fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18

Analysis

max time kernel
747s
max time network
750s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
27/02/2023, 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

3.8MB
MD5

e546506082b374a0869bdd97b313fe5d
SHA1

082dc6b336b41788391bad20b26f4b9a1ad724fc
SHA256

fc19f3275d02764cf249dc6fe8962e06b83a4f5769cc369bc4f77b90c567df18
SHA512

15a8d7c74193dffd77639b1356ccbe975d17de73d0d6d177b8ecf816d665f620adefcded37c141bac0b2d8564fbba61aca4d9b01885740f23fbcc190515cbd08
SSDEEP

98304:uSCb8xJlb0VgU/vZaZKa4opQILfbsLajDMWEeq7PbUs6En5:uH8HCOUZakpAbjbsLsMmqM

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk (1).exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk (1).exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 10 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4784	AnyDesk (1).exe

Suspicious behavior: EnumeratesProcesses 63 IoCs

pid	Process
2200	AnyDesk (1).exe
2200	AnyDesk (1).exe
2200	AnyDesk (1).exe
2200	AnyDesk (1).exe
2200	AnyDesk (1).exe
2200	AnyDesk (1).exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
668	Process not Found

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeDebugPrivilege	2200	AnyDesk (1).exe
Token: 33	4240	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4240	AUDIODG.EXE
Token: SeDebugPrivilege	4560	firefox.exe
Token: SeDebugPrivilege	4560	firefox.exe
Token: SeDebugPrivilege	4560	firefox.exe
Token: SeDebugPrivilege	4560	firefox.exe
Token: SeDebugPrivilege	4560	firefox.exe
Token: SeDebugPrivilege	4224	taskmgr.exe
Token: SeSystemProfilePrivilege	4224	taskmgr.exe
Token: SeCreateGlobalPrivilege	4224	taskmgr.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
4560	firefox.exe
4560	firefox.exe
4560	firefox.exe
4560	firefox.exe
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
5132	mshta.exe
5608	Solaris.exe.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
4560	firefox.exe
4560	firefox.exe
4560	firefox.exe
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
4784	AnyDesk (1).exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe
4224	taskmgr.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
4560	firefox.exe
4316	AnyDesk (1).exe
4316	AnyDesk (1).exe
5608	Solaris.exe.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5060 wrote to memory of 2200	5060	AnyDesk (1).exe	85
PID 5060 wrote to memory of 2200	5060	AnyDesk (1).exe	85
PID 5060 wrote to memory of 2200	5060	AnyDesk (1).exe	85
PID 5060 wrote to memory of 4784	5060	AnyDesk (1).exe	86
PID 5060 wrote to memory of 4784	5060	AnyDesk (1).exe	86
PID 5060 wrote to memory of 4784	5060	AnyDesk (1).exe	86
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 3676 wrote to memory of 4560	3676	firefox.exe	91
PID 4560 wrote to memory of 4132	4560	firefox.exe	92
PID 4560 wrote to memory of 4132	4560	firefox.exe	92
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93
PID 4560 wrote to memory of 4816	4560	firefox.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5060
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:4316
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4784

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3676
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4560
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.0.312280201\2107947853" -parentBuildID 20221007134813 -prefsHandle 1856 -prefMapHandle 1756 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f3ddd4ba-1a59-44f1-8900-1ab6fa26567f} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 1940 26bc9bed558 gpu
    3⤵
    PID:4132
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.1.252949437\1887857458" -parentBuildID 20221007134813 -prefsHandle 2320 -prefMapHandle 2316 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {731e4707-009b-4284-9c5e-e4d7877c803f} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 2332 26bbcc70a58 socket
    3⤵
    - Checks processor information in registry
    PID:4816
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.2.1197525869\21483928" -childID 1 -isForBrowser -prefsHandle 2908 -prefMapHandle 2880 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c16280f6-f408-4296-8f42-18c3547b7c13} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 2968 26bcd506e58 tab
    3⤵
    PID:540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.3.1962504570\942371400" -childID 2 -isForBrowser -prefsHandle 3408 -prefMapHandle 3504 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3f70001-d1ae-42bf-883e-729f18133b9c} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 1300 26bbcc63558 tab
    3⤵
    PID:1276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.4.1771314072\1878128620" -childID 3 -isForBrowser -prefsHandle 4380 -prefMapHandle 4376 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {95213061-0613-4c98-9626-824d2e558fe3} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 4392 26bbcc61658 tab
    3⤵
    PID:5076
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.5.195293341\1150985084" -childID 4 -isForBrowser -prefsHandle 4712 -prefMapHandle 4740 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fc6c898c-87f1-4fd9-b5d4-faaef80300fb} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 4732 26bcd47bd58 tab
    3⤵
    PID:2420
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.6.1125192629\1132185930" -childID 5 -isForBrowser -prefsHandle 5052 -prefMapHandle 5064 -prefsLen 26941 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d55ac049-badf-4177-8b04-e62a96bdc8e2} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 5168 26bbcc72558 tab
    3⤵
    PID:4088
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.7.1089066832\338444616" -childID 6 -isForBrowser -prefsHandle 5032 -prefMapHandle 5036 -prefsLen 26941 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54b84235-2c20-4c4b-a06c-81425ada8a83} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 4984 26bcd505f58 tab
    3⤵
    PID:1504
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.8.621186655\1158672908" -childID 7 -isForBrowser -prefsHandle 5012 -prefMapHandle 5016 -prefsLen 26941 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c96ff1c5-2746-4c24-a5fc-e101a8854d35} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 4604 26bcfa76458 tab
    3⤵
    PID:1340
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.9.1131198997\1080371966" -childID 8 -isForBrowser -prefsHandle 5652 -prefMapHandle 4324 -prefsLen 27252 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {97e21193-8e85-4f4b-abb2-f37d7cc64458} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 5660 26bce267158 tab
    3⤵
    PID:2092
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.10.1559689704\877899191" -parentBuildID 20221007134813 -prefsHandle 4844 -prefMapHandle 4840 -prefsLen 27252 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bde2b4ea-b782-4bd6-93a5-06725978ceca} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 5956 26bd0082b58 rdd
    3⤵
    PID:4760
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.11.75878722\408749028" -childID 9 -isForBrowser -prefsHandle 3732 -prefMapHandle 4308 -prefsLen 27252 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5b7a27b-e07f-4dd6-83e1-f13c7619b598} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 4812 26bce250758 tab
    3⤵
    PID:4716
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.12.624816447\1811453549" -parentBuildID 20221007134813 -sandboxingKind 1 -prefsHandle 6192 -prefMapHandle 4416 -prefsLen 27252 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4973a11-ff5f-4408-bc95-114ff50188a9} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 3708 26bd0192c58 utility
    3⤵
    PID:3940
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4560.13.353692104\641241605" -childID 10 -isForBrowser -prefsHandle 7008 -prefMapHandle 6988 -prefsLen 27261 -prefMapSize 232675 -jsInitHandle 1416 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {71553f72-2aba-4d2a-8dfe-697d33dddcb4} 4560 "\\.\pipe\gecko-crash-server-pipe.4560" 6960 26bd2086758 tab
    3⤵
    PID:1876

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x514 0x318
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4240

C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\SuspendRestart.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
1⤵
- Suspicious use of FindShellTrayWindow
PID:5132

C:\Users\Admin\Desktop\Solaris.exe.exe
"C:\Users\Admin\Desktop\Solaris.exe.exe"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:5608

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4224

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\activity-stream.discovery_stream.json.tmp

Filesize
152KB

MD5
8463da0703fe1be809bf3b2b8e20e9ea

SHA1
e67f624195545294c534234f66c837a2265400cc

SHA256
79bd27ce68163354ec6fe086aa4f9ec9f534cf91006da0ba9eb5993b7217a635

SHA512
2f1f14490bb021bfd5dfb16442e339070b66d43c6ae770e507daa1885557470cbf89762697350ca647e2dc2e7f6da0671a50908fb35d96608130029e6879a8b6

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\doomed\13183

Filesize
15KB

MD5
9a68e3a4a063edceed8c71e73a6cf8e3

SHA1
5e5c45de85fe44d7e6a90140e9cfe8e86561869f

SHA256
275e79eb764c0b1b17b14b99551b9680b9b75c89830bfa86880fe4bbdc71f45b

SHA512
00a566e4b9522e946dfdc1d45aae92a9154ca0f7e0399fca3a5527b819d094b906f596ce43c89271ff242658caeae5cf89c766c8d2981b0af8016e9799ded358

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\85w5cth6.default-release\cache2\entries\319A3C729485F0E9394E9379F5D4BC51F73F2F5B

Filesize
178KB

MD5
c773abb3fd5c1ace66c078b73ac99bbd

SHA1
b0eee1f98a8be2e6744d64a324c0d7de2e3a161d

SHA256
1d5adb39ccbc987250a02fb932788214e15bd1312b2e1e81c0af506a45e7d7db

SHA512
04700471b44ae3e406458732434f539d2245ce7dc9ed1048b8a7ee7174fa3634aed1f654db3967079259165b524f0e6462cd9af02921467fb8d22aab8f43346d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
e9c884f56e1aeb3571b3c54af3c9c7c6

SHA1
4d25c14702a5fcde76a0fb457ac17be04550090d

SHA256
95df55769d287f815ae7fdc5f50bceba7edd34a55dec267cfa15cc7acfe47e98

SHA512
e0f34a1c728f96fe43cf78fab9c063b3bff48b6a86e8560723805c567311596f012a73995e090e7483571d8b0de0cf2af677a7fd0c810d655cecc089ff053390

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
ff89e319b2e052e793d6f2d4ccf2197b

SHA1
71d7686d0c9ca55d55b5d522cb347094c2c61063

SHA256
90158e69d101c7cd890bae1a59c24689d00300014f9f65b870f35bfe71474022

SHA512
dda002cc3ebceaaf2acac4eb3419f4775ce480d4efd9de87fe3ad3ef4c8e306a3079f57ba7730b5de61a9422dae94d8639a306cd0c7cd80ee953327c77474516

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
40KB

MD5
1f6589c958f7c3c49d317f710c94d0dc

SHA1
1d18d60bf55e6b216050c307890a98957aba51df

SHA256
7b3e76dc3c5565a19a4a0e93c1bf2bbb31d8d1a588492be6d848b1b503077a4b

SHA512
eb24d390b724f8c10c9ffe28913f3cb52ee62833e23e94508090ed0ddff9feba3ca91e3712144990208c3e71d8d00a793818ecb3436b12f54804416a1e11a8fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
07c7d629153b3d31e21088bed2c8eb53

SHA1
a6f3394fe97b1d8c0d67096a01c00752527cae68

SHA256
1cde2d6ef0f274f01e2fa946de32d2474376288aed79f5c264d8cade66745569

SHA512
01456e3d758e7546b567f0200c4d19e5cbcc32c5402ea050dd5eafc225dbbe7bc5c3c41ff04b6b180aadfe94331aa2617dd6ba77073e40e0f13ee74d40c80599

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
07c7d629153b3d31e21088bed2c8eb53

SHA1
a6f3394fe97b1d8c0d67096a01c00752527cae68

SHA256
1cde2d6ef0f274f01e2fa946de32d2474376288aed79f5c264d8cade66745569

SHA512
01456e3d758e7546b567f0200c4d19e5cbcc32c5402ea050dd5eafc225dbbe7bc5c3c41ff04b6b180aadfe94331aa2617dd6ba77073e40e0f13ee74d40c80599

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0094cb2deb75be5b1e0c20c214ad8202

SHA1
f9baba5b6928fe523bcbb0aac352f4272efce199

SHA256
bb35fd510e44296f5a9f048e7ec30564ca7a0eaae34aba9279d62179d4ce7376

SHA512
5874d7500303b1d923dee055b91e89ce5052f3506c83aa13757e3b3a30acf79af26fed8d6033a9647f6b39928d394658af839225db82f543ad5404125990779b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
264871cb31e4339688f800e3968e73f3

SHA1
3cd6e3f4f14087164c6d8cc8395c7199caf83260

SHA256
74fe4ed380080775244ec0b92e9da92aa16fb30a0121eace6cd9b8bd0671b7c5

SHA512
f33322b526d4e914c6a2cc8c98045356aec7666f86f25b78a20017c36a748a080df76cba16a48f42d9076890a65e9ae4eb6c8703c6c428b891df3c45049f89a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
264871cb31e4339688f800e3968e73f3

SHA1
3cd6e3f4f14087164c6d8cc8395c7199caf83260

SHA256
74fe4ed380080775244ec0b92e9da92aa16fb30a0121eace6cd9b8bd0671b7c5

SHA512
f33322b526d4e914c6a2cc8c98045356aec7666f86f25b78a20017c36a748a080df76cba16a48f42d9076890a65e9ae4eb6c8703c6c428b891df3c45049f89a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
264871cb31e4339688f800e3968e73f3

SHA1
3cd6e3f4f14087164c6d8cc8395c7199caf83260

SHA256
74fe4ed380080775244ec0b92e9da92aa16fb30a0121eace6cd9b8bd0671b7c5

SHA512
f33322b526d4e914c6a2cc8c98045356aec7666f86f25b78a20017c36a748a080df76cba16a48f42d9076890a65e9ae4eb6c8703c6c428b891df3c45049f89a7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
32bcd3fa9aeb3bdc5891a4336ae05822

SHA1
e3a4c4af66b6ea92fb3dfbd2c30b0c50bb13ba7a

SHA256
4d88d0d4b35ebebae398fd68f54af0d701cc41883f35383e06a4180fa60316a6

SHA512
d3fa12c1067c4245381871565561459370cfa658a87995a51b50acc88ada1a6020395fba1e8fbbb17cea6665fdf5daa37d2cfd661261f6f8cf969c5911dc6e94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
680B

MD5
32bcd3fa9aeb3bdc5891a4336ae05822

SHA1
e3a4c4af66b6ea92fb3dfbd2c30b0c50bb13ba7a

SHA256
4d88d0d4b35ebebae398fd68f54af0d701cc41883f35383e06a4180fa60316a6

SHA512
d3fa12c1067c4245381871565561459370cfa658a87995a51b50acc88ada1a6020395fba1e8fbbb17cea6665fdf5daa37d2cfd661261f6f8cf969c5911dc6e94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
801B

MD5
3abd161d27393f0cfc3317224326f9b4

SHA1
461992ac5959d3cae05bc8ccb9f70827cc96434c

SHA256
cc445ec2429b92a0c033bd7df73a4da1a6c5cf6eea2be3b9ee1f4020fe4c65ed

SHA512
4619aaa56cba04db32bfa92f0c64d2dcd2d1fd966f26bcc16b664ad2d38df9db3de17a2508ca2442d547fd15b4c8dadea942effa630111b8143268b22d45f13d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
848B

MD5
25f674c297c74d18b27803725d218c99

SHA1
4a72601bb3f22d9f167b43b53d4fc4cb56c83ac2

SHA256
da6c36ed72d9234a17348b4c544163675085056a79f77bea45aa01a18ce00443

SHA512
a3583dc4a18c68431b79340e5be775a123bfab6ed83e0459585930a2f01e454a11d3018db76f09df16fe36870e4317824d005a5ebcefe6e752dd5234add33272

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
848B

MD5
25f674c297c74d18b27803725d218c99

SHA1
4a72601bb3f22d9f167b43b53d4fc4cb56c83ac2

SHA256
da6c36ed72d9234a17348b4c544163675085056a79f77bea45aa01a18ce00443

SHA512
a3583dc4a18c68431b79340e5be775a123bfab6ed83e0459585930a2f01e454a11d3018db76f09df16fe36870e4317824d005a5ebcefe6e752dd5234add33272

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5f7dd9e2cafe953a3d608d0fc33a5459

SHA1
c707be60aef5260f5c2893b298d48a4360f6b057

SHA256
1922216342cc4ae76fb94f75f39aa83ada817c73b2d523010aefa20da1b9f1d0

SHA512
3b2397b8bf18711fd558f32deafb7b6f1efab7f7c1c7bc67d1f67f736214caf189ed33126b9ac90ee6e6ba7fc868fa1e145ebb6ecab889ff40402163ac435f9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1bc4886fd5e0f8e56c235b32649680e5

SHA1
256d4b941bea2aa3b00e9ce6d6ee523a476097d4

SHA256
5efa5cdf09f0acc139ab471158faed0b965bead8b12deba7c99c7034982225d1

SHA512
38e00b27bcbf787f3fd7c0cd16287a9b3558c48b7b9bb8cc9b75157d4163c579c3e5ab38b1a8fad5d0cdbcad8f9ee97a0c1ea188d1cd94b57118d1e5430f2a37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b0300440603b806040e126893a5c542e

SHA1
e2015fe4a94057604270644023b50e67ceda5887

SHA256
a78196ab044e9e1da3858cee22dd1ee6c17d64f9baf5f73427cca830683e85dc

SHA512
0dc05bc20872a29d95b5f5df1cbb8785421b3187344b8110dedbeb4d8b03d2dd66543cf62d93490209200828d04e880eb5055739e5a97dc403a4305838847562

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b0300440603b806040e126893a5c542e

SHA1
e2015fe4a94057604270644023b50e67ceda5887

SHA256
a78196ab044e9e1da3858cee22dd1ee6c17d64f9baf5f73427cca830683e85dc

SHA512
0dc05bc20872a29d95b5f5df1cbb8785421b3187344b8110dedbeb4d8b03d2dd66543cf62d93490209200828d04e880eb5055739e5a97dc403a4305838847562

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b0300440603b806040e126893a5c542e

SHA1
e2015fe4a94057604270644023b50e67ceda5887

SHA256
a78196ab044e9e1da3858cee22dd1ee6c17d64f9baf5f73427cca830683e85dc

SHA512
0dc05bc20872a29d95b5f5df1cbb8785421b3187344b8110dedbeb4d8b03d2dd66543cf62d93490209200828d04e880eb5055739e5a97dc403a4305838847562

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f5f68af48521783d2431052c4d702127

SHA1
ba6af3f07b4c230770da57b7e8033a27d26317a6

SHA256
b515bc3cac57f54d398867df32ed482dc99a9b4381a81e8d9920229b0fbc18c7

SHA512
223dbd1633e61d4bf2a802f55ceb27d261b5b143fcc5a5be499e9a2f6f77228660048099ec7025372af16028458401b0db6e1b604d1686f1cb42f85795e140d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
18c47119018e274977f69918a9722c29

SHA1
2426bbd0fdcd3cc60e36207bfd26cd8de7b12526

SHA256
119044abe4dddbd9b89466ef62e73df78015d345b05c3b3c047414c1f6faad7c

SHA512
12ab98cdc725798ecd2f921cf806ba88aa8831709d1ff7370dc8ed78d1736f8cea7bc25b6f0eccae51778afb1a056fa57b8720933cd1c9e987f456880b02e867

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6ffaf6aa1750e0fca4770a32544799db

SHA1
fcf137ea7cc7882714cf2ad9631fdb47b74ea17a

SHA256
0fafcff5fe36667e600b7b314189f95889e16d3b076a600acdfe69a077ca8602

SHA512
9d38e0800631ad0fb6bd1f5e3be8449e00fa23b724f8a5c1a0ed9cee53fac83856be385e490a48df8a50962fc787d424429338aa4fa468c66e3c150c7dfdc75c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6ffaf6aa1750e0fca4770a32544799db

SHA1
fcf137ea7cc7882714cf2ad9631fdb47b74ea17a

SHA256
0fafcff5fe36667e600b7b314189f95889e16d3b076a600acdfe69a077ca8602

SHA512
9d38e0800631ad0fb6bd1f5e3be8449e00fa23b724f8a5c1a0ed9cee53fac83856be385e490a48df8a50962fc787d424429338aa4fa468c66e3c150c7dfdc75c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6ffaf6aa1750e0fca4770a32544799db

SHA1
fcf137ea7cc7882714cf2ad9631fdb47b74ea17a

SHA256
0fafcff5fe36667e600b7b314189f95889e16d3b076a600acdfe69a077ca8602

SHA512
9d38e0800631ad0fb6bd1f5e3be8449e00fa23b724f8a5c1a0ed9cee53fac83856be385e490a48df8a50962fc787d424429338aa4fa468c66e3c150c7dfdc75c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6ffaf6aa1750e0fca4770a32544799db

SHA1
fcf137ea7cc7882714cf2ad9631fdb47b74ea17a

SHA256
0fafcff5fe36667e600b7b314189f95889e16d3b076a600acdfe69a077ca8602

SHA512
9d38e0800631ad0fb6bd1f5e3be8449e00fa23b724f8a5c1a0ed9cee53fac83856be385e490a48df8a50962fc787d424429338aa4fa468c66e3c150c7dfdc75c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6ffaf6aa1750e0fca4770a32544799db

SHA1
fcf137ea7cc7882714cf2ad9631fdb47b74ea17a

SHA256
0fafcff5fe36667e600b7b314189f95889e16d3b076a600acdfe69a077ca8602

SHA512
9d38e0800631ad0fb6bd1f5e3be8449e00fa23b724f8a5c1a0ed9cee53fac83856be385e490a48df8a50962fc787d424429338aa4fa468c66e3c150c7dfdc75c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6ffaf6aa1750e0fca4770a32544799db

SHA1
fcf137ea7cc7882714cf2ad9631fdb47b74ea17a

SHA256
0fafcff5fe36667e600b7b314189f95889e16d3b076a600acdfe69a077ca8602

SHA512
9d38e0800631ad0fb6bd1f5e3be8449e00fa23b724f8a5c1a0ed9cee53fac83856be385e490a48df8a50962fc787d424429338aa4fa468c66e3c150c7dfdc75c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
7e4ba9c6eb1318ac1b20c1a3ee18a09f

SHA1
d1f768eb5bd6a5fa3515ef6e11ecb9b2d7bdfc1c

SHA256
ab543c5b051cc54d9b73617530a8f0b836d560a166de9ed6ff15acd99b41f60f

SHA512
92cf26928328d9d46b4e22007ece658da092786096b7757d61ca4cc1bc6654d132ae018124d39b2243c4267215a2cb9306b25b2ee03ab664fe600f73575e4485

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
cc5559ecab3097b228e210f00c630f65

SHA1
c2ef6b2997d32cde0dc299d416c46d0c438fc6dd

SHA256
717f85d63f1b9159c77952fabf20d02fb60429b19fe7d76a9d073ab85bc93ed1

SHA512
cb9f49e8712ea10b462057cfe676c3248f34eb79f48f56a9a26fe0b77da5abf3f00fae1a4ee0e3319c851096bfd735c123e2152072b31dad9044ee980e3730ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fb24a7bef512d4d07923f7f347067f35

SHA1
ced7a585476842ca290ea3b720b81b1c4551f735

SHA256
a858111fd20a9592a0df2c3e47fc98b95b190b3b30fa8c8fdd0fa13e1f445516

SHA512
6f82f1a407d62501b18b2d8f54a76574f3c1b3e420cae982799bc21b7fb808b539a2b4ffa7f3434d9cfaa323bc6a965ab079dda6c6b704c897b72e09052366c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
fb24a7bef512d4d07923f7f347067f35

SHA1
ced7a585476842ca290ea3b720b81b1c4551f735

SHA256
a858111fd20a9592a0df2c3e47fc98b95b190b3b30fa8c8fdd0fa13e1f445516

SHA512
6f82f1a407d62501b18b2d8f54a76574f3c1b3e420cae982799bc21b7fb808b539a2b4ffa7f3434d9cfaa323bc6a965ab079dda6c6b704c897b72e09052366c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
37a5ca86b93cac870e88144b3920b575

SHA1
c2e81c24b41b0bab9da8fdd027593f3368fd59f5

SHA256
010370f32ef7246e3458292b3acdcb42a8744572736570782a517c32690c3d65

SHA512
d5758dd5a8025e00a80c8b184a82376d7e270cb8ea14d03f34c6c938dc1f4168dd7b7cfc3cd863bde60d16c22f787a26e39146adebed0af7bca4db154ecdcf77

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
2a8ae580f8e731414163895dfb28cc02

SHA1
291bb0ca5066b78f647a5e3d6c07e48393fe7f2b

SHA256
686fd554ac095fba0ccd386fb3f041a480bd3c21d1283e28999a10f6328baa5e

SHA512
536db036c0fa39451066b3c77ad8b23c4335dee5439665bbb2d765b7cf5f29fbbe87240ea2b19b15c138130af2290c4322faec244349add6c7a2fcfdf19544eb

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
c729ce15a64c4abfc2ff917208383773

SHA1
55d19affb2c10e82593e9282a5f4f67f2b57451c

SHA256
dddca9cf295257c063f8af644bc059416000983e301c650069340905defca1a7

SHA512
855c2c78dbbd3ee6e9be4e918f1120663387461eee112a508aecfdccf2a405fcb7c2454b75e797b31906de98148adb4f4b68bdc4f497b30d027c5a2df9dc4b7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
7KB

MD5
5cdad5ac4b1da6415bfbeed091c7e71c

SHA1
3809c184612e7dcf184cbce41f8d4e6791c2b83f

SHA256
485c01edcbf3986dbb292580618fb0174c136bf9b415c163fc3047e87868905d

SHA512
030a1e1c7a012fbc1c6fd3c8b1d7d7114c22c333fddf7f82724d5cc4ba24dadc1692221abecfe55c7ab0f95c4c9447f10f69ad2b86796bdf59d72e966e61e148

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
d7f86fecff8c65328eafaf43f1f9c7c6

SHA1
2a904c070138a32333bdd1e59ffd2c97f648bfeb

SHA256
d4f0d76e7218aae9f07325dc049171c14bef54a4852524d5f9cbef86d9cf50b0

SHA512
6bd7747c9f8a1a10b3a735a7c316b70de45fc162816df0a42990eb33798f9b9de89df027c7086b15da83330935ff0a7da4ea57ef16eec0ab7b38ec3eb5d2bf5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs-1.js

Filesize
6KB

MD5
b17d5635c1c492e5f6ca5620006b782b

SHA1
c4e91d52915edc67ed130dfd9e58ae918c373a56

SHA256
36728e9bdb61e3070c96443b4f686f0b45db7bcd54546cd69982fc612a692855

SHA512
5614f8dec3801d08fe84c225294adadd7c53a45ee985205dcb93fdf2043060e3db39cc53ddb5c87659151173bca83b173d51507a1cb196e142f7132a420eb65e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\prefs.js

Filesize
6KB

MD5
f73e52d124620d05267ba934f3b312d3

SHA1
34121aa291d9f88b3e8e3a2fa37cb1c06cac2d30

SHA256
fc898a91ae8ce9d241c586f5dee2e60450dcdc5a31f1a7015d6dc2f4fefe4ac7

SHA512
4ef67626a2ba584817d707c71ddf7e7ce75a780921c3fcdfa8a03de0de9303c4b548ce3c3b493f1c4876d511271978bcd3cdbc2d1003b23c2459847180045d46

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
4a8c25f3d5ac074e71b992969678be65

SHA1
1a347b1e80a0613dc6cba7775970604190f04e88

SHA256
7abd2b30cc5666f8984dfa1c750eb906e78bcb424d5331e9928c1ee91a9feeb2

SHA512
7af55a80da7e4e268c99fe84cae5192f5d1b872ed6536f3861cab939d1d63d91933ba331aad588a1e53539d16630afd07a0b83742f1c5baa8fffe77181c73f52

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9402c81052ccb4f0f9dcbe1212d04da8

SHA1
a470ea2035967a86f17fb724f02eb8aa9f7616ce

SHA256
378e81e95d54f51e22d48d339ec1d47665653c13c9b43abb4fc8df95b320ac46

SHA512
ec375cf004565def49957ea3aa386584487fd76ef3bce12a2d43ae714dd526128deac60b9f617c410c1040e1ffafb7c0a5cc3a7f2a879f0a6bbca50603d148b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\sessionstore.jsonlz4

Filesize
5KB

MD5
5824e60e6c79a9dec649b217dcf9a74f

SHA1
192d232d8aff2b609f8b6ec461579b55735384cb

SHA256
34fbee9002a158dbaae4aad10454ea705ca4f4398008b9198a63c161ccbe45d3

SHA512
52da26a2b3fb78f814fe04a672b8f9489c72cfb00cef955f5b7deb61d4a4ec22f073609ec141f5a832bedbcd57d4fe542f7d2f30055e029c7838a358c8edf18e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\storage\default\https+++www.youtube.com\cache\morgue\129\{2bf683e8-d272-43bb-a717-d8791f331581}.final

Filesize
3KB

MD5
2e0f3be456b4a7854696a35ce38f13ea

SHA1
5096a8d7474827760e2137b55df81551f1bdffcd

SHA256
de9c243b65e76c4610f9e8102e13e15e22a675af7ff3741e644b2494b7292af3

SHA512
e91a5c3bc05c6befecd6452aadf96951c5f50bd6791bd2c6f38ff89bba94f793d9bcacca8608ca87a00eaa380c09f0434dc4d46dcac503f6ceac7daf31d29898

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\85w5cth6.default-release\storage\default\https+++www.youtube.com\idb\2232182701SeesravbiacteaWDosrgk.sqlite

Filesize
48KB

MD5
ee0fcd111a80d3fbe3537005ca798dea

SHA1
1dc7b1ff4ea1c8196b0a34eb128cb806d3f1ed0c

SHA256
0b8bbee09ba620b0929316e590e9280cbdd3bb7514687836fc6bd170e2a56da8

SHA512
a63e2a4d950002ef70ff910e7acd4eb49ed60a68e7645763e354ec7a31dc4a993f897e8896c5c209f00f866d2af28bd074207e2fe9c83cc52e42b858b7f21eac

Download Submit
memory/2200-142-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/2200-891-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/2200-325-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/2200-1167-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/4316-985-0x0000000005250000-0x0000000005251000-memory.dmp

Filesize
4KB

Download
memory/4316-1122-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/4316-1004-0x0000000005430000-0x0000000005431000-memory.dmp

Filesize
4KB

Download
memory/4316-1007-0x0000000005450000-0x0000000005451000-memory.dmp

Filesize
4KB

Download
memory/4316-1011-0x0000000005460000-0x0000000005461000-memory.dmp

Filesize
4KB

Download
memory/4316-1014-0x0000000005470000-0x0000000005471000-memory.dmp

Filesize
4KB

Download
memory/4316-1017-0x0000000005480000-0x0000000005481000-memory.dmp

Filesize
4KB

Download
memory/4316-1020-0x0000000005490000-0x0000000005491000-memory.dmp

Filesize
4KB

Download
memory/4316-1023-0x00000000054A0000-0x00000000054A1000-memory.dmp

Filesize
4KB

Download
memory/4316-1028-0x00000000054B0000-0x00000000054B1000-memory.dmp

Filesize
4KB

Download
memory/4316-1034-0x00000000054C0000-0x00000000054C1000-memory.dmp

Filesize
4KB

Download
memory/4316-1039-0x00000000054D0000-0x00000000054D1000-memory.dmp

Filesize
4KB

Download
memory/4316-1054-0x00000000054E0000-0x00000000054E1000-memory.dmp

Filesize
4KB

Download
memory/4316-1057-0x00000000054F0000-0x00000000054F1000-memory.dmp

Filesize
4KB

Download
memory/4316-1063-0x0000000005500000-0x0000000005501000-memory.dmp

Filesize
4KB

Download
memory/4316-1067-0x0000000005510000-0x0000000005511000-memory.dmp

Filesize
4KB

Download
memory/4316-1068-0x0000000005520000-0x0000000005521000-memory.dmp

Filesize
4KB

Download
memory/4316-1072-0x0000000005530000-0x0000000005531000-memory.dmp

Filesize
4KB

Download
memory/4316-996-0x0000000005410000-0x0000000005411000-memory.dmp

Filesize
4KB

Download
memory/4316-1000-0x0000000005420000-0x0000000005421000-memory.dmp

Filesize
4KB

Download
memory/4316-11175-0x00000000045F0000-0x00000000045F1000-memory.dmp

Filesize
4KB

Download
memory/4316-992-0x00000000053F0000-0x00000000053F1000-memory.dmp

Filesize
4KB

Download
memory/4316-988-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/4316-1565-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/4316-11176-0x0000000004600000-0x0000000004601000-memory.dmp

Filesize
4KB

Download
memory/4316-980-0x0000000005210000-0x0000000005211000-memory.dmp

Filesize
4KB

Download
memory/4316-983-0x0000000005230000-0x0000000005231000-memory.dmp

Filesize
4KB

Download
memory/4316-2518-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/4316-914-0x00000000020D0000-0x00000000020D1000-memory.dmp

Filesize
4KB

Download
memory/4316-855-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/4784-149-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/4784-326-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/4784-161-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/4784-11201-0x0000000001C00000-0x0000000001C01000-memory.dmp

Filesize
4KB

Download
memory/5060-133-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/5060-135-0x0000000001A40000-0x0000000001A41000-memory.dmp

Filesize
4KB

Download
memory/5060-324-0x0000000000700000-0x000000000177E000-memory.dmp

Filesize
16.5MB

Download
memory/5060-150-0x0000000005110000-0x0000000005111000-memory.dmp

Filesize
4KB

Download
memory/5060-152-0x0000000005120000-0x0000000005121000-memory.dmp

Filesize
4KB

Download