fbcc321f10e8ed9fbda3e9d9ce6cc03ad1fa3c83578a2b22ec7f6fd853412750

Analysis

max time kernel
141s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
15-03-2023 08:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.5MB
MD5

33614c059849aaeacaa68422b11a9795
SHA1

baf66bc7a279fcde9fa90708c153e06b89bb60d9
SHA256

25884495d9c27c8b120bfab40bd28b7f5255b4916c54c7fb74a90dd8000bf44e
SHA512

c211cfee30e6f3336a0d4aa8e44d91be4fb0399c2dc7d8a01b37d4264b44865c51037f5b6470f3aecd53cb551951132d80fbdba3b18fe0787cacd6166a66e5f6
SSDEEP

98304:cKYGKdACTgvV6qPvZpgvXM/N3qZBO0cY2YPGvhP0JGom5:cp86qPvZ6v6NH0l7PXm5

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

Processes:

powershell.exe

flow pid process

53 2704 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

AnyDesk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation AnyDesk.exe
Executes dropped EXE 1 IoCs

Processes:

Hw2exequível.exe

pid process

4560 Hw2exequível.exe

flow	pid	process
53	2704	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

pid	process
4560	Hw2exequível.exe

Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeHw2exequível.exe

pid	process
864	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
864	MsiExec.exe
4560	Hw2exequível.exe
4560	Hw2exequível.exe
4560	Hw2exequível.exe
4560	Hw2exequível.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in Windows directory 13 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{B1B01242-A134-4172-8520-EE58BAB12470}	msiexec.exe
File created	C:\Windows\Installer\e57d1ca.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID38C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID498.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID4B8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID65F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID72B.tmp	msiexec.exe
File created	C:\Windows\Installer\e57d1c7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57d1c7.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSID468.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000206f4107d723b55a0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000206f41070000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff000000000700010000680900206f4107000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000206f410700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1e	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\1f	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\1E\52C64B7E	msiexec.exe

Modifies registry class 24 IoCs

Processes:

msiexec.exeAnyDesk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Language = "1046"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\DeploymentFlags = "3"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Net	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\24210B1B431A27145802EE85AB1B4207\MainFeature	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\AdvertiseFlags = "388"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media\1 = ";"	msiexec.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Clients = 3a0000000000	msiexec.exe
Key created	\REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000_Classes\Local Settings	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\ProductName = "AnyDesk"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Assignment = "1"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\InstanceType = "0"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\AuthorizedLUAApp = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\PackageCode = "1BD298B5F2ED9B84692DEE45C27D3993"	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\Version = "16777216"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\UpgradeCodes\77F933B46D1B7E843A3263A3FC358A51	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\PackageName = "AnyDesk.msi"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Net\1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\24210B1B431A27145802EE85AB1B4207\SourceList\Media\DiskPrompt = "[1]"	msiexec.exe

Script User-Agent 1 IoCs
Uses user-agent string associated with script host/environment.

Processes:

description flow ioc

HTTP User-Agent header 72 Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)
Suspicious behavior: EnumeratesProcesses 5 IoCs

Processes:

msiexec.exepowershell.exe

pid process

4688 msiexec.exe
4688 msiexec.exe
2704 powershell.exe
2704 powershell.exe
2704 powershell.exe

description	flow	ioc
HTTP User-Agent header	72	Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5)

pid	process
4688	msiexec.exe
4688	msiexec.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exe

description	pid	process
Token: SeShutdownPrivilege	4000	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4000	msiexec.exe
Token: SeSecurityPrivilege	4688	msiexec.exe
Token: SeCreateTokenPrivilege	4000	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4000	msiexec.exe
Token: SeLockMemoryPrivilege	4000	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4000	msiexec.exe
Token: SeMachineAccountPrivilege	4000	msiexec.exe
Token: SeTcbPrivilege	4000	msiexec.exe
Token: SeSecurityPrivilege	4000	msiexec.exe
Token: SeTakeOwnershipPrivilege	4000	msiexec.exe
Token: SeLoadDriverPrivilege	4000	msiexec.exe
Token: SeSystemProfilePrivilege	4000	msiexec.exe
Token: SeSystemtimePrivilege	4000	msiexec.exe
Token: SeProfSingleProcessPrivilege	4000	msiexec.exe
Token: SeIncBasePriorityPrivilege	4000	msiexec.exe
Token: SeCreatePagefilePrivilege	4000	msiexec.exe
Token: SeCreatePermanentPrivilege	4000	msiexec.exe
Token: SeBackupPrivilege	4000	msiexec.exe
Token: SeRestorePrivilege	4000	msiexec.exe
Token: SeShutdownPrivilege	4000	msiexec.exe
Token: SeDebugPrivilege	4000	msiexec.exe
Token: SeAuditPrivilege	4000	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4000	msiexec.exe
Token: SeChangeNotifyPrivilege	4000	msiexec.exe
Token: SeRemoteShutdownPrivilege	4000	msiexec.exe
Token: SeUndockPrivilege	4000	msiexec.exe
Token: SeSyncAgentPrivilege	4000	msiexec.exe
Token: SeEnableDelegationPrivilege	4000	msiexec.exe
Token: SeManageVolumePrivilege	4000	msiexec.exe
Token: SeImpersonatePrivilege	4000	msiexec.exe
Token: SeCreateGlobalPrivilege	4000	msiexec.exe
Token: SeBackupPrivilege	4436	vssvc.exe
Token: SeRestorePrivilege	4436	vssvc.exe
Token: SeAuditPrivilege	4436	vssvc.exe
Token: SeBackupPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe
Token: SeTakeOwnershipPrivilege	4688	msiexec.exe
Token: SeRestorePrivilege	4688	msiexec.exe

Suspicious use of FindShellTrayWindow 5 IoCs

Processes:

msiexec.exepowershell.exe

pid process

4000 msiexec.exe
2704 powershell.exe
2704 powershell.exe
2704 powershell.exe
2704 powershell.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AnyDesk.exe

pid process

4848 AnyDesk.exe
4848 AnyDesk.exe

pid	process
4000	msiexec.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe
2704	powershell.exe

pid	process
4848	AnyDesk.exe
4848	AnyDesk.exe

Suspicious use of WriteProcessMemory 14 IoCs

Processes:

AnyDesk.exemsiexec.exeMsiExec.exepowershell.exe

description	pid	process	target process
PID 4848 wrote to memory of 4000	4848	AnyDesk.exe	msiexec.exe
PID 4848 wrote to memory of 4000	4848	AnyDesk.exe	msiexec.exe
PID 4848 wrote to memory of 4000	4848	AnyDesk.exe	msiexec.exe
PID 4688 wrote to memory of 2804	4688	msiexec.exe	srtasks.exe
PID 4688 wrote to memory of 2804	4688	msiexec.exe	srtasks.exe
PID 4688 wrote to memory of 864	4688	msiexec.exe	MsiExec.exe
PID 4688 wrote to memory of 864	4688	msiexec.exe	MsiExec.exe
PID 4688 wrote to memory of 864	4688	msiexec.exe	MsiExec.exe
PID 864 wrote to memory of 2704	864	MsiExec.exe	powershell.exe
PID 864 wrote to memory of 2704	864	MsiExec.exe	powershell.exe
PID 864 wrote to memory of 2704	864	MsiExec.exe	powershell.exe
PID 2704 wrote to memory of 4560	2704	powershell.exe	Hw2exequível.exe
PID 2704 wrote to memory of 4560	2704	powershell.exe	Hw2exequível.exe
PID 2704 wrote to memory of 4560	2704	powershell.exe	Hw2exequível.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4848
- C:\Windows\SysWOW64\msiexec.exe
  "C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi"
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4000

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4688
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  PID:2804
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 84767479201E7E91F54CDC241CE8CC5E
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:864
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    -NoProfile -Noninteractive -ExecutionPolicy Bypass -File "C:\Users\Admin\AppData\Local\Temp\pssD748.ps1" -propFile "C:\Users\Admin\AppData\Local\Temp\msiD736.txt" -scriptFile "C:\Users\Admin\AppData\Local\Temp\scrD737.ps1" -scriptArgsFile "C:\Users\Admin\AppData\Local\Temp\scrD738.txt" -propSep " :<->: " -testPrefix "_testValue."
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2704
  - - C:\Users\Admin\devir\subordinado\Hw2exequível.exe
      "C:\Users\Admin\devir\subordinado\Hw2exequível.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4560
  - - C:\Users\Public\Documents\AnyDesk\setup.exe
      "C:\Users\Public\Documents\AnyDesk\setup.exe"
      4⤵
      PID:3060
    - - C:\Users\Public\Documents\AnyDesk\setup.exe
        
        "C:\Users\Public\Documents\AnyDesk\setup.exe" --local-service
        5⤵
        
        PID:4148
    - - C:\Users\Public\Documents\AnyDesk\setup.exe
        
        "C:\Users\Public\Documents\AnyDesk\setup.exe" --local-control
        5⤵
        
        PID:5100

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4436

C:\Program Files (x86)\Internet Explorer\ielowutil.exe
"C:\Program Files (x86)\Internet Explorer\ielowutil.exe" -CLSID:{0002DF01-0000-0000-C000-000000000046} -Embedding
1⤵
PID:1768

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -Embedding
1⤵
PID:2596
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2596 CREDAT:17410 /prefetch:2
  2⤵
  PID:4428

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57d1c9.rbs

Filesize
607KB

MD5
e9d8704f704eebaa50f7924c265e3dce

SHA1
ae0bb94a8e01022ecc10d786b7a0c71b23415105

SHA256
d219e1e01a673b2c4fe1f9492a995aa79e6f2cb9a483188781eecf1cb1d318ba

SHA512
7f2f625d3dde26943b076cbd35a4a0055786508a51425c74739eb3f662f4ede4e8bf2b8a4309fbf17b0abd028ee300731e4b0f4638c498fefe4996be4f243d7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi

Filesize
5.2MB

MD5
1b71048c460473fd82ec2de1c98798b0

SHA1
a139134145c4eb2fb460a319d1727540ee264927

SHA256
cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f

SHA512
d3e09b1533f4b479090b97aea372e8eb720fb7fbcb9bd5290383a432da855ec4a780b50f61dc558595d3b9098ede0cde513b548570dc9293b3cf1f53eb4a0d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDesk.msi

Filesize
5.2MB

MD5
1b71048c460473fd82ec2de1c98798b0

SHA1
a139134145c4eb2fb460a319d1727540ee264927

SHA256
cb6901ccc6c51ab46b327eb44c5dc7cc597e38c89a7584177e58d5d0f26fe45f

SHA512
d3e09b1533f4b479090b97aea372e8eb720fb7fbcb9bd5290383a432da855ec4a780b50f61dc558595d3b9098ede0cde513b548570dc9293b3cf1f53eb4a0d29

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ktxsp4q3.luc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\pssD748.ps1

Filesize
5KB

MD5
fc1bb6c87fd1f08b534e52546561c53c

SHA1
db402c5c1025cf8d3e79df7b868fd186243aa9d1

SHA256
a04750ed5f05b82b90f6b8ea3748ba246af969757a5a4b74a0e25b186add520b

SHA512
5495f4ac3c8f42394a82540449526bb8ddd91adf0a1a852a9e1f2d32a63858b966648b4099d9947d8ac68ee43824dacda24c337c5b97733905e36c4921280e86

Download Submit
C:\Users\Admin\AppData\Local\Temp\scrD737.ps1

Filesize
17KB

MD5
573c661545a080753d80b02e5116212c

SHA1
4905b0e15d7c6daa47ec99f8536306b8dcdca702

SHA256
9f636f81baf940aa6c51f47bbeb3de89c3a70fcc524bebd4333fcf2e7a690c25

SHA512
0d8c3979a02e0a11207cd5d9dddad6d704fe4aa2c979106e56019c3d2eddfbb93f650e59f1c8ed0336d022cbcb89ce82bdcf5c7ab1635ba096944aa5f743b10e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
5554e38a35014934f563f7b292269cac

SHA1
e6507835610540e53b97a43aa3a0aca76620dda6

SHA256
948c9ebe6b291016cac178813d6709b4d6462d819d79f7eb21c0e2603fa3bb08

SHA512
36fb5f1021457cd4bfa64dfa76de3677537439349f688db2d83f9d2ae7dee4929ea1be2123d079e6e309ac49a988cca96474ed73287bd7f0654690e5820ae838

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
d76f0d778200a72ba131d41e3eac025a

SHA1
29e4d529e0c87cf354cf7994ef548edf1e7f4b65

SHA256
4f8e5caa86fbe35d6187abc50e858edf516b3849e98891d55b9ddba4c2af7c37

SHA512
2144ecd72a8afbda0760cb68a6c46a56d4f310d6604bdf7a0cb1287c843866106b125bda6a59a29cbf25c4a0d24760a14190367b3684ff807072114bae95402d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6410c9b813edd795a134d6625c1121b3

SHA1
2ef8551e88317e306a3ead132945ee422f5ffd4a

SHA256
fc4fc6c121bd65b22a394cc5a159733f1b82e5c81d8e813aeb13ffd55ba0f994

SHA512
af6a492000f3f857422f3904a68342f9f44bf6f1a2f54c0bd2c3de49136b6a006c2bd9241bafc35cabfd92d53f4b094460875a4aef538df9c6b52f3cac34bed1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
6410c9b813edd795a134d6625c1121b3

SHA1
2ef8551e88317e306a3ead132945ee422f5ffd4a

SHA256
fc4fc6c121bd65b22a394cc5a159733f1b82e5c81d8e813aeb13ffd55ba0f994

SHA512
af6a492000f3f857422f3904a68342f9f44bf6f1a2f54c0bd2c3de49136b6a006c2bd9241bafc35cabfd92d53f4b094460875a4aef538df9c6b52f3cac34bed1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b12e2b68d0926d80cdf5a89c215a37aa

SHA1
5d8557b40157d9ee3fa8a9b1ea1244a6491de4b8

SHA256
75779197f4d26eba1a2ab720386103e05283a7c76220a0ffd3bc474a2c93a126

SHA512
e506d6dfa886bcae86f049bd768728833b45587e739aad74049b231d4bc7c1ae5d36e491371d522977f973a18b420519a2d7be7e80300a7735c0e9e7263afbbe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b12e2b68d0926d80cdf5a89c215a37aa

SHA1
5d8557b40157d9ee3fa8a9b1ea1244a6491de4b8

SHA256
75779197f4d26eba1a2ab720386103e05283a7c76220a0ffd3bc474a2c93a126

SHA512
e506d6dfa886bcae86f049bd768728833b45587e739aad74049b231d4bc7c1ae5d36e491371d522977f973a18b420519a2d7be7e80300a7735c0e9e7263afbbe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
afe20fb6edc0d60b89a8b3b12696f730

SHA1
2593f3f133700a016ab52727fb493d920b8ecd42

SHA256
ab88a3830a0c9a4f8bd0af95dafc0b2e2474df44438a11d48d6c6b20f1057c0d

SHA512
240da3daddde81d4841d026aa8a96774168765a50dc7cba73276f922adfa3b438e66210be671fa28e886a08112fb1080a3877316c92914325faa548585d6d4a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f324d8a46e40c9eacba25bcd1acd4dca

SHA1
37c735877aafc910dbe4c9b1b33274b0a0fcdbee

SHA256
0e5ca476e87b56e5a1d00a907bb512ac5fca5e2dcbd2d25fbeab232ffd4a28f0

SHA512
5c691fc344c32648513c56578caac1f4045b260aa589a293f62de0bb9ecfcebd9791323452e32d7ab6322a1574f8af74352020bac18db3d0c45a905bd8735477

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ffdb2567645f9754012496b3c60a172e

SHA1
bda137aa11646172074d871c3be5562d33b7471d

SHA256
57a3bf2a8940cc0f8e1d0532831416dfbbb94eb34dfe95f11a803aeab55b5c4b

SHA512
c4a9865321b02fee15b5bc90878279941ca570a51c88339edf5acfd46294d3e1c1c8ae1548e0d10e4e5217c01baa9ccb6eeadde24907179c8ccfffb5a3ce6432

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7cbad533bfbca67d90c67bff663b8bad

SHA1
28303654acf9e8f7bac49f4bc82af0fb74ddbe58

SHA256
9d87c69f69b63b6eb8950700c513868c95003d9a7b8f1bca444ff78b904b5378

SHA512
5991416df2d43be1f04149812939f1e71edf112e831b0044243c29da2f417f3e78028e809e7cd297bad85702f71f2841df77cb73ea4f1022ba4958add9a26b07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7cbad533bfbca67d90c67bff663b8bad

SHA1
28303654acf9e8f7bac49f4bc82af0fb74ddbe58

SHA256
9d87c69f69b63b6eb8950700c513868c95003d9a7b8f1bca444ff78b904b5378

SHA512
5991416df2d43be1f04149812939f1e71edf112e831b0044243c29da2f417f3e78028e809e7cd297bad85702f71f2841df77cb73ea4f1022ba4958add9a26b07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7cbad533bfbca67d90c67bff663b8bad

SHA1
28303654acf9e8f7bac49f4bc82af0fb74ddbe58

SHA256
9d87c69f69b63b6eb8950700c513868c95003d9a7b8f1bca444ff78b904b5378

SHA512
5991416df2d43be1f04149812939f1e71edf112e831b0044243c29da2f417f3e78028e809e7cd297bad85702f71f2841df77cb73ea4f1022ba4958add9a26b07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7cbad533bfbca67d90c67bff663b8bad

SHA1
28303654acf9e8f7bac49f4bc82af0fb74ddbe58

SHA256
9d87c69f69b63b6eb8950700c513868c95003d9a7b8f1bca444ff78b904b5378

SHA512
5991416df2d43be1f04149812939f1e71edf112e831b0044243c29da2f417f3e78028e809e7cd297bad85702f71f2841df77cb73ea4f1022ba4958add9a26b07

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7cbad533bfbca67d90c67bff663b8bad

SHA1
28303654acf9e8f7bac49f4bc82af0fb74ddbe58

SHA256
9d87c69f69b63b6eb8950700c513868c95003d9a7b8f1bca444ff78b904b5378

SHA512
5991416df2d43be1f04149812939f1e71edf112e831b0044243c29da2f417f3e78028e809e7cd297bad85702f71f2841df77cb73ea4f1022ba4958add9a26b07

Download Submit
C:\Users\Admin\devir\subordinado\Hw2exequível.exe

Filesize
213KB

MD5
7fb1c5dfc2605843cec69a6fc4e96576

SHA1
b5e591d23a3798b89648033760d3710a403b32be

SHA256
330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5

SHA512
0c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7

Download Submit
C:\Users\Admin\devir\subordinado\Hw2exequível.exe

Filesize
213KB

MD5
7fb1c5dfc2605843cec69a6fc4e96576

SHA1
b5e591d23a3798b89648033760d3710a403b32be

SHA256
330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5

SHA512
0c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7

Download Submit
C:\Users\Admin\devir\subordinado\Hw2exequível.exe

Filesize
213KB

MD5
7fb1c5dfc2605843cec69a6fc4e96576

SHA1
b5e591d23a3798b89648033760d3710a403b32be

SHA256
330c1d3dd702af11b01ae38ced101e4c4217816e4887e9ebffe2e529cdc857d5

SHA512
0c62d01a97d01044a7f4083f2cf6a0e18397bc50cc9f0847bf6da2f604d1d89cd3010d005785077aca2d8249f870f2817a6b4d845235cda55ac5519aee5dc1b7

Download Submit
C:\Users\Admin\devir\subordinado\MSVCR80.dll

Filesize
3.6MB

MD5
650316f36cab9b31d6d743109c55b87a

SHA1
2016b0aa7d44bff91f292acacd81998cc5ca79e1

SHA256
8e48344a0637941d305d3d368a96adeeb791b1ee1d4c4b7316fa492962f5e7fe

SHA512
8b69198d0f20e34f87b458ce90c19e5a7e3ecd53a6d896a356b58a9e2232e8d450c7b31d33e1a9439f5e705faabfdd7ed2be36b312c231fd60f116328207cbd8

Download Submit
C:\Users\Admin\devir\subordinado\Update.zip

Filesize
34.0MB

MD5
2d3ba64c6b91723bcda584b7b086a7e7

SHA1
b00f3b74f16c29546427d27a70c85d63dc87601c

SHA256
bb5e945b4d14207d543169e43b1e39e6565a7a8ecdba3b663b73d7b653f9c911

SHA512
84c5af14cff7c2a20a7505032bee707248af6b79dd184752e308551b5a2aa3703f6d19e5151ec87eba04242d917da7a34584d9f69c69e095db352a09fdd20f9d

Download Submit
C:\Users\Admin\devir\subordinado\custsat.dll

Filesize
33KB

MD5
1ff80ebe5082a13d02253b415aa26f60

SHA1
7da7551ec7f3f1e606edf9313595e4ebe45ac8d1

SHA256
e0088b6361c7ea8e611ba32542beff7ac12955991c82a5fe9ef5d9a97d6ca14f

SHA512
8c33e9427227835229d27f59206e55cd98c372e6a20981c6b0518a5f9b81c127b0f40276c21adac06a433c1947ab56f7f2166135d184dec1162b5071e3037e90

Download Submit
C:\Users\Admin\devir\subordinado\custsat.dll

Filesize
33KB

MD5
1ff80ebe5082a13d02253b415aa26f60

SHA1
7da7551ec7f3f1e606edf9313595e4ebe45ac8d1

SHA256
e0088b6361c7ea8e611ba32542beff7ac12955991c82a5fe9ef5d9a97d6ca14f

SHA512
8c33e9427227835229d27f59206e55cd98c372e6a20981c6b0518a5f9b81c127b0f40276c21adac06a433c1947ab56f7f2166135d184dec1162b5071e3037e90

Download Submit
C:\Users\Admin\devir\subordinado\custsat.dll

Filesize
33KB

MD5
1ff80ebe5082a13d02253b415aa26f60

SHA1
7da7551ec7f3f1e606edf9313595e4ebe45ac8d1

SHA256
e0088b6361c7ea8e611ba32542beff7ac12955991c82a5fe9ef5d9a97d6ca14f

SHA512
8c33e9427227835229d27f59206e55cd98c372e6a20981c6b0518a5f9b81c127b0f40276c21adac06a433c1947ab56f7f2166135d184dec1162b5071e3037e90

Download Submit
C:\Users\Admin\devir\subordinado\msvcr80.dll

Filesize
3.6MB

MD5
650316f36cab9b31d6d743109c55b87a

SHA1
2016b0aa7d44bff91f292acacd81998cc5ca79e1

SHA256
8e48344a0637941d305d3d368a96adeeb791b1ee1d4c4b7316fa492962f5e7fe

SHA512
8b69198d0f20e34f87b458ce90c19e5a7e3ecd53a6d896a356b58a9e2232e8d450c7b31d33e1a9439f5e705faabfdd7ed2be36b312c231fd60f116328207cbd8

Download Submit
C:\Users\Admin\devir\subordinado\msvcr80.dll

Filesize
3.6MB

MD5
650316f36cab9b31d6d743109c55b87a

SHA1
2016b0aa7d44bff91f292acacd81998cc5ca79e1

SHA256
8e48344a0637941d305d3d368a96adeeb791b1ee1d4c4b7316fa492962f5e7fe

SHA512
8b69198d0f20e34f87b458ce90c19e5a7e3ecd53a6d896a356b58a9e2232e8d450c7b31d33e1a9439f5e705faabfdd7ed2be36b312c231fd60f116328207cbd8

Download Submit
C:\Users\Admin\devir\subordinado\netonxx

Filesize
17.5MB

MD5
6409924309476f7fae876b16da19ad6e

SHA1
2975e5f750d29747647ebd8307f664d9e8bd266f

SHA256
5cc122addb8d5068d1778e15430061b400ee1f041ba678ec18df16013ec6199a

SHA512
3c4d7595fca168ed78bb0ddf8d59158001527f8b22b2fe6ee1b9e2142983bdd9bf256e129c1e72ad1091aabe0550eab31ea200deccb096a61df4324d7345acb3

Download Submit
C:\Users\Public\Documents\AnyDesk\setup.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Public\Documents\AnyDesk\setup.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Public\Documents\AnyDesk\setup.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Users\Public\Documents\AnyDesk\setup.exe

Filesize
3.8MB

MD5
9a1d9fe9b1223273c314632d04008384

SHA1
665cad3ed21f6443d1adacf18ca45dfaa8f52c99

SHA256
0f4bf8506a2560c568b9815124dfc43a11c561ed611829df841ec7aba8302359

SHA512
3ec400acd075a4078d7d9f06c853be4ee0fdd7a9d1628428326534df6c0f3ea8f745af9d29031e9259a1bee2f78dd48dfaebcb7e897c22736909a9d6b4f24ba5

Download Submit
C:\Windows\Installer\MSID38C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID38C.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID468.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID468.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID498.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID498.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID498.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID4B8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID4B8.tmp

Filesize
436KB

MD5
475d20c0ea477a35660e3f67ecf0a1df

SHA1
67340739f51e1134ae8f0ffc5ae9dd710e8e3a08

SHA256
426e6cf199a8268e8a7763ec3a4dd7add982b28c51d89ebea90ca792cbae14dd

SHA512
99525aaab2ab608134b5d66b5313e7fc3c2e2877395c5c171897d7a6c66efb26b606de1a4cb01118c2738ea4b6542e4eb4983e631231b3f340bf85e509a9589e

Download Submit
C:\Windows\Installer\MSID72B.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
C:\Windows\Installer\MSID72B.tmp

Filesize
574KB

MD5
7b7d9e2c9b8236e7155f2f97254cb40e

SHA1
99621fc9d14511428d62d91c31865fb2c4625663

SHA256
df58faba241328b9645dcb5dec387ec5edd56e2d878384a4783f2c0a66f85897

SHA512
fbaa1560f03255f73be3e846959e4b7cbb1c24165d014ed01245639add6cc463975e5558567ab5704e18c9078a8a071c9e38dc1e499ba6e3dc507d4275b4a228

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
d78be930303e5e7ad6310bbff425c98a

SHA1
6db394a3586b5728de17ea7ca941d8bae925cce2

SHA256
0922f8ff3e88c4dad4494fda8bb6e92205bf22e1d7b5f7ddf75af46371cd000a

SHA512
955eb0aeba52c35f9ef39d719ae5f5de0911c528a3ce72c50ec08c6c3530b3a5f3e1acaa5dd2c1d4135a209cba2179235e0ea53d0b5da6b9ef57d9093d7b76fe

Download Submit
\??\Volume{07416f20-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{cdcf28ce-f615-4d15-9766-99757bb995fe}_OnDiskSnapshotProp

Filesize
5KB

MD5
0a77133d098bed7609780dc0ef5e95d8

SHA1
f905c157530b8a9d0a0dacb8c7b0697dd8710a18

SHA256
74f3300924ba9a403e40312f1b177140b413ecfe237d05ec6d43619b928b4eba

SHA512
64718e86fb0b48720d9e31bd8519bf2e136a21a66e8ebe82be2d29fb3bb9d8d54e6a3fef21b2ac962815a82f3d1c478c3bccca217d199ad0b11cc9ab81e7250e

Download Submit
memory/2704-208-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2704-184-0x0000000004C20000-0x0000000004C42000-memory.dmp

Filesize
136KB

Download
memory/2704-199-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2704-200-0x00000000074C0000-0x0000000007B3A000-memory.dmp

Filesize
6.5MB

Download
memory/2704-196-0x0000000005B60000-0x0000000005B7E000-memory.dmp

Filesize
120KB

Download
memory/2704-186-0x0000000005510000-0x0000000005576000-memory.dmp

Filesize
408KB

Download
memory/2704-204-0x0000000007B40000-0x00000000080E4000-memory.dmp

Filesize
5.6MB

Download
memory/2704-203-0x0000000006140000-0x0000000006162000-memory.dmp

Filesize
136KB

Download
memory/2704-180-0x0000000002580000-0x00000000025B6000-memory.dmp

Filesize
216KB

Download
memory/2704-201-0x00000000060B0000-0x00000000060CA000-memory.dmp

Filesize
104KB

Download
memory/2704-185-0x00000000054A0000-0x0000000005506000-memory.dmp

Filesize
408KB

Download
memory/2704-211-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2704-202-0x0000000006E40000-0x0000000006ED6000-memory.dmp

Filesize
600KB

Download
memory/2704-183-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2704-209-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/2704-181-0x0000000004D70000-0x0000000005398000-memory.dmp

Filesize
6.2MB

Download
memory/2704-182-0x00000000025C0000-0x00000000025D0000-memory.dmp

Filesize
64KB

Download
memory/3060-359-0x0000000005040000-0x0000000005041000-memory.dmp

Filesize
4KB

Download
memory/3060-353-0x0000000005030000-0x0000000005031000-memory.dmp

Filesize
4KB

Download
memory/3060-328-0x0000000001A50000-0x0000000001A51000-memory.dmp

Filesize
4KB

Download
memory/3060-322-0x0000000000430000-0x0000000001489000-memory.dmp

Filesize
16.3MB

Download
memory/4148-352-0x0000000000430000-0x0000000001489000-memory.dmp

Filesize
16.3MB

Download
memory/4560-302-0x0000000000950000-0x000000000142B000-memory.dmp

Filesize
10.9MB

Download
memory/4560-341-0x000000000F190000-0x000000000F191000-memory.dmp

Filesize
4KB

Download
memory/4560-324-0x0000000008F30000-0x000000000E8A7000-memory.dmp

Filesize
89.5MB

Download
memory/4560-321-0x0000000000630000-0x0000000000631000-memory.dmp

Filesize
4KB

Download
memory/4560-305-0x0000000000950000-0x000000000142B000-memory.dmp

Filesize
10.9MB

Download
memory/4560-304-0x0000000000950000-0x000000000142B000-memory.dmp

Filesize
10.9MB

Download
memory/4560-303-0x0000000000950000-0x000000000142B000-memory.dmp

Filesize
10.9MB

Download
memory/4560-301-0x00000000004A0000-0x00000000004AB000-memory.dmp

Filesize
44KB

Download
memory/4688-198-0x000002B4A21C0000-0x000002B4A2C81000-memory.dmp

Filesize
10.8MB

Download
memory/5100-396-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/5100-349-0x0000000000430000-0x0000000001489000-memory.dmp

Filesize
16.3MB

Download