fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Resubmissions

05-02-2023 19:45

230205-ygsl7sea5t 10

05-02-2023 19:32

230205-x8yf4aae86 10

Analysis

max time kernel
355s
max time network
359s
platform
windows10-1703_x64
resource
win10-20220901-es
resource tags

arch:x64arch:x86image:win10-20220901-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
05-02-2023 19:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

10^/10

ransomware

Malware Config

Extracted

Path

C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\CREDITS.txt

Ransom Note

2-dim General Purpose FFT (Fast Fourier/Cosine/Sine Transform) Package http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html === Copyright(C) 1997,2001 Takuya OOURA (email: [email protected]). You may use, copy, modify this code for any purpose and without fee. You may distribute this ORIGINAL package. @puppeteer/replay https://github.com/puppeteer/replay === Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have made, use, offer to sell, sell, import, and otherwise transfer the Work, where such license applies only to those patent claims licensable by such Contributor that are necessarily infringed by their Contribution(s) alone or by combination of their Contribution(s) with the Work to which such Contribution(s) was submitted. If You institute patent litigation against any entity (including a cross-claim or counterclaim in a lawsuit) alleging that the Work or a Contribution incorporated within the Work constitutes direct or contributory patent infringement, then any patent licenses granted to You under this License for that Work shall terminate as of the date such litigation is filed. 4. Redistribution. You may reproduce and distribute copies of the Work or Derivative Works thereof in any medium, with or without modifications, and in Source or Object form, provided that You meet the following conditions: (a) You must give any other recipients of the Work or Derivative Works a copy of this License; and (b) You must cause any modified files to carry prominent notices stating that You changed the files; and (c) You must retain, in the Source form of any Derivative Works that You distribute, all copyright, patent, trademark, and attribution notices from the Source form of the Work, excluding those notices that do not pertain to any part of the Derivative Works; and (d) If the Work includes a "NOTICE" text file as part of its distribution, then any Derivative Works that You distribute must include a readable copy of the attribution notices contained within such NOTICE file, excluding those notices that do not pertain to any part of the Derivative Works, in at least one of the following places: within a NOTICE text file distributed as part of the Derivative Works; within the Source form or documentation, if provided along with the Derivative Works; or, within a display generated by the Derivative Works, if and wherever such third-party notices normally appear. The contents of the NOTICE file are for informational purposes only and do not modify the License. You may add Your own attribution notices within Derivative Works that You distribute, alongside or as an addendum to the NOTICE text from the Work, provided that such additional attribution notices cannot be construed as modifying the License. You may add Your own copyright statement to Your modifications and may provide additional or different license terms and conditions for use, reproduction, or distribution of Your modifications, or for any such Derivative Works as a whole, provided Your use, reproduction, and distribution of the Work otherwise complies with the conditions stated in this License. 5. Submission of Contributions. Unless You explicitly state otherwise, any Contribution intentionally submitted for inclusion in the Work by You to the Licensor shall be under the terms and conditions of this License, without any additional terms or conditions. Notwithstanding the above, nothing herein shall supersede or modify the terms of any separate license agreement you may have executed with Licensor regarding such Contributions. 6. Trademarks. This License does not grant permission to use the trade names, trademarks, service marks, or product names of the Licensor, except as required for reasonable and customary use in describing the origin of the Work and reproducing the content of the NOTICE file. 7. Disclaimer of Warranty. Unless required by applicable law or agreed to in writing, Licensor provides the Work (and each Contributor provides its Contributions) on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied, including, without limitation, any warranties or conditions of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A PARTICULAR PURPOSE. You are solely responsible for determining the appropriateness of using or redistributing the Work and assume any risks associated with Your exercise of permissions under this License. 8. Limitation of Liability. In no event and under no legal theory, whether in tort (including negligence), contract, or otherwise, unless required by applicable law (such as deliberate and grossly negligent acts) or agreed to in writing, shall any Contributor be liable to You for damages, including any direct, indirect, special, incidental, or consequential damages of any character arising as a result of this License or out of the use or inability to use the Work (including but not limited to damages for loss of goodwill, work stoppage, computer failure or malfunction, or any and all other commercial damages or losses), even if such Contributor has been advised of the possibility of such damages. 9. Accepting Warranty or Additional Liability. While redistributing the Work or Derivative Works thereof, You may choose to offer, and charge a fee for, acceptance of support, warranty, indemnity, or other liability obligations and/or rights consistent with this License. However, in accepting such obligations, You may act only on Your own behalf and on Your sole responsibility, not on behalf of any other Contributor, and only if You agree to indemnify, defend, and hold each Contributor harmless for any liability incurred by, or claims asserted against, such Contributor by reason of your accepting any such warranty or additional liability. END OF TERMS AND CONDITIONS APPENDIX: How to apply the Apache License to your work. To apply the Apache License to your work, attach the following boilerplate notice, with the fields enclosed by brackets "[]" replaced with your own identifying information. (Don't include the brackets!) The text should be enclosed in the appropriate comment syntax for the file format. We also recommend that a file or class name and description of purpose be included on the same "printed page" as the copyright notice for easier identification within third-party archives. Copyright [yyyy] [name of copyright owner] Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License. Abseil https://github.com/abseil/abseil-cpp === Apache License Version 2.0, January 2004 https://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION 1. Definitions. "License" shall mean the terms and conditions for use, reproduction, and distribution as defined by Sections 1 through 9 of this document. "Licensor" shall mean the copyright owner or entity authorized by the copyright owner that is granting the License. "Legal Entity" shall mean the union of the acting entity and all other entities that control, are controlled by, or are under common control with that entity. For the purposes of this definition, "control" means (i) the power, direct or indirect, to cause the direction or management of such entity, whether by contract or otherwise, or (ii) ownership of fifty percent (50%) or more of the outstanding shares, or (iii) beneficial ownership of such entity. "You" (or "Your") shall mean an individual or Legal Entity exercising permissions granted by this License. "Source" form shall mean the preferred form for making modifications, including but not limited to software source code, documentation source, and configuration files. "Object" form shall mean any form resulting from mechanical transformation or translation of a Source form, including but not limited to compiled object code, generated documentation, and conversions to other media types. "Work" shall mean the work of authorship, whether in Source or Object form, made available under the License, as indicated by a copyright notice that is included in or attached to the work (an example is provided in the Appendix below). "Derivative Works" shall mean any work, whether in Source or Object form, that is based on (or derived from) the Work and for which the editorial revisions, annotations, elaborations, or other modifications represent, as a whole, an original work of authorship. For the purposes of this License, Derivative Works shall not include works that remain separable from, or merely link (or bind by name) to the interfaces of, the Work and Derivative Works thereof. "Contribution" shall mean any work of authorship, including the original version of the Work and any modifications or additions to that Work or Derivative Works thereof, that is intentionally submitted to Licensor for inclusion in the Work by the copyright owner or by an individual or Legal Entity authorized to submit on behalf of the copyright owner. For the purposes of this definition, "submitted" means any form of electronic, verbal, or written communication sent to the Licensor or its representatives, including but not limited to communication on electronic mailing lists, source code control systems, and issue tracking systems that are managed by, or on behalf of, the Licensor for the purpose of discussing and improving the Work, but excluding communication that is conspicuously marked or otherwise designated in writing by the copyright owner as "Not a Contribution." "Contributor" shall mean Licensor and any individual or Legal Entity on behalf of whom a Contribution has been received by Licensor and subsequently incorporated within the Work. 2. Grant of Copyright License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare Derivative Works of, publicly display, publicly perform, sublicense, and distribute the Work and such Derivative Works in Source or Object form. 3. Grant of Patent License. Subject to the terms and conditions of this License, each Contributor hereby grants to You a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable (except as stated in this section) patent license to make, have ma

Emails

[email protected]

[email protected])&quot

[email protected]

<[email protected]&gt

[email protected]

<[email protected]&gt

URLs

http://www.kurims.kyoto-u.ac.jp/~ooura/fft.html

https://github.com/puppeteer/replay

http://www.apache.org/licenses/

http://www.apache.org/licenses/LICENSE-2.0

https://github.com/abseil/abseil-cpp

https://www.apache.org/licenses/

https://www.apache.org/licenses/LICENSE-2.0

https://raw.githubusercontent.com/GoogleChrome/accessibility-developer-tools/master/dist/js/axs_testing.js

https://github.com/acornjs/acorn

https://aomedia.googlesource.com/aom/

http://code.google.com/p/angleproject/

http://lcamtuf.coredump.cx/afl/

http://source.android.com

http://developer.android.com/tools/extras/support-library.html

https://developer.android.com/topic/libraries/architecture/index.html

https://android.googlesource.com/platform/frameworks/support

http://developer.android.com/sdk/index.html

https://android.googlesource.com/platform/frameworks/base

http://www.mojohaus.org/animal-sniffer/animal-sniffer-annotations/

https://github.com/google-ar/arcore-android-sdk

Signatures

Blocklisted process makes network request 2 IoCs

Processes:

msiexec.exe

flow	pid	Process
156	3576	msiexec.exe
158	3576	msiexec.exe

Executes dropped EXE 5 IoCs

Processes:

remote_assistance_host.exeremoting_native_messaging_host.exeremote_assistance_host.exeremoting_host.exeremoting_host.exe

pid	Process
68	remote_assistance_host.exe
2544	remoting_native_messaging_host.exe
3380	remote_assistance_host.exe
4504	remoting_host.exe
3852	remoting_host.exe

Loads dropped DLL 11 IoCs

Processes:

MsiExec.exeMsiExec.exeMsiExec.exeremote_assistance_host.exeremoting_native_messaging_host.exeremote_assistance_host.exeremoting_host.exeremoting_host.exe

pid	Process
2888	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
4700	MsiExec.exe
4700	MsiExec.exe
68	remote_assistance_host.exe
2544	remoting_native_messaging_host.exe
3380	remote_assistance_host.exe
4504	remoting_host.exe
3852	remoting_host.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe

Drops file in Program Files directory 19 IoCs

Processes:

msiexec.exeremoting_host.exeremoting_host.exe

description	ioc	Process
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_desktop-firefox.json	msiexec.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\debug.log	remoting_host.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_native_messaging_host.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_assistance.json	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_desktop.json	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\icudtl.dat	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_open_url.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_security_key.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_webauthn.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_desktop.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_start_host.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_webauthn.json	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host_uiaccess.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_core.dll	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_host.exe	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_assistance-firefox.json	msiexec.exe
File created	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\CREDITS.txt	msiexec.exe
File opened for modification	C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\debug.log	remoting_host.exe

Drops file in Windows directory 17 IoCs

Processes:

msiexec.exeMsiExec.exe

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIECED.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{6B14E7C9-210F-41DF-AE42-C42E5A8DDB87}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID26A.tmp	msiexec.exe
File created	C:\Windows\rescache\_merged\3623239459\11870838.pri	MsiExec.exe
File created	C:\Windows\Installer\e59cf10.msi	msiexec.exe
File created	C:\Windows\Installer\e59cf0e.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID7EA.tmp	msiexec.exe
File created	C:\Windows\Installer\wix{6B14E7C9-210F-41DF-AE42-C42E5A8DDB87}.SchedServiceConfig.rmi	MsiExec.exe
File opened for modification	C:\Windows\Installer\MSID24A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIDAC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE366.tmp	msiexec.exe
File created	C:\Windows\Installer\{6B14E7C9-210F-41DF-AE42-C42E5A8DDB87}\chromoting.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\e59cf0e.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\{6B14E7C9-210F-41DF-AE42-C42E5A8DDB87}\chromoting.ico	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

svchost.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0064	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3b2ce006-5e61-4fde-bab8-9b8aac9b26df}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0065	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exefirefox.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe

Modifies data under HKEY_USERS 34 IoCs

Processes:

MsiExec.exemsiexec.exesvchost.exe

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri	MsiExec.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8\LanguageList = 5f0065006e002d00550053003b0065006e005f007300740061006e0064006100720064005f003100300030005f00550053005f004c00540052005f006400610072006b005f004400650073006b0074006f007000	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@peerdistsh.dll,-10001 = "BranchCache Content Retrieval (HTTP-Out)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@netlogon.dll,-1003 = "Netlogon Service (NP-In)"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f\a01460c8\@{EnvironmentsApp_10.0.15063.0_neutral__cw5n1h2txyewy?ms-resource://EnvironmentsApp/resource = "Windows Mixed Reality Environments"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@peerdistsh.dll,-10005 = "BranchCache Hosted Cache Server(HTTP-Out)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-37303 = "mDNS (UDP-In)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\provsvc.dll,-200 = "HomeGroup In"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache\C:%5CWindows%5CSystemApps%5CEnvironmentsApp_cw5n1h2txyewy%5Cresources.pri\1d2a058e0b92f6f	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@peerdistsh.dll,-10004 = "BranchCache Hosted Cache Server (HTTP-In)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\provsvc.dll,-205 = "HomeGroup In (PNRP)"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MrtCache	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@peerdistsh.dll,-10000 = "BranchCache Content Retrieval (HTTP-In)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\dosvc.dll,-102 = "Delivery Optimization (TCP-In)"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\OnDemandInterfaceCache	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%SystemRoot%\system32\firewallapi.dll,-37305 = "mDNS (UDP-Out)"	MsiExec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@C:\Windows\SysWOW64\FirewallControlPanel.dll,-12122 = "Windows Firewall"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@peerdistsh.dll,-10002 = "BranchCache Peer Discovery (WSD-In)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\provsvc.dll,-207 = "HomeGroup Out (PNRP)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\provsvc.dll,-203 = "HomeGroup Out"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@netlogon.dll,-1008 = "Netlogon Service Authz (RPC)"	MsiExec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@peerdistsh.dll,-10006 = "BranchCache Hosted Cache Client (HTTP-Out)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@peerdistsh.dll,-10003 = "BranchCache Peer Discovery (WSD-Out)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%systemroot%\system32\dosvc.dll,-103 = "Delivery Optimization (UDP-In)"	MsiExec.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e\52C64B7E\@%windir%\system32\diagtrack.dll,-3001 = "Connected User Experiences and Telemetry"	MsiExec.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ = "IRdpDesktopSession PSFactory"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\InprocServer32\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\110.0.5481.7\\remoting_core.dll"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ = "IRdpDesktopSessionEventHandler"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application\ApplicationCompany = "Google LLC"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\Version = "1845499241"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\SourceList\PackageName = "chromeremotedesktophost.msi"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ProxyStubClsid32\ = "{b59b96da-83cb-40ee-9b91-c377400fc3e3}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\PackageCode = "39158FC9201731D40AD14CBF200ECFC1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\AdvertiseFlags = "388"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\ProxyStubClsid32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\HELPDIR\ = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\110.0.5481.7\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\SourceList\Net	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application\ApplicationName = "@C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\110.0.5481.7\\remoting_core.dll,-119"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27e8bb1f-93b0-517e-886d-f024d2544b2a}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\HELPDIR	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\SourceList\Net\1 = "C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppId\{52e6fd1a-f16e-49c0-aacb-5436a915448b}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\InprocServer32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9C7E41B6F012FD14EA244CE2A5D8BD78\chromoting_host	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\DeploymentFlags = "3"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\shell	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\FLAGS\ = "0"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\9C7E41B6F012FD14EA244CE2A5D8BD78	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{e051a481-6345-4ba1-bdb1-cf7929955268}\TypeLib\ = "{b6396c45-b0cc-456b-9f49-f12964ee6df4}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27e8bb1f-93b0-517e-886d-f024d2544b2a}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\ProxyStubClsid32	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\ = "Chromoting 1.0 Type Library"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\shell\open\command\ = "\"C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\110.0.5481.7\\remote_open_url.exe\" %1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{b59b96da-83cb-40ee-9b91-c377400fc3e3}\ = "IRdpDesktopSessionEventHandler PSFactory"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\FLAGS	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\ProductIcon = "C:\\Windows\\Installer\\{6B14E7C9-210F-41DF-AE42-C42E5A8DDB87}\\chromoting.ico"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\SourceList\Media\1 = ";"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}\ProxyStubClsid32\ = "{6a7699f0-ee43-43e7-aa30-a6738f9bd470}"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\Language = "1033"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application\ApplicationIcon = "C:\\Program Files (x86)\\Google\\Chrome Remote Desktop\\110.0.5481.7\\remoting_core.dll,-112"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{52e6fd1a-f16e-49c0-aacb-5436a915448b}\AccessPermission = 010014807800000088000000140000003000000002001c000100000011001400040000000101000000000010002000000200480003000000000014000b000000010100000000000512000000000018000b00000001020000000000052000000020020000000014000b0000000101000000000005130000000102000000000005200000002002000001020000000000052000000020020000	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{27e8bb1f-93b0-517e-886d-f024d2544b2a}\LocalServer32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\767F12B2751E6AF469C35538C441336A\9C7E41B6F012FD14EA244CE2A5D8BD78	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ChromeRemoteDesktopUrlForwarder\Application	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{655bd819-c08c-4b04-80c2-f160739ff6ef}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{6a7699f0-ee43-43e7-aa30-a6738f9bd470}	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Typelib\{b6396c45-b0cc-456b-9f49-f12964ee6df4}\1.0\0\win32	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\9C7E41B6F012FD14EA244CE2A5D8BD78\SourceList	msiexec.exe

NTFS ADS 1 IoCs

Processes:

firefox.exe

description	ioc	Process
File created	C:\Users\Admin\Downloads\chromeremotedesktophost.msi:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

remote_assistance_host.exe

pid	Process
3380	remote_assistance_host.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exemsiexec.exe

pid	Process
4964	AnyDesk.exe
4964	AnyDesk.exe
1580	AnyDesk.exe
1580	AnyDesk.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
4180	msiexec.exe
4180	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

firefox.exemsiexec.exemsiexec.exe

description	pid	Process
Token: SeDebugPrivilege	828	firefox.exe
Token: SeDebugPrivilege	828	firefox.exe
Token: SeDebugPrivilege	828	firefox.exe
Token: SeDebugPrivilege	828	firefox.exe
Token: SeDebugPrivilege	828	firefox.exe
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	4180	msiexec.exe
Token: SeCreateTokenPrivilege	3576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3576	msiexec.exe
Token: SeLockMemoryPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeMachineAccountPrivilege	3576	msiexec.exe
Token: SeTcbPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeLoadDriverPrivilege	3576	msiexec.exe
Token: SeSystemProfilePrivilege	3576	msiexec.exe
Token: SeSystemtimePrivilege	3576	msiexec.exe
Token: SeProfSingleProcessPrivilege	3576	msiexec.exe
Token: SeIncBasePriorityPrivilege	3576	msiexec.exe
Token: SeCreatePagefilePrivilege	3576	msiexec.exe
Token: SeCreatePermanentPrivilege	3576	msiexec.exe
Token: SeBackupPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeDebugPrivilege	3576	msiexec.exe
Token: SeAuditPrivilege	3576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3576	msiexec.exe
Token: SeChangeNotifyPrivilege	3576	msiexec.exe
Token: SeRemoteShutdownPrivilege	3576	msiexec.exe
Token: SeUndockPrivilege	3576	msiexec.exe
Token: SeSyncAgentPrivilege	3576	msiexec.exe
Token: SeEnableDelegationPrivilege	3576	msiexec.exe
Token: SeManageVolumePrivilege	3576	msiexec.exe
Token: SeImpersonatePrivilege	3576	msiexec.exe
Token: SeCreateGlobalPrivilege	3576	msiexec.exe
Token: SeCreateTokenPrivilege	3576	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3576	msiexec.exe
Token: SeLockMemoryPrivilege	3576	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3576	msiexec.exe
Token: SeMachineAccountPrivilege	3576	msiexec.exe
Token: SeTcbPrivilege	3576	msiexec.exe
Token: SeSecurityPrivilege	3576	msiexec.exe
Token: SeTakeOwnershipPrivilege	3576	msiexec.exe
Token: SeLoadDriverPrivilege	3576	msiexec.exe
Token: SeSystemProfilePrivilege	3576	msiexec.exe
Token: SeSystemtimePrivilege	3576	msiexec.exe
Token: SeProfSingleProcessPrivilege	3576	msiexec.exe
Token: SeIncBasePriorityPrivilege	3576	msiexec.exe
Token: SeCreatePagefilePrivilege	3576	msiexec.exe
Token: SeCreatePermanentPrivilege	3576	msiexec.exe
Token: SeBackupPrivilege	3576	msiexec.exe
Token: SeRestorePrivilege	3576	msiexec.exe
Token: SeShutdownPrivilege	3576	msiexec.exe
Token: SeDebugPrivilege	3576	msiexec.exe
Token: SeAuditPrivilege	3576	msiexec.exe
Token: SeSystemEnvironmentPrivilege	3576	msiexec.exe
Token: SeChangeNotifyPrivilege	3576	msiexec.exe
Token: SeRemoteShutdownPrivilege	3576	msiexec.exe
Token: SeUndockPrivilege	3576	msiexec.exe
Token: SeSyncAgentPrivilege	3576	msiexec.exe
Token: SeEnableDelegationPrivilege	3576	msiexec.exe
Token: SeManageVolumePrivilege	3576	msiexec.exe

Suspicious use of FindShellTrayWindow 14 IoCs

Processes:

firefox.exeAnyDesk.exemsiexec.exeremote_assistance_host.exe

pid	Process
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
828	firefox.exe
828	firefox.exe
3576	msiexec.exe
3576	msiexec.exe
3380	remote_assistance_host.exe

Suspicious use of SendNotifyMessage 10 IoCs

Processes:

firefox.exeAnyDesk.exe

pid	Process
828	firefox.exe
828	firefox.exe
828	firefox.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
4960	AnyDesk.exe
828	firefox.exe
828	firefox.exe

Suspicious use of SetWindowsHookEx 28 IoCs

Processes:

firefox.exe

pid	Process
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe
828	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	Process	procid_target
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 5016 wrote to memory of 828	5016	firefox.exe	68
PID 828 wrote to memory of 3528	828	firefox.exe	69
PID 828 wrote to memory of 3528	828	firefox.exe	69
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 4160	828	firefox.exe	72
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73
PID 828 wrote to memory of 3784	828	firefox.exe	73

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1580
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4960

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.0.2118226695\1476260611" -parentBuildID 20200403170909 -prefsHandle 1492 -prefMapHandle 1484 -prefsLen 1 -prefMapSize 219987 -appdir "C:\Program Files\Mozilla Firefox\browser" - 828 "\\.\pipe\gecko-crash-server-pipe.828" 1592 gpu
    3⤵
    PID:3528
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.3.479679862\314885697" -childID 1 -isForBrowser -prefsHandle 2232 -prefMapHandle 2228 -prefsLen 156 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 828 "\\.\pipe\gecko-crash-server-pipe.828" 2244 tab
    3⤵
    PID:4160
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="828.13.1839899362\752527461" -childID 2 -isForBrowser -prefsHandle 3264 -prefMapHandle 3260 -prefsLen 6938 -prefMapSize 219987 -parentBuildID 20200403170909 -appdir "C:\Program Files\Mozilla Firefox\browser" - 828 "\\.\pipe\gecko-crash-server-pipe.828" 3284 tab
    3⤵
    PID:3784
- - C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe
    "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe" "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_assistance-firefox.json" [email protected]
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:68
- - C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_native_messaging_host.exe
    "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_native_messaging_host.exe" "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_desktop-firefox.json" [email protected]
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2544
- - C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe
    "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe" "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_assistance-firefox.json" [email protected]
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    PID:3380
  - - C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_host.exe
      "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_host.exe" --type=evaluate_capability --evaluate-type=d3d-support
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:4504
  - - C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_host.exe
      "C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_host.exe" --type=evaluate_capability --evaluate-type=d3d-support
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Program Files directory
      PID:3852

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\chromeremotedesktophost.msi"
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3576

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4180
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B5528E9AACEC8A704B64B1A5E34D77A3 C
  2⤵
  - Loads dropped DLL
  PID:2888
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:4852
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 4DAB74EA218055229388C6581BE8FAFD
  2⤵
  - Loads dropped DLL
  PID:2088
- C:\Windows\system32\cmd.exe
  cmd /c mklink /d CurrentVersion ".\110.0.5481.7\"
  2⤵
  PID:5000
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 08A2B42064278556750A3691C8B051B9 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  PID:4700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2304

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1248

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4792

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x420
1⤵
PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_assistance-firefox.json

Filesize
249B

MD5
2dc896251ebf6ff82728fa088d06b997

SHA1
b7fe0b487e05173476a56982156720a16cbabe11

SHA256
4ac1608cc2f932ddcb11e0a0d8bbf512376947f6ffc6490070fab4c33de3ee15

SHA512
5d1efae136b722e34fe55fde14acfaab0a59b3d983d9156c7509e9b97032f4ccc72001c1bccd24a9011724246592c294296ca0f00f0c871d31726437b899afb5

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\com.google.chrome.remote_desktop-firefox.json

Filesize
232B

MD5
89461153933170309aed35a77ad00091

SHA1
6c20298246e7dfff20877eddc7ab97b32f709b60

SHA256
cd511ff312991532758def5d72093134be6396b090e63cca873cba581b6f377f

SHA512
bf813bd84f679f2d49d2384fd98aec4fab7645b8366358b5b3ed2c62a09e45d86fa4767131888bf7618c9597d917bcf208aeff4e971074fc71caa3d9a09e0d64

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\icudtl.dat

Filesize
10.1MB

MD5
2c367970ac87a9275eeec5629bb6fc3d

SHA1
399324d1aeee5e74747a6873501a1ee5aac005ee

SHA256
17d57b17d12dc5cfbf06413d68a06f45ccf245f4abdf5429f30256977c4ed6de

SHA512
f788a0d35f9e4bebe641ee67fff14968b62891f52d05bf638cd2c845df87f2e107c42a32bbe62f389f05e5673fe55cbdb85258571e698325400705cd7b16db01

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe

Filesize
416KB

MD5
5d3a2461cefb238263794385ad305eef

SHA1
dc695f1fb6fb9b8fa6df83b23c7bffcf0fc68d70

SHA256
00ee94df743878eb1ebc661f1fac3e7b9a0c3622ddedfff02ee059bcb2dd76bc

SHA512
07225dc00fe087bce525ec658132d27b96d02543c8c13556abc4b640ba9f50b00d879810e8cdc703d166a78018a7de30bce955fde2b497a586aa77e3bbcd6cbb

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe

Filesize
416KB

MD5
5d3a2461cefb238263794385ad305eef

SHA1
dc695f1fb6fb9b8fa6df83b23c7bffcf0fc68d70

SHA256
00ee94df743878eb1ebc661f1fac3e7b9a0c3622ddedfff02ee059bcb2dd76bc

SHA512
07225dc00fe087bce525ec658132d27b96d02543c8c13556abc4b640ba9f50b00d879810e8cdc703d166a78018a7de30bce955fde2b497a586aa77e3bbcd6cbb

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remote_assistance_host.exe

Filesize
416KB

MD5
5d3a2461cefb238263794385ad305eef

SHA1
dc695f1fb6fb9b8fa6df83b23c7bffcf0fc68d70

SHA256
00ee94df743878eb1ebc661f1fac3e7b9a0c3622ddedfff02ee059bcb2dd76bc

SHA512
07225dc00fe087bce525ec658132d27b96d02543c8c13556abc4b640ba9f50b00d879810e8cdc703d166a78018a7de30bce955fde2b497a586aa77e3bbcd6cbb

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_core.dll

Filesize
26.5MB

MD5
213b11c6f666e8835378bc2c600bd018

SHA1
42794b8296e1f0077e896046d9a459de72e3fd62

SHA256
f4ff95b840733bd999abbeff8e352028b952d62e1eeaa7c1f708742e28979361

SHA512
91cfd5b2b901256d261adb6b74efcea288c3222e5b3342b2322a99ec60b331c5c13d11aecfe4e20bf231bcbe382479b43a0f10bedeb689844339cc960a0f0640

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_host.exe

Filesize
72KB

MD5
1fa070201d5d492d5fa0da92d0e067ea

SHA1
b1610c98f333ab2bd539415e47032f7003d0553c

SHA256
38db1d5e0a8428a0813fbf853cf110e51c2bc7c0ca744da78353bd43679bd432

SHA512
5b7e005fa9cf8e1907ce633eebe7eea02b3e0ccb8f6d97e29727cde3d65d1814485dc369052055f69a5cc543931024c0612f0d17d24d128af7729ebea2050a46

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_host.exe

Filesize
72KB

MD5
1fa070201d5d492d5fa0da92d0e067ea

SHA1
b1610c98f333ab2bd539415e47032f7003d0553c

SHA256
38db1d5e0a8428a0813fbf853cf110e51c2bc7c0ca744da78353bd43679bd432

SHA512
5b7e005fa9cf8e1907ce633eebe7eea02b3e0ccb8f6d97e29727cde3d65d1814485dc369052055f69a5cc543931024c0612f0d17d24d128af7729ebea2050a46

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_native_messaging_host.exe

Filesize
418KB

MD5
16d23cc88201979b8cdf71b2bdf144ec

SHA1
df98de61532eec4124078c49dbccea70e0da0072

SHA256
84f56dfe855c0501d43da2d9deeb08ed4e657e154d478ea8e6a0351ea6fae7a2

SHA512
f3a17b3c40947a4b6913596bd83e0962a4b991a1b4cee0bbc138dbfe5301107c6457a3625bedd6b5b2ec945ddacb4a448d86cdeaf51282efc127bf3fbe0a2973

Download Submit
C:\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_native_messaging_host.exe

Filesize
418KB

MD5
16d23cc88201979b8cdf71b2bdf144ec

SHA1
df98de61532eec4124078c49dbccea70e0da0072

SHA256
84f56dfe855c0501d43da2d9deeb08ed4e657e154d478ea8e6a0351ea6fae7a2

SHA512
f3a17b3c40947a4b6913596bd83e0962a4b991a1b4cee0bbc138dbfe5301107c6457a3625bedd6b5b2ec945ddacb4a448d86cdeaf51282efc127bf3fbe0a2973

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
471B

MD5
2eec864f7a4091183bd585de9d2db3af

SHA1
746292f8e084ce68210fd389b5ba494f739e6187

SHA256
4d9949a2f65ba2e5b6ad6cdebd9d795a133b1477c56230561549213d0d8e3a1f

SHA512
dc3e943526fea2d609cbfe37d33f7572b3968783a0330acb25996d719fb0e2a69b86d5dc26e1870f26301d764f0de7d3e4430b362822885806efd873ea26278c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D

Filesize
727B

MD5
f49252f5798cca57242de79c97a58a8d

SHA1
20a5a380c35b4a64c623d85682af95fb813b849b

SHA256
e50213aec2b6520f6dbd77b9ad238ca5a4ae65478f9ebe7c37178c18ce72ccea

SHA512
e4dae6e651d5f12d571d06dcbcca71a01e36e342da78a768e5c253242a36f2de8cc25adee3ae130856679a778669ce9530500570a60574090ec8772a0443151b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
727B

MD5
8efcecf8c36c3d648eeb916fc7b9e79a

SHA1
b922a9922bd0b74945270d0b84b4408a865fca79

SHA256
a4435cdfa4375f58743517502fbac6810cb8079a270f71e466cdda520f11018b

SHA512
8f59fda85d68bafccec466aa3ddf06f4a4d2ec4a8a6a2bab82f84c5b7f35907117ef462a6ad29691da1606a047b9890f881ae2cebea30ee4f0a2fa45e3777276

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\698460A0B6E60F2F602361424D832905_8BB23D43DE574E82F2BEE0DF0EC47EEB

Filesize
430B

MD5
c76ae1078e553544205efc5129177346

SHA1
faee81ba88f0f99b5d795cf4f2334b086769073b

SHA256
192b1fc9938d9e29ecdc9627308606c05b02d004357bece39b432e1548def26a

SHA512
a26194e396da241f94cb558d4c7340943a773a02f9bd681cdcb0ca78eac54c7e0cf10c53fa63b4fa92fd3ace9e50abff10b7707a0e8fdeacd2aa75e240870caf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EC9B1D0ABBD7F98B401D425828828CE_466BAFE78D4077069B6C3828315C7C8D

Filesize
434B

MD5
0b4dd730ce0b8bfae8e1682e8a5b75a3

SHA1
b351f3edecfbe87862973b2983f51114dd700e34

SHA256
a7b1783d04b90cf7871c8d9812fd107a87ede7d839cb7b1a7a7bd136a92a27e9

SHA512
c998410d8e283717cf0f053f95512f3583c150ab5ff4db2ad7bc74714b7cd000e3146217808c58fc54e664706c42fd14204cbd6ff9679a853b6f3b3464e816d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\C8E534EE129F27D55460CE17FD628216_1130D9B25898B0DB0D4F04DC5B93F141

Filesize
412B

MD5
c29634e5b8c5598a6f4807970dfbf6ac

SHA1
9003efb681223101d32393527864ba96e57d4a94

SHA256
be9373a388f4eb88e992bd1873ec22d572bd355d6e9b5f3d24686719da3b28aa

SHA512
508a496e9f4e2a85f688bbeffe26a128d42b9154e74a60ea423f84f449b8a1cae9adc08462d23cadaba104b6fae92ff1601eba805e386341b6f2c4c457144c6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI51B0.tmp

Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
7d28a116a97e7f4b5969497ecb5f5f69

SHA1
166407802fe2c18cb33d2990df08ef0a83200466

SHA256
79607a3803bcca64b018a524eb70149ea6da17c8698f59f884a337d05bae4903

SHA512
a072a8361d7bec853249d96d36454d882c0fa30e6da4afc89b9dbc16f1acb013092adf0acc666c1fd69d94d81644889b59378c6456347fb02524e92187f981cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
7d28a116a97e7f4b5969497ecb5f5f69

SHA1
166407802fe2c18cb33d2990df08ef0a83200466

SHA256
79607a3803bcca64b018a524eb70149ea6da17c8698f59f884a337d05bae4903

SHA512
a072a8361d7bec853249d96d36454d882c0fa30e6da4afc89b9dbc16f1acb013092adf0acc666c1fd69d94d81644889b59378c6456347fb02524e92187f981cc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
e340362c0fadaa1834fd119a60b33cac

SHA1
5e91fbb636dcb69001bf8432397d2d0c9ffa0628

SHA256
82646e1b4bc5b72f5532383b2c3c1be2847ab82b8418239c27af2baa0b6f7c5d

SHA512
f40766f44e4904346395b85cc27d8d72aa8f8e38028a23a57712524d9b3573c1d8d342ea03152b84054d794529757796354b02014a621c4faf48f6a3c3824443

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5be3cade962ee31ff531b399a425e8ce

SHA1
69c63560d7587b0cb1db1efff191ed26c86bb844

SHA256
89a6cadc18dcda06f7bb2b1bc5b911d4616fc5fd9260b6e39ed7e1d2cf4cfea0

SHA512
b7570a847f54891df89c44c1531cfd7ac889084e15f5c57d3c8ad31c487026ca44682b3a622ea3f0d259e8e8746eb187b80635e898bced17fc4876d79af60f4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
a7c9cf5b1d7d356b29e0af567a270b23

SHA1
3104cee174c2d6bda04a9b29e5843b2e540db037

SHA256
3b298fc91ade237e02fb6cf309416146d563d35c001692ac178a0720abf984bf

SHA512
8c7a9b725cff16def930be9f514841b6dcca1b3f758f44c6bcaa0bdbf02f5d2d77fcd420e344661ac29cae44d281617674dcc88c3a354cf793dd506441982e42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
5b1afc03f46545565a1c54a82815550f

SHA1
f2b4233e4086f612f3002fc4da09570a4d1aa78e

SHA256
c01fb3757f81fb88ab18b81ee63372b6065689d7ab7dd9b713bfb32a24c30e7e

SHA512
514aa07e42258d98f8b08fdb54cbfa1f8470ea391c855725c1989f454ee2bd579b30add11e74c1afd25cebd50d881a17de659a950b63de8abc6c1f93c16fd92b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
e345def8ce2aaa7fde455042ced25445

SHA1
d0a85a16c7c76dd47f41bf858020f4a7c65aa170

SHA256
ed14acc6d804de98064753cfc50565104ac71007c61b4be78dadf1cd7e2138fe

SHA512
d2151b1b91853f0ba274d66fe7466d134453039fcadd88cb891545bd0df2739c929cad64c5fe31268e98e722e2730731e5f9572cb8e2d127c31e99d19a8c27dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
848B

MD5
2956b1d20f32eab51879e643b6ee209c

SHA1
e66cada8aaf2a11052580dbbb7904e53813a1e8f

SHA256
1861fe338939a01de392972c998f89d330029cc6fdf5df98c39f47a874eec79d

SHA512
4b5afcff20f15ea2871640adfcee2d316c93f48437809b58e66bd10ab50a9c58036589a4971dd6205a2ec3746c06dd142f1f9b954d12532708dfb25dd752f49e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
30e9b8bcd78015a6bbee5a09eb36d11d

SHA1
ec0db651c49dcc901fb0cc17493dc7733f68d45b

SHA256
5e06513e8250cb62c38bfd52d873681023d04f6618dc0a32a4e3d83bcfd4850c

SHA512
4690f05e37891a1c161584f87bfc12c86908f9cb9715857fbaedb1be3901282c7799144e02692924a63a15df38c58259eaca3aa0e9049b7777a3f64b44af362e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3c1bfc94b031ea1904692c80d3dbd133

SHA1
d74c79e6b695b3caacbbc5280e96b7fcf74f2223

SHA256
15e10f4bf28165bb1ca15587168617b7fba138a5a09a5304daf9565f54ce8de5

SHA512
b75fb99363caff2164487744d08542a70b22bc45ee14d21cd77b9082677ef04560ac2f7d2967712af50bcc487a1f90b66a01b5553161488e69558e582e581092

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3c1bfc94b031ea1904692c80d3dbd133

SHA1
d74c79e6b695b3caacbbc5280e96b7fcf74f2223

SHA256
15e10f4bf28165bb1ca15587168617b7fba138a5a09a5304daf9565f54ce8de5

SHA512
b75fb99363caff2164487744d08542a70b22bc45ee14d21cd77b9082677ef04560ac2f7d2967712af50bcc487a1f90b66a01b5553161488e69558e582e581092

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3c1bfc94b031ea1904692c80d3dbd133

SHA1
d74c79e6b695b3caacbbc5280e96b7fcf74f2223

SHA256
15e10f4bf28165bb1ca15587168617b7fba138a5a09a5304daf9565f54ce8de5

SHA512
b75fb99363caff2164487744d08542a70b22bc45ee14d21cd77b9082677ef04560ac2f7d2967712af50bcc487a1f90b66a01b5553161488e69558e582e581092

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
39bf378b294759cd074cf31bf31ab0ac

SHA1
3e0f3e199e2fccf20c73170790e1e28a24ba6c46

SHA256
b7ef65981d1f42717f22c52d12231f07c2375d0bf9ce8b287af9fc8a6b93121d

SHA512
ee56502779420fc0a185d5096f62e2ec68f4e59e02099d79c295439c84c4991af8515745c1d2ac38cf609c46bc1dc1090be48aa62ed76c3cd61ad74e3b4e3693

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e7ee67b868930d17b33a386ca2119e88

SHA1
152beae852aa05f66bdaf748481cea0bc9e09028

SHA256
b67d5c3f2ad73efb8f3143311cc0bcb25e88da8800db9d88ae40b6c88bd7e78a

SHA512
cde1175315554ac4232a20d96df042791a0b356d6aedf48b4dfbfe71e5124865889ad36ea1487b589c43c2e462224fde356d95d91f2ff24110638c8fbe7c6dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e7ee67b868930d17b33a386ca2119e88

SHA1
152beae852aa05f66bdaf748481cea0bc9e09028

SHA256
b67d5c3f2ad73efb8f3143311cc0bcb25e88da8800db9d88ae40b6c88bd7e78a

SHA512
cde1175315554ac4232a20d96df042791a0b356d6aedf48b4dfbfe71e5124865889ad36ea1487b589c43c2e462224fde356d95d91f2ff24110638c8fbe7c6dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e7ee67b868930d17b33a386ca2119e88

SHA1
152beae852aa05f66bdaf748481cea0bc9e09028

SHA256
b67d5c3f2ad73efb8f3143311cc0bcb25e88da8800db9d88ae40b6c88bd7e78a

SHA512
cde1175315554ac4232a20d96df042791a0b356d6aedf48b4dfbfe71e5124865889ad36ea1487b589c43c2e462224fde356d95d91f2ff24110638c8fbe7c6dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e7ee67b868930d17b33a386ca2119e88

SHA1
152beae852aa05f66bdaf748481cea0bc9e09028

SHA256
b67d5c3f2ad73efb8f3143311cc0bcb25e88da8800db9d88ae40b6c88bd7e78a

SHA512
cde1175315554ac4232a20d96df042791a0b356d6aedf48b4dfbfe71e5124865889ad36ea1487b589c43c2e462224fde356d95d91f2ff24110638c8fbe7c6dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e7ee67b868930d17b33a386ca2119e88

SHA1
152beae852aa05f66bdaf748481cea0bc9e09028

SHA256
b67d5c3f2ad73efb8f3143311cc0bcb25e88da8800db9d88ae40b6c88bd7e78a

SHA512
cde1175315554ac4232a20d96df042791a0b356d6aedf48b4dfbfe71e5124865889ad36ea1487b589c43c2e462224fde356d95d91f2ff24110638c8fbe7c6dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e7ee67b868930d17b33a386ca2119e88

SHA1
152beae852aa05f66bdaf748481cea0bc9e09028

SHA256
b67d5c3f2ad73efb8f3143311cc0bcb25e88da8800db9d88ae40b6c88bd7e78a

SHA512
cde1175315554ac4232a20d96df042791a0b356d6aedf48b4dfbfe71e5124865889ad36ea1487b589c43c2e462224fde356d95d91f2ff24110638c8fbe7c6dd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
8e37cc963c1d74465c29b5435adb6175

SHA1
a1576fe451b21c9833e12891ed5930f0c36f54d4

SHA256
f1df8b4eb4bd51e3bb01c351abf0fceb32c65556885a574b4aee369bc76b3992

SHA512
1e36a129dd02b525a8fb55ced9bd91a36f02b33c07e7145bcccd13e9d165c1efa1f276b603ebbc3c26c653ed8ce11a68e5981bc51049a69c496cdf621670b0f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
81aefc6bf3f6c1241a53b060b86aa6f4

SHA1
2c585cfed5130cd1f54b8810568a6f65748f21a4

SHA256
007ccb8109ddb0146887c487fc97baca9fb3b016a95c4174fc87c1d9b1e3168c

SHA512
6e715c6060d2d5a1d9c0ae38378039500876f52ac5a148a6267aca1d19e43f4c8de7fd319976b51cc1f0db4b1602cfc3f2b905aede3475456241ce173520d1a3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e05a0ceaf8c31e46af966e6b3c118d2c

SHA1
2e177516fa8cbd410a4604c1b2ab4931420b1fd6

SHA256
3d190da11f5bc7966e7a8b7bb116dffc3442b307dd55e8ac822088093de5cb8c

SHA512
6366ba340799bf6859b6bda73433f34363c66ece6a55f8b53c7c47ef30fdeb7b890c321a9e8f3fc29f723077128cb1315dce2d50e21ebed2ccf53c2c1c02aaf9

Download Submit
C:\Users\Admin\Downloads\chromeremotedesktophost.msi

Filesize
19.9MB

MD5
91589ea2826ee9df4d689e4ffad677ec

SHA1
1e9b0fcf91a9eaa288b6d92788098dfbb0e6fd96

SHA256
2d1b86066bc55b7067e3ff232b99f91036f65b1569af108254843fb383dd26b4

SHA512
05a2ebb3ad81a1b1e06b24dc08de180f82acaada2054ecc6e910119ed944b3e1298a5b80fa22faa48943e6f8dc5850ea97509062df7d607f4d915fa80ce30e53

Download Submit
C:\Windows\Installer\MSID26A.tmp

Filesize
88KB

MD5
85fcf7b457b7194bbeb46db22fae05c3

SHA1
5eca64d0d4ab4599852a475a7dd25beb88ae1c27

SHA256
e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31

SHA512
12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

Download Submit
C:\Windows\Installer\MSID7EA.tmp

Filesize
88KB

MD5
85fcf7b457b7194bbeb46db22fae05c3

SHA1
5eca64d0d4ab4599852a475a7dd25beb88ae1c27

SHA256
e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31

SHA512
12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

Download Submit
C:\Windows\Installer\MSIDAC9.tmp

Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit
C:\Windows\Installer\MSIE366.tmp

Filesize
88KB

MD5
85fcf7b457b7194bbeb46db22fae05c3

SHA1
5eca64d0d4ab4599852a475a7dd25beb88ae1c27

SHA256
e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31

SHA512
12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

Download Submit
C:\Windows\Installer\MSIECED.tmp

Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
25.0MB

MD5
319dc40e69fa522891a8df08e192b951

SHA1
6ebdb9222bbf852a8eb8a70d0cd058b9348002ca

SHA256
00a62d6aaa5b075f3daab8b5fb3ea392a6f4fca91ffa3f688db0ccad7c98c1cd

SHA512
637dfde7592731f316582d13cbb237bafa307a1fffd52e5f5b939441e37e7d6fef4de9c7220d2ec7700a12ce0d66a3ef9cec929050f4b1fbab959265bd22e83f

Download Submit
\??\Volume{b79df8d1-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{dcf51922-ed3d-468c-9481-d1d9c797d3a7}_OnDiskSnapshotProp

Filesize
5KB

MD5
ae8e6db4844deb0eda7e6e5c1837797d

SHA1
64d2d025224dd77af3327121ec516864bf381c57

SHA256
d22ad45c0315d9901231902a0b164c54ac9469be1c56250d5e4c5d513a92763b

SHA512
37a2a41448e9f33eb25f3b10469cbe68d5eae3a52245b93d09d54fad7eeac60ecc7a8b4b612004e6bfb48aaa1629137ecf6e5358e611426aad71dfa3a58b0a61

Download Submit
\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_core.dll

Filesize
26.5MB

MD5
213b11c6f666e8835378bc2c600bd018

SHA1
42794b8296e1f0077e896046d9a459de72e3fd62

SHA256
f4ff95b840733bd999abbeff8e352028b952d62e1eeaa7c1f708742e28979361

SHA512
91cfd5b2b901256d261adb6b74efcea288c3222e5b3342b2322a99ec60b331c5c13d11aecfe4e20bf231bcbe382479b43a0f10bedeb689844339cc960a0f0640

Download Submit
\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_core.dll

Filesize
26.5MB

MD5
213b11c6f666e8835378bc2c600bd018

SHA1
42794b8296e1f0077e896046d9a459de72e3fd62

SHA256
f4ff95b840733bd999abbeff8e352028b952d62e1eeaa7c1f708742e28979361

SHA512
91cfd5b2b901256d261adb6b74efcea288c3222e5b3342b2322a99ec60b331c5c13d11aecfe4e20bf231bcbe382479b43a0f10bedeb689844339cc960a0f0640

Download Submit
\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_core.dll

Filesize
26.5MB

MD5
213b11c6f666e8835378bc2c600bd018

SHA1
42794b8296e1f0077e896046d9a459de72e3fd62

SHA256
f4ff95b840733bd999abbeff8e352028b952d62e1eeaa7c1f708742e28979361

SHA512
91cfd5b2b901256d261adb6b74efcea288c3222e5b3342b2322a99ec60b331c5c13d11aecfe4e20bf231bcbe382479b43a0f10bedeb689844339cc960a0f0640

Download Submit
\Program Files (x86)\Google\Chrome Remote Desktop\110.0.5481.7\remoting_core.dll

Filesize
26.5MB

MD5
213b11c6f666e8835378bc2c600bd018

SHA1
42794b8296e1f0077e896046d9a459de72e3fd62

SHA256
f4ff95b840733bd999abbeff8e352028b952d62e1eeaa7c1f708742e28979361

SHA512
91cfd5b2b901256d261adb6b74efcea288c3222e5b3342b2322a99ec60b331c5c13d11aecfe4e20bf231bcbe382479b43a0f10bedeb689844339cc960a0f0640

Download Submit
\Users\Admin\AppData\Local\Temp\MSI51B0.tmp

Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit
\Windows\Installer\MSID26A.tmp

Filesize
88KB

MD5
85fcf7b457b7194bbeb46db22fae05c3

SHA1
5eca64d0d4ab4599852a475a7dd25beb88ae1c27

SHA256
e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31

SHA512
12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

Download Submit
\Windows\Installer\MSID7EA.tmp

Filesize
88KB

MD5
85fcf7b457b7194bbeb46db22fae05c3

SHA1
5eca64d0d4ab4599852a475a7dd25beb88ae1c27

SHA256
e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31

SHA512
12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

Download Submit
\Windows\Installer\MSIDAC9.tmp

Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit
\Windows\Installer\MSIE366.tmp

Filesize
88KB

MD5
85fcf7b457b7194bbeb46db22fae05c3

SHA1
5eca64d0d4ab4599852a475a7dd25beb88ae1c27

SHA256
e24376a9346c2d486ce7426ca3ddc73cd020bb7216f8e5a0b9b2cb23caddcf31

SHA512
12d46c2d63d221adb288a89b2fe0b423d4ae7579c24c36d651a6ce9488bfdc669a1e8378309c28f7019c7cfc43fa87e99b4829cace97715c0b94ac9e2a758339

Download Submit
\Windows\Installer\MSIECED.tmp

Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit
memory/68-668-0x0000000000000000-mapping.dmp

Download
memory/1580-153-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-143-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-183-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-184-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-126-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-121-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-209-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/1580-146-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-127-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-136-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-120-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-163-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-162-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-161-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-160-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-159-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-157-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-158-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-156-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-155-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-154-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-147-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-145-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-151-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-150-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-149-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-148-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-125-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-181-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-152-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-122-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-144-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-180-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-401-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/1580-123-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-182-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-165-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-142-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-166-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/1580-139-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-178-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-179-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-138-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-137-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/1580-135-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-134-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-133-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-132-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-128-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-141-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-177-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-140-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-176-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-175-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-174-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-124-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-164-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-173-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-172-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-171-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-170-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-131-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-130-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-169-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-129-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/1580-168-0x00000000778B0000-0x0000000077A3E000-memory.dmp

Filesize
1.6MB

Download
memory/2088-519-0x0000000000000000-mapping.dmp

Download
memory/2544-754-0x0000000000000000-mapping.dmp

Download
memory/2888-459-0x0000000000000000-mapping.dmp

Download
memory/3380-820-0x0000000000000000-mapping.dmp

Download
memory/3852-997-0x0000000000000000-mapping.dmp

Download
memory/4504-916-0x0000000000000000-mapping.dmp

Download
memory/4700-585-0x0000000000000000-mapping.dmp

Download
memory/4852-512-0x0000000000000000-mapping.dmp

Download
memory/4960-453-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/4960-365-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/4960-218-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/4960-188-0x0000000000000000-mapping.dmp

Download
memory/4964-441-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/4964-372-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/4964-262-0x0000000001270000-0x00000000022EE000-memory.dmp

Filesize
16.5MB

Download
memory/4964-185-0x0000000000000000-mapping.dmp

Download
memory/5000-584-0x0000000000000000-mapping.dmp

Download