wrote to memory of 1088	1056	MsiExec.exe	ICACLS.EXE
PID 1056 wrote to memory of 1208	1056	MsiExec.exe	EXPAND.EXE
PID 1056 wrote to memory of 1208	1056	MsiExec.exe	EXPAND.EXE
PID 1056 wrote to memory of 1208	1056	MsiExec.exe	EXPAND.EXE
PID 1056 wrote to memory of 1208	1056	MsiExec.exe	EXPAND.EXE
PID 1056 wrote to memory of 1684	1056	MsiExec.exe	install.exe
PID 1056 wrote to memory of 1684	1056	MsiExec.exe	install.exe
PID 1056 wrote to memory of 1684	1056	MsiExec.exe	install.exe
PID 1056 wrote to memory of 1684	1056	MsiExec.exe	install.exe
PID 1056 wrote to memory of 1684	1056	MsiExec.exe	install.exe
PID 1056 wrote to memory of 1684	1056	MsiExec.exe	install.exe
PID 1056 wrote to memory of 1684	1056	MsiExec.exe	install.exe
PID 1684 wrote to memory of 1356	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 1356	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 1356	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 1356	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 1356	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 1356	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 1356	1684	install.exe	cmd.exe
PID 1356 wrote to memory of 1016	1356	cmd.exe	anydesk.exe
PID 1356 wrote to memory of 1016	1356	cmd.exe	anydesk.exe
PID 1356 wrote to memory of 1016	1356	cmd.exe	anydesk.exe
PID 1356 wrote to memory of 1016	1356	cmd.exe	anydesk.exe
PID 1356 wrote to memory of 1016	1356	cmd.exe	anydesk.exe
PID 1356 wrote to memory of 1016	1356	cmd.exe	anydesk.exe
PID 1356 wrote to memory of 1016	1356	cmd.exe	anydesk.exe
PID 1684 wrote to memory of 392	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 392	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 392	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 392	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 392	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 392	1684	install.exe	cmd.exe
PID 1684 wrote to memory of 392	1684	install.exe	cmd.exe
PID 392 wrote to memory of 1808	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 1808	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 1808	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 1808	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 1808	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 1808	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 1808	392	cmd.exe	cmd.exe
PID 392 wrote to memory of 1868	392	cmd.exe	AnyDesk.exe
PID 392 wrote to memory of 1868	392	cmd.exe	AnyDesk.exe
PID 392 wrote to memory of 1868	392	cmd.exe	AnyDesk.exe
PID 392 wrote to memory of 1868	392	cmd.exe	AnyDesk.exe
PID 392 wrote to memory of 1868	392	cmd.exe	AnyDesk.exe
PID 392 wrote to memory of 1868	392	cmd.exe	AnyDesk.exe
PID 392 wrote to memory of 1868	392	cmd.exe	AnyDesk.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2032

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1752

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 24C75CD981BA86CF43B5A13259A0B2B2
2⤵
- Loads dropped DLL
PID:1776

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files"
3⤵
PID:1972

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 76ADFC8C15B6A33C817D49E9DF246242 M Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:1056

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:1088

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:1208

C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
"C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Loads dropped DLL
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1684

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1356

\??\c:\programdata\anydesk.exe
c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1016

C:\Windows\SysWOW64\cmd.exe
cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
4⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:392

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
5⤵
PID:1808

\??\c:\programdata\anydesk\AnyDesk.exe
c:\programdata\anydesk\anydesk.exe --set-password
5⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1868

\??\c:\programdata\anydesk\anydesk.exe
"c:\programdata\anydesk\anydesk.exe" --get-id
4⤵
- Executes dropped EXE
- Loads dropped DLL
PID:1556

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
4⤵
- Modifies Windows Firewall
- Modifies data under HKEY_USERS
PID:1868

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1324

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "0000000000000498" "0000000000000060"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:852

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:480

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1116

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
6f0b0ebab56b7a543ffe077a4235657b

SHA1
7a56ce527da6a71873d713d2ae445c21d78adf94

SHA256
71566fdcaa427a465bb6d61fd76f19176da882392c7b5505b167e2f37f866f87

SHA512
8a4178f6eb54164a595538840e7fd278ae9535e87afd710d2849795f5eb18d2533be01ee22db5a54284f33e744412ddd6666d799c0c217f35e6206d329d7268f

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
286dd03a3b31e7564ea8ab17651077ea

SHA1
d250aba60b1078199cd8801898a018c8d96c503f

SHA256
dfefaa3849da1c52cd35b4a54edc0ef13f8072aa79024e4ffe110c713a8d83f2

SHA512
3dbd672ac002f999662939ed996fe6eddaf6efb9c9c041519afcf1ad7102e8baf4224339c8e7781914cf7053eb1e2984c07c3968dad93b0e8563691be23baa7b

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
455B

MD5
193fe40539ea8c61115cd909666a9c0f

SHA1
886347220d56fcf981517bb49724d7fb088c1090

SHA256
f560261d1f5598b70344d115a037dfb2a9937f785053cb868fcce1f3726fdfa1

SHA512
868f14ce6683093e34497aef54c38b5a8ec0613a45b5b5ab86c1f53cd6818624c8540debd63a17841c0c0ce78ffc09513b937419133d5c12579232e712d079d6

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
664B

MD5
025809d3e4b88bf6ba59006774ddd87f

SHA1
88e2ced088df2447f807dcd0364c7323a7069e47

SHA256
634549695d5d8303c53aeab976cbe73a10db36ec6950dff9c4ca099a604f56ad

SHA512
7df74c024d19f0837f6c1de8c9204b30802a7d47febf5eac7dd1e71c34c2ab8f5976fa8e21cbcdc927d6ec28427010fd046beaa6ad09c0c424053c5a0d483cc0

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
60B

MD5
25e71767a94343d45dd3e066c05784bf

SHA1
901ae90156458e9b91f29cb0789964a5bfbc1127

SHA256
1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525

SHA512
ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6

Download Submit
C:\ProgramData\anydesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files.cab
Filesize
3.6MB

MD5
223fa9756fce44168abd5db7afa03fad

SHA1
2e8bfc88819353490ec4c201445dc004fa9aaff5

SHA256
a929c064c064a1b5013b8fbce01feb7ae08e6bd9b05106dcda8320f9db0fb13d

SHA512
0efe5917995e6ee837aadbb9951ad1f7bcadfa9638de747b219e6a9bbe53fd586118a291776c6ff1c0416b3b439dadb0336ae61e74b1e6d12e9a38f11dac33ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\msiwrapper.ini
Filesize
1KB

MD5
0127720b98e6b009d6e39f3583f397fb

SHA1
5f9e2776283b39997af330ad6f350c60abd47366

SHA256
1bf7d04aca13264e66e5f066508fc27fe1f9f9dab1726f9e458bad49e3953010

SHA512
3eef16b65131fc0b233ad1f7a5dadd2b7b6f15073a75c863e6d83fa2894a25aad460fa0ca183cc3ef2f95fedf1b8a3d43414542bfc3b3267c8fb69def5b12621

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\msiwrapper.ini
Filesize
1KB

MD5
6b4b385c1a10bcbb5cb7465152ad51a1

SHA1
496a7774f5aaa745ba6cfabf6743bdd3b95dbc92

SHA256
05d2ec2f0b089ec60f0e81c339045ea36ed323f52916093d7f48a788f5e80f4b

SHA512
482698a8fad77fe972bafa2e6567285a8958ea68b9cb77169a5b5f11e22fc563130694177be657d9408ce5bbe1109d02d768b1d30c30270e90ba239998e95f9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
4KB

MD5
5de5604fe9d6e32845c4d253e2c5289d

SHA1
594c782b5745f1bd26800f15f0a58a85a90fd649

SHA256
1572d2b71aab7a791c954e613b222124335e92e491d99282b949bd691eb45dfb

SHA512
979698b67b05f9c1d86c2793a15b991d3107899794bc34d52fe6db07fef97666fab3fab2fe75a281efb8a5863f79c73fdf963787f2369edc45060dd13d82e6bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
7KB

MD5
2449126cfd8c04d65f90fc545244458a

SHA1
dafd3b271481ab5cd00fa339e3263f9bd5180ee0

SHA256
06c0638446ca36fdb0746f11457c3b12d1623871608d5c84f3ac0c4c7dd33007

SHA512
bc98a77ee9c52eeaaf9fc0a8385b659885a456f4617ae48cd36b63796c8283d8f15c11326b6819a6086410edb552ace54a3ca6c03ad03e33b8425ef460bbc5ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
5d4617ca8419cd5b62f445a4fd249df9

SHA1
42b092f40af7180954112369f3140ac6d25864b4

SHA256
ae0c3351e0cc7ea54cc283f94af00ec91ea2e17622af5aea2675fbc716bba22b

SHA512
534d10e41b4284ae49614dcb92c79909a2530123fe09501fa8bb4f271190bf4c0366eb4f51558f7b7c78bf79d18f15895758bc2e2e2bf6f0f018d92edab2ca7f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1003B

MD5
26e857e5eb5fa0cf425867261abf7f00

SHA1
f1d43afeb24675d797474d2993cca2a58ed8f7f7

SHA256
4fce8ce9edeeea9351396770073c9ed3c4dd1c4a34074db15b78aa78c086afa2

SHA512
02423b591781b312e1e0dcb167e961a25b716fda7abaf215f6b0cbc87f97865ba606806ae8800dc7cd737da2e8ba3267c620bf89e22764ce044b175ccd353b12

Download Submit
C:\Windows\Installer\MSI1E4F.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSI1F99.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSI6347.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSI66B3.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\??\c:\programdata\anydesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\??\c:\programdata\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
\Users\Admin\AppData\Local\Temp\MW-b61b57df-54e0-4599-84ba-6d1d1196c64c\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
\Windows\Installer\MSI1E4F.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\Windows\Installer\MSI1F99.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\Windows\Installer\MSI6347.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\Windows\Installer\MSI66B3.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
memory/392-117-0x0000000000000000-mapping.dmp

Download
memory/480-103-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/480-137-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/480-92-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/1016-107-0x0000000000C00000-0x0000000001B7D000-memory.dmp

Filesize
15.5MB

Download
memory/1016-82-0x0000000000000000-mapping.dmp

Download
memory/1016-89-0x0000000000C00000-0x0000000001B7D000-memory.dmp

Filesize
15.5MB

Download
memory/1016-87-0x0000000000C00000-0x0000000001B7D000-memory.dmp

Filesize
15.5MB

Download
memory/1056-60-0x0000000000000000-mapping.dmp

Download
memory/1088-65-0x0000000000000000-mapping.dmp

Download
memory/1116-110-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/1116-139-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/1208-67-0x0000000000000000-mapping.dmp

Download
memory/1356-78-0x0000000000000000-mapping.dmp

Download
memory/1556-152-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/1556-141-0x0000000000000000-mapping.dmp

Download
memory/1556-146-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/1684-72-0x0000000000000000-mapping.dmp

Download
memory/1776-56-0x0000000000000000-mapping.dmp

Download
memory/1776-57-0x0000000075A81000-0x0000000075A83000-memory.dmp

Filesize
8KB

Download
memory/1808-153-0x0000000000000000-mapping.dmp

Download
memory/1808-119-0x0000000000000000-mapping.dmp

Download
memory/1868-128-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/1868-122-0x0000000000000000-mapping.dmp

Download
memory/1868-150-0x0000000000000000-mapping.dmp

Download
memory/1868-138-0x0000000001060000-0x0000000001FDD000-memory.dmp

Filesize
15.5MB

Download
memory/1972-159-0x0000000000000000-mapping.dmp

Download
memory/2032-54-0x000007FEFBCF1000-0x000007FEFBCF3000-memory.dmp

Filesize
8KB

Download