Analysis
- max time kernel: 120s
- max time network: 122s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 10-01-2023 15:42
Static task: static1
Behavioral task: behavioral1
  Sample: AnyDesk.msi
  Resource: win10-20220812-en
Behavioral task: behavioral2
  Sample: AnyDesk.msi
  Resource: win7-20221111-en
Behavioral task: behavioral3
  Sample: AnyDesk.msi
  Resource: win10v2004-20220812-en
General
- Target: AnyDesk.msi
- Size: 5.2MB
- MD5: 8b5c001d696ec2cd730280496a311895
- SHA1: a1ad08a895037a8fc8a5fa7fda7bfba9894a9eac
- SHA256: e9d32103b6e9ab8fed7f6824525026119a5c5e9674522bdf0ebca8f242af10b1
- SHA512: 1901f730d02d23fdc81ff7bda7d9a7d4deb37596cce076bb1555a391419f2520577fe8872cb5795f2ff64eede2d6e9bf72f4840696001a2f25acc5e8ddca86db
- SSDEEP: 98304:dYGKdAHTgvVVqPvZpgvXM/N3qZBO0cY2YPGvhP0JGom:R8VqPvZ6v6NH0l7PXm
Malware Config
Signatures
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes: Meeldar.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | Meeldar.exe
-
Blocklisted process makes network request 1 IoCs
Processes: powershell.exe
  flow | pid | process
  67 | 4944 | powershell.exe
-
Executes dropped EXE 4 IoCs
Processes: Meeldar.exe, setup.exe, setup.exe, setup.exe
  pid | process
  4348 | Meeldar.exe
  4588 | setup.exe
  1840 | setup.exe
  4532 | setup.exe
-
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: Meeldar.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | Meeldar.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | Meeldar.exe
-
Loads dropped DLL 8 IoCs
Processes: MsiExec.exe, Meeldar.exe
  pid | process
  1300 | MsiExec.exe
  1300 | MsiExec.exe
  1300 | MsiExec.exe
  1300 | MsiExec.exe
  1300 | MsiExec.exe
  4348 | Meeldar.exe
  4348 | Meeldar.exe
  4348 | Meeldar.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: Meeldar.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run | Meeldar.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\aepBuiqa = "C:\\distinção\\digno\\Meeldar.exe" | Meeldar.exe
-
Checks whether UAC is enabled
Processes: Meeldar.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | Meeldar.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
  description | ioc | process
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\T: | msiexec.exe
  File opened (read-only) | \??\Y: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\E: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\J: | msiexec.exe
  File opened (read-only) | \??\L: | msiexec.exe
  File opened (read-only) | \??\N: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\G: | msiexec.exe
  File opened (read-only) | \??\H: | msiexec.exe
  File opened (read-only) | \??\I: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\Q: | msiexec.exe
  File opened (read-only) | \??\B: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\K: | msiexec.exe
  File opened (read-only) | \??\O: | msiexec.exe
  File opened (read-only) | \??\F: | msiexec.exe
  File opened (read-only) | \??\M: | msiexec.exe
  File opened (read-only) | \??\P: | msiexec.exe
  File opened (read-only) | \??\U: | msiexec.exe
  File opened (read-only) | \??\V: | msiexec.exe
  File opened (read-only) | \??\Z: | msiexec.exe
  File opened (read-only) | \??\A: | msiexec.exe
  File opened (read-only) | \??\W: | msiexec.exe
  File opened (read-only) | \??\X: | msiexec.exe
  File opened (read-only) | \??\R: | msiexec.exe
  File opened (read-only) | \??\S: | msiexec.exe
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes: Meeldar.exe
  pid | process
  4348 | Meeldar.exe
-
Drops file in Windows directory 13 IoCs
Processes: msiexec.exe
  description | ioc | process
  File opened for modification | C:\Windows\Installer\MSIEBBD.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEC3B.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEC4C.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\ | msiexec.exe
  File created | C:\Windows\Installer\SourceHash{50A59221-7EDA-48AC-99A0-16EE80AB2E92} | msiexec.exe
  File created | C:\Windows\Installer\e56e8c2.msi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEEA0.tmp | msiexec.exe
  File created | C:\Windows\Installer\e56e8bf.msi | msiexec.exe
  File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIE91C.tmp | msiexec.exe
  File created | C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
  File opened for modification | C:\Windows\Installer\MSIEDD4.tmp | msiexec.exe
  File opened for modification | C:\Windows\Installer\e56e8bf.msi | msiexec.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
  Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000789d96067ff55f5b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000789d96060000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900789d9606000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000789d960600000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
  Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
-
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
Processes: setup.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | setup.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | setup.exe
-
Modifies Internet Explorer settings
Processes: iexplore.exe, IEXPLORE.EXE
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005746d5c62869db4bb573e7121d5837190000000002000000000010660000000100002000000052e9592d7e31c14eb082bcec59f8a611ead71890c0e5201c67ea7b309ca3a2d0000000000e80000000020000200000009278cb1055795ee6ccfaa07eaf251027d66e28ce6ed1f55c954e2920c69657e620000000e200c9654a918a6d2f5a1cc267e59af2720e6f2b102fdbcdd78887d0a814286a40000000df875fe18d8ef5e7b47921cbf519fd282a4dbd07e2f8eeb83930e7e1a5ad140fe987880cabe554548fb5528567d3bdfc68a60e78bed86312b8d7cff3299c0025 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31008018" | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\IESettingSync | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | IEXPLORE.EXE
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31008018" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 204852bf1225d901 | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005746d5c62869db4bb573e7121d583719000000000200000000001066000000010000200000003a7e0fc71e17c027cd856024a18a1419ed179ac82b857f9f7303cbf2a3236fc3000000000e8000000002000020000000985b73a0831105e6b3b198eaeb7d46d57f5e13d0233bceb4c4679671004af8b1200000002713feac8dea3476f917a67554df7e07eef82ea0bd6f5648634d7eaded48bcaa400000005d85d013cd4f9e57ce5523b0cbbf0ed9792b9e5ef0264e95d587f3e7994243633492f300f55b509e39dd0ef8db50e477368fc2cedca29a942ea6654287f5e74b | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 207b0bbf1225d901 | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{E5AA1176-9105-11ED-B696-F639923F7CA1} = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "3125204907" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3125204907" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31008018" | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "3172083760" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
-
Modifies data under HKEY_USERS 3 IoCs
Processes: msiexec.exe
  description | ioc | process
  Key deleted | \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E | msiexec.exe
  Key deleted | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e | msiexec.exe
  Key created | \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f | msiexec.exe
-
Modifies registry class 23 IoCs
Processes: msiexec.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList\Media\1 = ";" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12295A05ADE7CA84990A61EE08BAE229\MainFeature | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\PackageCode = "105C82585A7BDA148991FD2FEB5DCB00" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\Version = "16777216" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\Assignment = "1" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\InstanceType = "0" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList\PackageName = "AnyDesk.msi" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList\Media | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\12295A05ADE7CA84990A61EE08BAE229 | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\AdvertiseFlags = "388" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList\Net | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList\Media\DiskPrompt = "[1]" | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229 | msiexec.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51 | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\ProductName = "AnyDesk" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\Language = "1046" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\AuthorizedLUAApp = "0" | msiexec.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\DeploymentFlags = "3" | msiexec.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51\12295A05ADE7CA84990A61EE08BAE229 | msiexec.exe
  Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\12295A05ADE7CA84990A61EE08BAE229\Clients = 3a0000000000 | msiexec.exe
-
Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.
Processes:
  description | flow | ioc
  HTTP User-Agent header | 98 | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
-
Suspicious behavior: EnumeratesProcesses 56 IoCs
Processes: msiexec.exe, powershell.exe, Meeldar.exe, setup.exe
  pid | process
  1468 | msiexec.exe
  1468 | msiexec.exe
  4944 | powershell.exe
  4944 | powershell.exe
  4348 | Meeldar.exe
  4348 | Meeldar.exe
  4348 | Meeldar.exe
  4348 | Meeldar.exe
  4348 | Meeldar.exe
  4348 | Meeldar.exe
  1840 | setup.exe
  1840 | setup.exe
  4348 | Meeldar.exe (the remaining 44 entries are all this pid and process)
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: msiexec.exe, msiexec.exe, vssvc.exe
  description | pid | process
  Token: SeShutdownPrivilege | 4624 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4624 | msiexec.exe
  Token: SeSecurityPrivilege | 1468 | msiexec.exe
  Token: SeCreateTokenPrivilege | 4624 | msiexec.exe
  Token: SeAssignPrimaryTokenPrivilege | 4624 | msiexec.exe
  Token: SeLockMemoryPrivilege | 4624 | msiexec.exe
  Token: SeIncreaseQuotaPrivilege | 4624 | msiexec.exe
  Token: SeMachineAccountPrivilege | 4624 | msiexec.exe
  Token: SeTcbPrivilege | 4624 | msiexec.exe
  Token: SeSecurityPrivilege | 4624 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 4624 | msiexec.exe
  Token: SeLoadDriverPrivilege | 4624 | msiexec.exe
  Token: SeSystemProfilePrivilege | 4624 | msiexec.exe
  Token: SeSystemtimePrivilege | 4624 | msiexec.exe
  Token: SeProfSingleProcessPrivilege | 4624 | msiexec.exe
  Token: SeIncBasePriorityPrivilege | 4624 | msiexec.exe
  Token: SeCreatePagefilePrivilege | 4624 | msiexec.exe
  Token: SeCreatePermanentPrivilege | 4624 | msiexec.exe
  Token: SeBackupPrivilege | 4624 | msiexec.exe
  Token: SeRestorePrivilege | 4624 | msiexec.exe
  Token: SeShutdownPrivilege | 4624 | msiexec.exe
  Token: SeDebugPrivilege | 4624 | msiexec.exe
  Token: SeAuditPrivilege | 4624 | msiexec.exe
  Token: SeSystemEnvironmentPrivilege | 4624 | msiexec.exe
  Token: SeChangeNotifyPrivilege | 4624 | msiexec.exe
  Token: SeRemoteShutdownPrivilege | 4624 | msiexec.exe
  Token: SeUndockPrivilege | 4624 | msiexec.exe
  Token: SeSyncAgentPrivilege | 4624 | msiexec.exe
  Token: SeEnableDelegationPrivilege | 4624 | msiexec.exe
  Token: SeManageVolumePrivilege | 4624 | msiexec.exe
  Token: SeImpersonatePrivilege | 4624 | msiexec.exe
  Token: SeCreateGlobalPrivilege | 4624 | msiexec.exe
  Token: SeBackupPrivilege | 3476 | vssvc.exe
  Token: SeRestorePrivilege | 3476 | vssvc.exe
  Token: SeAuditPrivilege | 3476 | vssvc.exe
  Token: SeBackupPrivilege | 1468 | msiexec.exe
  Token: SeRestorePrivilege | 1468 | msiexec.exe
  Token: SeRestorePrivilege | 1468 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1468 | msiexec.exe
  Token: SeRestorePrivilege | 1468 | msiexec.exe
  Token: SeTakeOwnershipPrivilege | 1468 | msiexec.exe
  Token: SeRestorePrivilege | 1468 | msiexec.exe
  (followed by 11 further pairs of Token: SeTakeOwnershipPrivilege then Token: SeRestorePrivilege, all for 1468 msiexec.exe, giving 64 entries in total)
-
Suspicious use of FindShellTrayWindow 10 IoCs
Processes: msiexec.exe, powershell.exe, iexplore.exe, setup.exe
  pid | process
  4624 | msiexec.exe
  4944 | powershell.exe
  4944 | powershell.exe
  4944 | powershell.exe
  4944 | powershell.exe
  1416 | iexplore.exe
  4624 | msiexec.exe
  4532 | setup.exe
  4532 | setup.exe
  4532 | setup.exe
-
Suspicious use of SendNotifyMessage 3 IoCs
Processes: setup.exe
  pid | process
  4532 | setup.exe
  4532 | setup.exe
  4532 | setup.exe
-
Suspicious use of SetWindowsHookEx 6 IoCs
Processes: iexplore.exe, IEXPLORE.EXE, Meeldar.exe
  pid | process
  1416 | iexplore.exe
  1416 | iexplore.exe
  5012 | IEXPLORE.EXE
  5012 | IEXPLORE.EXE
  4348 | Meeldar.exe
  4348 | Meeldar.exe
-
Suspicious use of WriteProcessMemory 23 IoCs
Processes: msiexec.exe, MsiExec.exe, powershell.exe, iexplore.exe, setup.exe
  description | pid | process | target process
  PID 1468 wrote to memory of 4056 | 1468 | msiexec.exe | srtasks.exe
  PID 1468 wrote to memory of 4056 | 1468 | msiexec.exe | srtasks.exe
  PID 1468 wrote to memory of 1300 | 1468 | msiexec.exe | MsiExec.exe
  PID 1468 wrote to memory of 1300 | 1468 | msiexec.exe | MsiExec.exe
  PID 1468 wrote to memory of 1300 | 1468 | msiexec.exe | MsiExec.exe
  PID 1300 wrote to memory of 4944 | 1300 | MsiExec.exe | powershell.exe
  PID 1300 wrote to memory of 4944 | 1300 | MsiExec.exe | powershell.exe
  PID 1300 wrote to memory of 4944 | 1300 | MsiExec.exe | powershell.exe
  PID 4944 wrote to memory of 4348 | 4944 | powershell.exe | Meeldar.exe
  PID 4944 wrote to memory of 4348 | 4944 | powershell.exe | Meeldar.exe
  PID 4944 wrote to memory of 4348 | 4944 | powershell.exe | Meeldar.exe
  PID 1416 wrote to memory of 5012 | 1416 | iexplore.exe | IEXPLORE.EXE
  PID 1416 wrote to memory of 5012 | 1416 | iexplore.exe | IEXPLORE.EXE
  PID 1416 wrote to memory of 5012 | 1416 | iexplore.exe | IEXPLORE.EXE
  PID 4944 wrote to memory of 4588 | 4944 | powershell.exe | setup.exe
  PID 4944 wrote to memory of 4588 | 4944 | powershell.exe | setup.exe
  PID 4944 wrote to memory of 4588 | 4944 | powershell.exe | setup.exe
  PID 4588 wrote to memory of 1840 | 4588 | setup.exe | setup.exe
  PID 4588 wrote to memory of 1840 | 4588 | setup.exe | setup.exe
  PID 4588 wrote to memory of 1840 | 4588 | setup.exe | setup.exe
  PID 4588 wrote to memory of 4532 | 4588 | setup.exe | setup.exe
  PID 4588 wrote to memory of 4532 | 4588 | setup.exe | setup.exe
  PID 4588 wrote to memory of 4532 | 4588 | setup.exe | setup.exe
Processes
- C:\Windows\system32\msiexec.exe
  command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi
  signatures:
    - Enumerates connected drives
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
- C:\Windows\system32\msiexec.exe
  command line: C:\Windows\system32\msiexec.exe /V
  signatures:
    - Enumerates connected drives
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
  children:
    - C:\Windows\system32\srtasks.exe
      command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    - C:\Windows\syswow64\MsiExec.exe
      command line: C:\Windows\syswow64\MsiExec.exe -Embedding 2098D2EA69ACB3402D16EBA5068DEF88
      signatures:
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
      children:
        - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          command line: -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssEEDC.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiEECA.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrEEDA.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrEEDB.txt" -propSep " :<->: " -testPrefix "_testValue."
          signatures:
            - Blocklisted process makes network request
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of WriteProcessMemory
          children:
            - C:\distinção\digno\Meeldar.exe
              command line: "C:\distinção\digno\Meeldar.exe"
              signatures:
                - Identifies VirtualBox via ACPI registry values (likely anti-VM)
                - Executes dropped EXE
                - Checks BIOS information in registry
                - Loads dropped DLL
                - Adds Run key to start application
                - Checks whether UAC is enabled
                - Suspicious use of NtSetInformationThreadHideFromDebugger
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious use of SetWindowsHookEx
            - C:\Users\Public\Documents\AnyDesk\setup.exe
              command line: "C:\Users\Public\Documents\AnyDesk\setup.exe"
              signatures:
                - Executes dropped EXE
                - Checks processor information in registry
                - Suspicious use of WriteProcessMemory
              children:
                - C:\Users\Public\Documents\AnyDesk\setup.exe
                  command line: "C:\Users\Public\Documents\AnyDesk\setup.exe" --local-service
                  signatures:
                    - Executes dropped EXE
                    - Suspicious behavior: EnumeratesProcesses
                - C:\Users\Public\Documents\AnyDesk\setup.exe
                  command line: "C:\Users\Public\Documents\AnyDesk\setup.exe" --local-control
                  signatures:
                    - Executes dropped EXE
                    - Suspicious use of FindShellTrayWindow
                    - Suspicious use of SendNotifyMessage
- C:\Windows\system32\vssvc.exe
  command line: C:\Windows\system32\vssvc.exe
  signatures:
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Internet Explorer\ielowutil.exe
  command line: "C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
- C:\Program Files\Internet Explorer\iexplore.exe
  command line: "C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
  signatures:
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
  children:
    - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1416 CREDAT:17410 /prefetch:2
      signatures:
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 471B
MD5: 2edb0497a0b1af9ce4fd1678e28d33ca
SHA1: a187a6aa5d6a6adaf84d883d45393d3467a969a1
SHA256: ef88897d83afa3568fd2b4d8e4c3dbebf153081b157b16074a8ed0737411e5bb
SHA512: fb929af42c1a5438a5008b67953230b3864875af25529f12bce1c4f7c4ce467e66a35ff18be15f1a0db9c81ab5f2dc6f45cc0a0b7d9199c4e9c1274557256d31
-
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776
Filesize: 404B
MD5: b69cf33525790a3d5308d53266938ed4
SHA1: b2b43ae1e6fbbf85288a9c69b22ae62be851aff0
SHA256: dabef13fb5e6df9f0bec4be36279e7bc9db2947a3cf5973025dc7dc4e292c5ee
SHA512: 23941ef5e3aff3373345f1864a23d554c6b67b0c44a063a931ace829c506d245529f50e6bacf6adc44ed407fe687690f020099347b13cc8cc35cc8c5c5eec79c
-
C:\Users\Admin\AppData\Local\Temp\pssEEDC.ps1
Filesize: 5KB
MD5: fc1bb6c87fd1f08b534e52546561c53c
SHA1: db402c5c1025cf8d3e79df7b868fd186243aa9d1
SHA256: a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b
SHA512: 5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86
-
C:\Users\Admin\AppData\Local\Temp\scrEEDA.ps1
Filesize: 17KB
MD5: c67846c507bf7950e4bc2d266f91471d
SHA1: c4ebed1f716a6a3747dd04988b3349c4860fc0e2
SHA256: 5c8fa4f1456d769f17a2688048a11683f94f3199d30dcb51f35cdf4949f0cae8
SHA512: 463d0d4dd1faddf278981c913d07764cdd0c4d7c645a2d38234e3468986625f6a3e3367d44503be71b032562bb0154c5a546d0dde6e4f00db09ceb43a2f769ae
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize: 8KB
MD5: 64fcc2149aaa9565098c1b0e1232d0b4
SHA1: 33393668ea5570c07a4b15a095977fcd67f3cba1
SHA256: 73a224cce7ee13c30c68e3980fda6530415bdd1b5b590e914b1f5d62394dc58b
SHA512: 0a62d6eab587c62ce47f86dcbd6d6118718e70daac73438a3f1dc800cb56d42ef7f37a157911634cfb34f4428a080466709de178a036ae5fbe5fb93df3451ba1
-
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize: 19KB
MD5: 12e1fefc2846f8f720c4f6add5b98fd0
SHA1: 26af1ac551ae554b93ee5c30c3020bfe7126ecb4
SHA256: 912869e8482d6ad59e7fbf379e1c920b9a4b7773940df1ccc94ec3d7cfb9eb0d
SHA512: b12bc3c8d1d66e43213ab7392f0cb0daedec3ec5ef6925ed9d3aa211414316cd8283161e55b08be6d2787e2d1fea0d7acc2023b5282c51ef1a9278571a1770d1
-
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize: 2KB
MD5: 10dcf00078835676daa626e593b6431b
SHA1: 8d870311ada43c2f07792d26574c8210b37164bb
SHA256: eb7346e48d5df0f4b23fa438ba1476b3b03b2e5b6faf6e4613c72fa91a291fe8
SHA512: 8e9d62a5754914a4bc1cb91f77442cb842eb8c2f276061a2b1d8acff48891bdf25695ae73352a11b7ca27bdc4a71398d3158d982b3e8a8befff2d1bb68d042d0
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: 8d66f46d4a719755f59a993aa6280a2d
SHA1: 87a9c17abfd6c462f16580d6cfece041b4b8b76b
SHA256: ead12b7fdd69717cebb4ca17f98ef79189b342fa34dee2678dee2a1ac3c02bbf
SHA512: 4d7639f6ed73f53a3dd29703319dabc35fb860359b0c9ec2a937f8c98d8a6f8a5390a98bd6d273b4adebe4e946e060caffefaeb2dffb99197670de4602d1d179
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: 8d66f46d4a719755f59a993aa6280a2d
SHA1: 87a9c17abfd6c462f16580d6cfece041b4b8b76b
SHA256: ead12b7fdd69717cebb4ca17f98ef79189b342fa34dee2678dee2a1ac3c02bbf
SHA512: 4d7639f6ed73f53a3dd29703319dabc35fb860359b0c9ec2a937f8c98d8a6f8a5390a98bd6d273b4adebe4e946e060caffefaeb2dffb99197670de4602d1d179
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: ae90ab12205c5b2f39fe3c3cc4302689
SHA1: 57ccfff56044f3c69cfcf89b2b423273fd17098f
SHA256: 31a090d15f2fbd8ac50d68bd398d53a2ef6de81d609e84b9605e02499c3c5f6d
SHA512: 627f5976e5a40c60df2ef7b5f8d1cb5578fc19395c4d087990dbe9a9f558a59618089c3f28c31a70cebad688b377886d4974712449659aef2b08ef3088d50bc5
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: 8d66f46d4a719755f59a993aa6280a2d
SHA1: 87a9c17abfd6c462f16580d6cfece041b4b8b76b
SHA256: ead12b7fdd69717cebb4ca17f98ef79189b342fa34dee2678dee2a1ac3c02bbf
SHA512: 4d7639f6ed73f53a3dd29703319dabc35fb860359b0c9ec2a937f8c98d8a6f8a5390a98bd6d273b4adebe4e946e060caffefaeb2dffb99197670de4602d1d179
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: 8d66f46d4a719755f59a993aa6280a2d
SHA1: 87a9c17abfd6c462f16580d6cfece041b4b8b76b
SHA256: ead12b7fdd69717cebb4ca17f98ef79189b342fa34dee2678dee2a1ac3c02bbf
SHA512: 4d7639f6ed73f53a3dd29703319dabc35fb860359b0c9ec2a937f8c98d8a6f8a5390a98bd6d273b4adebe4e946e060caffefaeb2dffb99197670de4602d1d179
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: ae90ab12205c5b2f39fe3c3cc4302689
SHA1: 57ccfff56044f3c69cfcf89b2b423273fd17098f
SHA256: 31a090d15f2fbd8ac50d68bd398d53a2ef6de81d609e84b9605e02499c3c5f6d
SHA512: 627f5976e5a40c60df2ef7b5f8d1cb5578fc19395c4d087990dbe9a9f558a59618089c3f28c31a70cebad688b377886d4974712449659aef2b08ef3088d50bc5
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: 8d66f46d4a719755f59a993aa6280a2d
SHA1: 87a9c17abfd6c462f16580d6cfece041b4b8b76b
SHA256: ead12b7fdd69717cebb4ca17f98ef79189b342fa34dee2678dee2a1ac3c02bbf
SHA512: 4d7639f6ed73f53a3dd29703319dabc35fb860359b0c9ec2a937f8c98d8a6f8a5390a98bd6d273b4adebe4e946e060caffefaeb2dffb99197670de4602d1d179
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: 8d66f46d4a719755f59a993aa6280a2d
SHA1: 87a9c17abfd6c462f16580d6cfece041b4b8b76b
SHA256: ead12b7fdd69717cebb4ca17f98ef79189b342fa34dee2678dee2a1ac3c02bbf
SHA512: 4d7639f6ed73f53a3dd29703319dabc35fb860359b0c9ec2a937f8c98d8a6f8a5390a98bd6d273b4adebe4e946e060caffefaeb2dffb99197670de4602d1d179
-
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize: 424B
MD5: ae90ab12205c5b2f39fe3c3cc4302689
SHA157ccfff56044f3c69cfcf89b2b423273fd17098f
SHA25631a090d15f2fbd8ac50d68bd398d53a2ef6de81d609e84b9605e02499c3c5f6d
SHA512627f5976e5a40c60df2ef7b5f8d1cb5578fc19395c4d087990dbe9a9f558a59618089c3f28c31a70cebad688b377886d4974712449659aef2b08ef3088d50bc5
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD5e7b6153547e5492c2d515806eaf5e0b9
SHA1a75b762377d4c4c880b1254dae932dbc4dca9e4c
SHA25609a4d88dd154e918ce85b552fa2894761eb644a04fe27fa0d4c3a67c8a297a04
SHA512e89844aa8c4070a8061df6e3226614b26a4e0a2780a61722d3a0c73de38d37823dfd14010f41dc775e4cc5948ebdfde94ed9b43fd454e8f3f7bdda5c8121a0ec
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD5c770316bdbd253df5bc0cc41371cd92f
SHA1c68b84ba640debd9907e81d671b1687ee73294d8
SHA2563aaee52083f4a3d8efc5b9f2830fda3f92e9ca6d31c6de21a56fe96b579bd5e1
SHA512f66e0204d3970ccbbb9176c06697892bbc6fc0cdcb8a519355d3a95df75a102b86f335578e8dd7b2bfd1f895759d795fef65262dd98df5945427021f1b649af1
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD5c770316bdbd253df5bc0cc41371cd92f
SHA1c68b84ba640debd9907e81d671b1687ee73294d8
SHA2563aaee52083f4a3d8efc5b9f2830fda3f92e9ca6d31c6de21a56fe96b579bd5e1
SHA512f66e0204d3970ccbbb9176c06697892bbc6fc0cdcb8a519355d3a95df75a102b86f335578e8dd7b2bfd1f895759d795fef65262dd98df5945427021f1b649af1
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD5c770316bdbd253df5bc0cc41371cd92f
SHA1c68b84ba640debd9907e81d671b1687ee73294d8
SHA2563aaee52083f4a3d8efc5b9f2830fda3f92e9ca6d31c6de21a56fe96b579bd5e1
SHA512f66e0204d3970ccbbb9176c06697892bbc6fc0cdcb8a519355d3a95df75a102b86f335578e8dd7b2bfd1f895759d795fef65262dd98df5945427021f1b649af1
-
C:\Users\Admin\AppData\Roaming\AnyDesk\user.confFilesize
1KB
MD5da6f75f1a7e1f3297a5fda2b11e4e4f0
SHA113edc9315046500d248346d3b3fc64450592bac4
SHA25635f9e74c6b9e59a9aaf64bbcdd69c812b00309a447cac79f71a644a487d6bba0
SHA5129ab071879452b16bdf9026241eb293c4f3dd77bfa54a7648c293ae084eba1bd88f9da2fdb51aedb18e7a51f09e6dcf33b2d9e19908ad929059d8c1b50efb598c
-
C:\Users\Public\Documents\AnyDesk\setup.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Users\Public\Documents\AnyDesk\setup.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Users\Public\Documents\AnyDesk\setup.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Users\Public\Documents\AnyDesk\setup.exeFilesize
3.8MB
MD59a1d9fe9b1223273c314632d04008384
SHA1665cad3ed21f6443d1adacf18ca45dfaa8f52c99
SHA2560f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359
SHA5123ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5
-
C:\Windows\Installer\MSIE91C.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIE91C.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIEBBD.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIEBBD.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIEC3B.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIEC3B.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIEC4C.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIEC4C.tmpFilesize
436KB
MD5475d20c0ea477a35660e3f67ecf0a1df
SHA167340739f51e1134ae8f0ffc5ae9dd710e8e3a08
SHA256426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd
SHA51299525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e
-
C:\Windows\Installer\MSIEEA0.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
C:\Windows\Installer\MSIEEA0.tmpFilesize
574KB
MD57b7d9e2c9b8236e7155f2f97254cb40e
SHA199621fc9d14511428d62d91c31865fb2c4625663
SHA256df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897
SHA512fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228
-
C:\distinção\digno\ChromeDls21Filesize
89.4MB
MD5ef1039686e87be5876127bb3314e50d0
SHA152be5de059641f633e419db3e2bb3c08c730907a
SHA2566702962396a7c681a515f0887c254101da122cc9ee943e6fc1952608c46745bf
SHA5120c3e90a4dd52e5ee0bd0c8a2a1cb5653adc103a3674306cb69a53c6500601163f1e2e4fa44dea0ad3211da6249c320399c2e4813a291a7fe227a252b5508af36
-
C:\distinção\digno\LIBEAY32.DLLFilesize
3.5MB
MD54abfe433e39932ba3642a87f7b75f5ff
SHA1c13f41ccfbd4b115108ff288d1d2e89ee8c5f88d
SHA256a50ef797044e0d975916290a7c284eb41e7a8fd5122fcfebcc2fb18e247342a2
SHA51262945f7b7c2db8f3543523a60a2eccdc164322581335b14ffb1fbb2ff0977fa27cd5d9b64685d38aad7d2a080cfbf3d48804c25fbf8e35b03a25a1c5db9c57c6
-
C:\distinção\digno\Meeldar.exeFilesize
15.1MB
MD5a88098f4d2d7866410b428572a3c113e
SHA1a8b6f921b2c0b08b1d5f0766e9d03c4932bd0155
SHA2561c04e379b31b6edd40354af97aeb9046863ae15e3ddac18022836f15db07f421
SHA512c07beeffd780d8d91e79e73997f163fc571ad30e8e7b1e5247f6ada4437621e794b3fc0301061fda7589b1a97ea885b95111e3dbf67f6b2a5aeea84f63d81ff5
-
C:\distinção\digno\Meeldar.exeFilesize
15.1MB
MD5a88098f4d2d7866410b428572a3c113e
SHA1a8b6f921b2c0b08b1d5f0766e9d03c4932bd0155
SHA2561c04e379b31b6edd40354af97aeb9046863ae15e3ddac18022836f15db07f421
SHA512c07beeffd780d8d91e79e73997f163fc571ad30e8e7b1e5247f6ada4437621e794b3fc0301061fda7589b1a97ea885b95111e3dbf67f6b2a5aeea84f63d81ff5
-
C:\distinção\digno\PROFILE.DLLFilesize
241KB
MD524aae6bcc99f29b0b4e1db6ea1e8e902
SHA1ef6eb3f8fea180b36252fd85d8ab0d6842d0f32d
SHA256199498a70290ba14947f8fbde13840499f07e63d9b3b79ced03928fca9c009b9
SHA51251f3ccefcf0f562c502fbf789f40e21b4ecd99599fd857841938f7e2d6529f2640360f0e7947441b2aed7e611905b03fe9cac246a874d54bf545acdfa4ce24d8
-
C:\distinção\digno\libeay32.dllFilesize
3.5MB
MD54abfe433e39932ba3642a87f7b75f5ff
SHA1c13f41ccfbd4b115108ff288d1d2e89ee8c5f88d
SHA256a50ef797044e0d975916290a7c284eb41e7a8fd5122fcfebcc2fb18e247342a2
SHA51262945f7b7c2db8f3543523a60a2eccdc164322581335b14ffb1fbb2ff0977fa27cd5d9b64685d38aad7d2a080cfbf3d48804c25fbf8e35b03a25a1c5db9c57c6
-
C:\distinção\digno\libeay32.dllFilesize
3.5MB
MD54abfe433e39932ba3642a87f7b75f5ff
SHA1c13f41ccfbd4b115108ff288d1d2e89ee8c5f88d
SHA256a50ef797044e0d975916290a7c284eb41e7a8fd5122fcfebcc2fb18e247342a2
SHA51262945f7b7c2db8f3543523a60a2eccdc164322581335b14ffb1fbb2ff0977fa27cd5d9b64685d38aad7d2a080cfbf3d48804c25fbf8e35b03a25a1c5db9c57c6
-
C:\distinção\digno\profile.dllFilesize
241KB
MD524aae6bcc99f29b0b4e1db6ea1e8e902
SHA1ef6eb3f8fea180b36252fd85d8ab0d6842d0f32d
SHA256199498a70290ba14947f8fbde13840499f07e63d9b3b79ced03928fca9c009b9
SHA51251f3ccefcf0f562c502fbf789f40e21b4ecd99599fd857841938f7e2d6529f2640360f0e7947441b2aed7e611905b03fe9cac246a874d54bf545acdfa4ce24d8
-
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2Filesize
23.0MB
MD584f415524d05868d94cc123ca1b0f336
SHA1fbe7722b3bfcc9e8a3c2f401c45c636c7b4746b8
SHA2564e380db5dd58b794c403f1f4d413f6f5c45c994a97fc656b12e6f12504dcfa3c
SHA5125707ee45000f9935a58d3b7593aaf1333b3f050c5bd5e83804d4d24cfdd53cc26d579da2dd20441133eae079f7078560b32480f4cb1f7bc075449c8120180e02
-
\??\Volume{06969d78-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{c5837086-cb5d-4c7d-95fb-2e45137886d5}_OnDiskSnapshotPropFilesize
5KB
MD5325c0446ca8b109eb3777f9b3031b7b9
SHA1caaff9781cc2bec797f1a91d65b25c757c00337a
SHA2560d5c9531b9a46a71e1579147855e4e192d9dcf34f73df890a34c6d3f3d00c97c
SHA5120b37c5b327f43a0d0da0881175c55451b686eb05f4b2e91a46fd8f8f0cc0aab474d567ebeccfd190df33510fb130df5a5487aca89017bc1b139704fdcd24dbb6
-
memory/1300-133-0x0000000000000000-mapping.dmp
-
memory/1840-210-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/1840-190-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/1840-185-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/1840-180-0x0000000000000000-mapping.dmp
-
memory/4056-132-0x0000000000000000-mapping.dmp
-
memory/4348-171-0x00000000018E0000-0x00000000023A5000-memory.dmpFilesize
10.8MB
-
memory/4348-170-0x0000000077780000-0x0000000077923000-memory.dmpFilesize
1.6MB
-
memory/4348-202-0x0000000077780000-0x0000000077923000-memory.dmpFilesize
1.6MB
-
memory/4348-206-0x0000000009E10000-0x000000000F787000-memory.dmpFilesize
89.5MB
-
memory/4348-179-0x0000000009E10000-0x000000000F787000-memory.dmpFilesize
89.5MB
-
memory/4348-160-0x0000000000000000-mapping.dmp
-
memory/4348-168-0x00000000018E0000-0x00000000023A5000-memory.dmpFilesize
10.8MB
-
memory/4348-169-0x00000000018E0000-0x00000000023A5000-memory.dmpFilesize
10.8MB
-
memory/4348-172-0x00000000018E0000-0x00000000023A5000-memory.dmpFilesize
10.8MB
-
memory/4532-211-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/4532-193-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/4532-182-0x0000000000000000-mapping.dmp
-
memory/4532-187-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/4588-175-0x0000000000000000-mapping.dmp
-
memory/4588-177-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/4588-207-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/4588-183-0x0000000000F90000-0x0000000001FE9000-memory.dmpFilesize
16.3MB
-
memory/4944-154-0x0000000007870000-0x0000000007906000-memory.dmpFilesize
600KB
-
memory/4944-152-0x0000000007FD0000-0x000000000864A000-memory.dmpFilesize
6.5MB
-
memory/4944-150-0x0000000006870000-0x000000000688E000-memory.dmpFilesize
120KB
-
memory/4944-153-0x0000000006DC0000-0x0000000006DDA000-memory.dmpFilesize
104KB
-
memory/4944-155-0x0000000006E70000-0x0000000006E92000-memory.dmpFilesize
136KB
-
memory/4944-149-0x0000000006200000-0x0000000006266000-memory.dmpFilesize
408KB
-
memory/4944-148-0x0000000006190000-0x00000000061F6000-memory.dmpFilesize
408KB
-
memory/4944-147-0x00000000059D0000-0x00000000059F2000-memory.dmpFilesize
136KB
-
memory/4944-156-0x0000000008650000-0x0000000008BF4000-memory.dmpFilesize
5.6MB
-
memory/4944-146-0x0000000005A30000-0x0000000006058000-memory.dmpFilesize
6.2MB
-
memory/4944-145-0x00000000032E0000-0x0000000003316000-memory.dmpFilesize
216KB
-
memory/4944-144-0x0000000000000000-mapping.dmp