55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1800s
max time network
1804s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2024 14:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

8^/10

discovery

Malware Config

Signatures

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8F2DE7E770A8B1E412C2DE131064D7A52DA62287\Blob = 0300000001000000140000008f2de7e770a8b1e412c2de131064d7a52da62287190000000100000010000000aa6fd6bd7df2864341e10de037f41dc6040000000100000010000000a7c9563a13f15ee0e171ef6aa4c7a7870f0000000100000020000000dcb8261fa22c834b1ffb69470c0cc7baff034b5c656a6c297259addfbf73f1e320000000010000002c0500003082052830820410a003020102021003e9eb4dff67d4f9a554a422d5ed86f3300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3138313032343030303030305a170d3232303130353132303030305a3065310b300906035504061302444531123010060355040713095374757474676172743120301e060355040a13177068696c616e64726f20536f66747761726520476d62483120301e060355040313177068696c616e64726f20536f66747761726520476d624830820122300d06092a864886f70d01010105000382010f003082010a0282010100c670a0d7fd91b6a5a0608435029365d11e529a2d43df54680357ad83dfb4ee6cbf54d74c4bc9205fbbca3b436d0fe3370b3200d8c655e242c92b4b2a2fa6040c81e530fcc1a60d849d52886bf3e29c50b52413e2a321f756b314f3bcbc47e550ea4b6ecf895132ae6f99a947ea9ad00982b86ebce0cd6a198bc65f1cc1bb6a1638931cb630c26ca343eb7f2bb394f36cb302bec93f3828dcf165700e7a00712cc914ce5f4b6c6945f201d769ca2fffe1268b6cf57965bd8d5c4177a2d176f32c9c9e60a7a96c3f775e64b84734394983790f56701d1b8f9614028ca180e7d03ffafa30bb51149059ae4d93d8b696c1160319e9945a760a640dd6bd134ce6db270203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e0416041437566615f0b266ff2f5295d1ae83c4e065330e43300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010081f8e7b945d68610bab4057f23259843f454fd9c7aac4180dec936794e4a664dda255b30644288538121e30a69d4447dbc04c2da21e44f5c4ba41e706c9de0cb51c67931e31207ba3ac11791f9e551deb1aa3feee2a6e199a4d10b0cd71c05143f4466d6c84747d9bc3127e47102d90a2487440ea1b9a8e7317ddeeee3a0f42c296bf03314fa6e86f3743b9a4a6e756a54e67b0513c343e9e9f7c730af9f00acb32a27f707d3d04f22d58cbbb588c2fc72d5a37c4acaaab650c9533e96aa7a0bf53a60d86fb6ee8c982ec49b49130956b064d62e010da8a75e786a4445cff7b506eac4a40ab672d91dd23a272c7e28fb670cb502ff0f5572d88d8706580c5caf	BackgroundTaskHost.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Drops file in System32 directory 42 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\AnyDeskPrintDriver.gpd	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter.dll	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\anydeskprintdriver.inf	BackgroundTaskHost.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4A8.tmp	BackgroundTaskHost.exe
File created	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4A9.tmp	BackgroundTaskHost.exe
File created	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4DA.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4DB.tmp	BackgroundTaskHost.exe
File created	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4DB.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4C9.tmp	BackgroundTaskHost.exe
File created	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4CA.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\AnyDeskPrintDriver.cat	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4C9.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\AnyDeskPrintDriver-manifest.ini	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.gpd	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4A8.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4A9.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\AnyDeskPrintDriverRenderFilter.dll	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver-manifest.ini	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.cat	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\anydeskprintdriver.inf	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}	BackgroundTaskHost.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4CA.tmp	BackgroundTaskHost.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\SETC4DA.tmp	BackgroundTaskHost.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File created	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\inf\oem3.inf	BackgroundTaskHost.exe
File created	C:\Windows\inf\oem3.inf	BackgroundTaskHost.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	BackgroundTaskHost.exe

Executes dropped EXE 4 IoCs

pid	Process
3304	AnyDesk.exe
4584	AnyDesk.exe
4240	AnyDesk.exe
4404	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4584	AnyDesk.exe
3304	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	BackgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	BackgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	BackgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	BackgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	BackgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Phantom	BackgroundTaskHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	BackgroundTaskHost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	BackgroundTaskHost.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	BackgroundTaskHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133510985128372654"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	BackgroundTaskHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	BackgroundTaskHost.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4584	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2788	AnyDesk.exe
2788	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
5112	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
3304	AnyDesk.exe
4420	msedge.exe
4420	msedge.exe
6072	msedge.exe
6072	msedge.exe
3112	chrome.exe
3112	chrome.exe
5544	chrome.exe
5544	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4404	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeAuditPrivilege	2312	svchost.exe
Token: SeSecurityPrivilege	2312	svchost.exe
Token: SeDebugPrivilege	3304	AnyDesk.exe
Token: SeDebugPrivilege	3304	AnyDesk.exe
Token: SeDebugPrivilege	3304	AnyDesk.exe
Token: SeAssignPrimaryTokenPrivilege	3304	AnyDesk.exe
Token: 33	3032	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3032	AUDIODG.EXE
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe
Token: SeShutdownPrivilege	3112	chrome.exe
Token: SeCreatePagefilePrivilege	3112	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1256	AnyDesk.exe
1256	AnyDesk.exe
1256	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
1256	AnyDesk.exe
1256	AnyDesk.exe
1256	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
4584	AnyDesk.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
3112	chrome.exe
4584	AnyDesk.exe
4584	AnyDesk.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4404	AnyDesk.exe
4404	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 2788	5068	AnyDesk.exe	85
PID 5068 wrote to memory of 2788	5068	AnyDesk.exe	85
PID 5068 wrote to memory of 2788	5068	AnyDesk.exe	85
PID 5068 wrote to memory of 1256	5068	AnyDesk.exe	84
PID 5068 wrote to memory of 1256	5068	AnyDesk.exe	84
PID 5068 wrote to memory of 1256	5068	AnyDesk.exe	84
PID 5068 wrote to memory of 5112	5068	AnyDesk.exe	93
PID 5068 wrote to memory of 5112	5068	AnyDesk.exe	93
PID 5068 wrote to memory of 5112	5068	AnyDesk.exe	93
PID 5112 wrote to memory of 4688	5112	AnyDesk.exe	98
PID 5112 wrote to memory of 4688	5112	AnyDesk.exe	98
PID 5112 wrote to memory of 4688	5112	AnyDesk.exe	98
PID 5112 wrote to memory of 4348	5112	AnyDesk.exe	101
PID 5112 wrote to memory of 4348	5112	AnyDesk.exe	101
PID 5112 wrote to memory of 4348	5112	AnyDesk.exe	101
PID 2312 wrote to memory of 4576	2312	svchost.exe	110
PID 2312 wrote to memory of 4576	2312	svchost.exe	110
PID 4576 wrote to memory of 3360	4576	BackgroundTaskHost.exe	104
PID 4576 wrote to memory of 3360	4576	BackgroundTaskHost.exe	104
PID 3304 wrote to memory of 4404	3304	AnyDesk.exe	107
PID 3304 wrote to memory of 4404	3304	AnyDesk.exe	107
PID 3304 wrote to memory of 4404	3304	AnyDesk.exe	107
PID 980 wrote to memory of 3332	980	msedge.exe	121
PID 980 wrote to memory of 3332	980	msedge.exe	121
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123
PID 980 wrote to memory of 468	980	msedge.exe	123

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1256
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2788
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
  2⤵
  - Checks computer location settings
  - Drops file in Program Files directory
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:5112
- - C:\Windows\SysWOW64\expand.exe
    expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
    3⤵
    - Drops file in Windows directory
    PID:4688
- - C:\Windows\SysWOW64\rundll32.exe
    "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
    3⤵
    - Drops file in Windows directory
    PID:4348

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3304
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  - Drops file in System32 directory
  - Executes dropped EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:4404

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4584

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4240

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{541446b3-1fc6-394d-8259-c0d3b03ad3f8}\anydeskprintdriver.inf" "9" "49a18f3d7" "000000000000014C" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  PID:4576
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{005bc707-e949-5747-9f23-2b59d8e7c3bb} Global\{1a06d36b-476f-ce4d-a7c9-c80b5a4dc6b8} C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{3bb73b78-adba-7348-b6fb-6e7366c215b6}\AnyDeskPrintDriver.cat
    3⤵
    PID:3360

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4e0 0x368
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3032

C:\Windows\system32\BackgroundTaskHost.exe
"C:\Windows\system32\BackgroundTaskHost.exe" -ServerName:BackgroundTaskHost.WebAccountProvider
1⤵
- Manipulates Digital Signatures
- Drops file in System32 directory
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4576

C:\Windows\system32\winver.exe
"C:\Windows\system32\winver.exe"
1⤵
PID:3544

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault8b583031h705bh482bhb8b6h9c62aeef0238
1⤵
- Suspicious use of WriteProcessMemory
PID:980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xdc,0x12c,0x7ffe509d46f8,0x7ffe509d4708,0x7ffe509d4718
  2⤵
  PID:3332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2004,17285879895763203924,11144949821229826000,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2004,17285879895763203924,11144949821229826000,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2036 /prefetch:2
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2004,17285879895763203924,11144949821229826000,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2852 /prefetch:8
  2⤵
  PID:2108

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1724

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --default-search-provider=? --out-pipe-name=MSEdgeDefault3794c50bhd6a2h45cah9d38h2371661452c7
1⤵
PID:5780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe509d46f8,0x7ffe509d4708,0x7ffe509d4718
  2⤵
  PID:5792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,13007700762908630558,15862715173221634126,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,13007700762908630558,15862715173221634126,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:6048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2044,13007700762908630558,15862715173221634126,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
  2⤵
  PID:6128

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffe507f9758,0x7ffe507f9768,0x7ffe507f9778
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2024 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1788 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:2
  2⤵
  PID:452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2300 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:4392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3180 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:1
  2⤵
  PID:5476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3152 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:1
  2⤵
  PID:5456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4624 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:1
  2⤵
  PID:5736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4584 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:1412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4940 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:1432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:6052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5316 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:4536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5220 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:5912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3976 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:1
  2⤵
  PID:5868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=5544 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4940 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:1
  2⤵
  PID:5728
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3732 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:1
  2⤵
  PID:5960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3924 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:5932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3476 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:4648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4636 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:5504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2836 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:2464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:6048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5036 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4068 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5448 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:5616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4056 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2840 --field-trial-handle=1960,i,11859966859216961152,4880841511226271800,131072 /prefetch:8
  2⤵
  PID:3096

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5612

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:4048

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:6000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
955KB

MD5
d4c51937f64b87534ffe614ab4005472

SHA1
e5f223a7134feea98cc4103e3429fcff34036310

SHA256
3ad62a6eada784ce1fdd17bc3ff46ee26efc6aa999f4dcfbfbb92713aac418ea

SHA512
aa42e786c920f5b339eed615f8f5d358cc0cf0dde597a0d99c0c9891c953262336320bb517f6b89d05602f58a9a8bb8ce1c47145568619f5b84c13364d114b0b

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
759KB

MD5
69148c1170a74666928f06b37286d082

SHA1
3f6bd58a1f8f415636710dffdf2c9d104ce542f6

SHA256
9c8b863f29add4f2fdfbe3c4ea9d37a7d7c61e8f900466d86a06f175f5235450

SHA512
2c8c57119bc54e93a5b55fbd2f368da419a490feb814c65d637a7d3e4a8c2886cc9dce87bb953e2f30778315366ac5fb8747ebf4f73e7a8df765bda10ae4c1d9

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
862KB

MD5
e1fba5403021490dba5122ec4572b270

SHA1
36b2f0f96ebfec2ca9489f76bcfc0c905c4e2754

SHA256
534a8eb95c8f0d114d9d14905384b4599376998e898cf27ae9a89d1ed784eba3

SHA512
0818acae8b514be9a853cc393e0fc64589f7623c7a51bdfd666fb7e6c5550f41dc61dc14e88165fc9712168be85321d61d8cad739567c764c4e1b7aeb19e65d3

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
767KB

MD5
8b54fe5288fd9ca39d68f924d1394e58

SHA1
ceb3711f1162d671d91637259e62e902b0e972e7

SHA256
56359bb2565c79dd8edf54c1e2bd0363de636f5ff3093134f119ad4a45c0a136

SHA512
924c4f95f3865a178b18db125d2f977faf4eb4e3f8b5f461d3393df000da09c189a5be1d8f43de4a8e90b42409490e2d223ce28cd2db42106b9b3f41f78af2bc

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
483KB

MD5
46838151896b6208deffcd650aea2b08

SHA1
f565c52088dccf252785a608ec8e59f5232eac91

SHA256
9f9d18b4cd3d4a5b831e51e3f6d85fc9d9cdea9554f06c076533a5857d17522f

SHA512
6faa3fb0a496ff8ada70d9921c087bb039d240da09baef953cfe17caa388d7e301b1a04d1e408e55b6af3d9c14fa912775d9df65ca7dc3436e71983611c669fb

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
285KB

MD5
81f1fcf7294a35ed9497e7935be9cf2b

SHA1
c9c988d8e41830aecdc205b90eb999fabcd5eb90

SHA256
bff8ba17cde393c29cf15830d8895cf0e5d40e96e8442f42d2f47ff94d9c189f

SHA512
6483a205617fcd12bf3f4d8974808ccabc5bd2a004f2a1624fdb79026668a099ce77a6e3f8f9971e1ce497450af7d62d860e79e88c74500b1f25c33967c211b6

Download Submit
C:\Program Files (x86)\AnyDesk\gcapi.dll

Filesize
42KB

MD5
ba6e4b1d523e289ddabee68117bfdfbe

SHA1
60fa95a39ed92b8c9cf3eb588b2797b51c40e10d

SHA256
8c3e010c4b2efc4870bf0d40beb66e2404f1ace3fa2de3c8d79a25e453381ac6

SHA512
21ffb8acb9716863fd23b19cbfc17312daa395034e89e19b93f679270e93131f663436d7e5221f5910f5aaeefa2fb4bb2302b2f3baed0c4373cebe45f2cebb12

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
16942816b30b353a1473c2a471fd3973

SHA1
b29a496ec58c2ff2212ca7fd8616a864ade76790

SHA256
4159c675c7c91fb7e6cc0e5bf24e7db223d31596ff1f140a92ef396c603f1a4c

SHA512
639c461134b03d74c1109aa9b641d0d325d56d921f1bade52aa0722360185ee065d5d99ed327db4f7965c50d350048bf4fcdb45c4c8df2731016ba858d1dc00b

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
860B

MD5
e6f762e8a741481d0f160007c766640e

SHA1
3fc740807a32db06734dca9ef303d3789ba9b040

SHA256
c62a2afb4dcf6d63197cbcbfdbc524c9977ac1741adbc74056deaa00b1ddd318

SHA512
3da5fb5b022f240e0b4353bf9d0847df5326c764cedff7e27ecb91f8aa5917c45592e27a27692e0cfc8fa3e2f1c672367543dc8231a501fffa170eef88d2b805

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
dafb1d382c2ab950f66d410e09e4089f

SHA1
b76284801d5f25b4b5c569661d84f73feb4fb4c5

SHA256
69df3f3602eba61ba0999474b2d3b6399e8d3707722ded5fdccfb5dfe0eeb5d8

SHA512
b75986f3e5b456a4e4e0ec8d2139c89e1556b4f3e3fce04a646635e7091b3cc88008ec0f6c4d01a45c39a9237e99c6ed789ab4021ac3877d27a8a6d6b1d5e4d6

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
72007e8c0ed9e8100abf7f4767b4afa8

SHA1
798e613d4ba72b345270075ea261767fcfb63361

SHA256
d42511819943677701ca40eb600bcce6ac696cf27493721ba247e20e87ae85e3

SHA512
4be72a04f7e0902e5851bbb2e1aba233c34565db93fc0e24475ccccb5799f9ccfeddb05a1dd1c12c1210363d927821bea6a0a94b692b4ff39330a813fe7c4455

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
65d76a4dced6583e041db0641e4c61e0

SHA1
50a5c3be644357ea43e1ea7bd8f41caebdb57b33

SHA256
53c78916f930c83a1fc0040fdb120a9f009a0d3e3175ef918e9ecf73eeb89e71

SHA512
5d2beeee5a36158b8b40bf7c1ce3c310418f851db27da25831d02c3e8a2fde4db4cab0733f2733fa03a50e76dbf20de47764318a92b79e9ddfa57df8c66a06b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\5df7b697-9561-49da-948a-38657db7ba65.tmp

Filesize
15KB

MD5
301b10544e4495acf21a1aa955a4b4a3

SHA1
da61d851d43be696ff0b76a3c9e5803123d2f12d

SHA256
b5afe9ecdc557b08956ed2b3590cd70e8c7f0604b9a4521f94d93b90e5c719b5

SHA512
9c32f89d4826a052d5df41d721ac23aa3dc5cf4083ceabc8e4a9818bdb616b675a7b2b83dfadc760b9226e23b69b611b88d2564bf0ba02d2f4e0c107d93fcad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\812c3b48-e414-451f-b25c-fa6d1faefb25.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
7c7969d2f4bfc17ab5b8b81e722b6112

SHA1
b0bbe75e97e557748383557e092adfe57761881c

SHA256
b91294ef20d0626c7f98fa6160003ea3a07e9a3aaff2e97cba8c5a66c0fc9623

SHA512
21f24b7b2c6e3e59d19628893643ca5305981e7940123f62801bc43a837eefd9e3114ad782c18236723a64fca5e81ff657560e49d168a9dbf520497a42114a95

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
c5d45eba3f45805ebf75ec204425eb4e

SHA1
5130198868d3f0fbbb752d2be44abb03928a8556

SHA256
9f3270d99c0e248dccb9bcada7b467ff8a9ed4e8903dea62449f325832e43378

SHA512
cd07476db8d7bb92fc4b4f83204d92920e9d540c09456ae21857ed1d2f20e14a6f2686eaff3969e4d03118bde52b9c22ed68c84c8463b37919e03d48540fa64d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
99cad102dd2ca4678e8d44545657a52b

SHA1
a80ad6b894a4b5ad790113e0f5ae0bb775bccb03

SHA256
b3c9bc7224371a92ac97fdcee019a1d95a087c5dead37567823e37c1041484ac

SHA512
578fe7000a2c3514af875506977b86676038428386758822cfaf10ca9bec8c238807d82cee264dd5c1e58814f3fd11e83c382458888e3d32a8ec1179d06911f3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
a2fc292bb80e45a11c918293d382e4c0

SHA1
d06b38b238d286fedaad330df8afb7b7b1b13923

SHA256
5a324a5444abe9de8ac0a33976bea39b024b11fd7921e699da6c354ae390d037

SHA512
eb4a1cd2e854be14c642d0f36d79d95c604ed3b1c515752c5893c65ff8d4dc8991201342d4996bc273e3a3d6cfd088a8992d181f744d1599d557581737f5c9cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
cda8ce782bc3f4626b83f210aa269aaf

SHA1
6125da7db164ac3f2ad73a477b1841f4677e5bd8

SHA256
5060a2a7633e7e0ed1f9e97f7ad6bed71627e8405c0dd5289b7a2e30f25bdc49

SHA512
3ecfc24fd717687fe193d03788bdb033f483741ee19867e9cb5bcd7d07fe815625ea80a8bb549cc8a22b694f66baeb7a995363b8d158a147771ac636228cd7cb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
1db9ccf437eda2e76904c9bae92b2cdc

SHA1
0d58318b8700cc4f2d9bc40bd53c93a4fe752210

SHA256
30b95151c26e80b80e049113e8712f59c72eaf767ab71d989000ef66f860e21f

SHA512
2511f3bedd94387c4e70508d438f7298c269c447b4792a51f9d05f1c0aff2cf91b2f2f5f80012233897e59e49dab06316371ea23e3f4de73e22d9bca6142975a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
eb589f5f7400a5e741e1b3bb5d25dd60

SHA1
2936908786b622f50835f85cd3254ab0f52b8e53

SHA256
dfc91562fa9288abd237fa91e3ad0d46abb3f00b502b23153b0da700e25422e8

SHA512
96e4201f183d703d10caef4c0ee818e87264173de86b83407ae5b9bce3304e5cd9458b4eb6d90a3d1706308a8f9a507fee5413d6f29c869d9f63517069618b47

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
bb18ffb6ca01df94c2e0b68b871c7f9d

SHA1
05badcbaf8a3cb17393fb658046965f14dbb21e8

SHA256
2fd1ffba560ea1c69261792827a2d8345d5e6e5be1406b9bf6e1d44ef1365a33

SHA512
10624e57752786ed47d4e8426ee581d838fe3f7de9981bc6a0319477cb839004dce95712eec0c1a6849f7f94bb07462268a6927bc57d206cb4975b3f9c2dc8ab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
f27fc1ab77c950dcb02bfe4e6198cafe

SHA1
ac7a0e31778a0dd079c7e4e46b2e8317d20e3b5a

SHA256
5f96d5033854a40e2bc54db4494508af321b1d152e9ca25509bf3dd3603faa5f

SHA512
6b05394bdf65058fd1a3a155a4506dbdd8d9def5187ec6ae3ed67f8b036adebf9ff90fe0736cf0551d3d1641d35a6d5e2cbcaa00795b8cdf369ffabb6ffa0108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
fb2975173dfc09e81646b99b8c4315b7

SHA1
712c65020cfe471c71a9aebdbd904c1d7a4c5efd

SHA256
24c7b75a294b033e1a874436653289b7efce2b286540c1c608d46a236c328671

SHA512
2a7834b1ac4d6893aaa1c602bbacca7529a61aa4b1e4ab7e0bf1824d9080755941fa7469b5ec3af1a5954ce6e5f23ade06f521f7e6bfe3a28d3f66f8b9912f3c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
875B

MD5
42e71279fafdb8d8251ff10c3a71fde8

SHA1
76458a46e659e6b43f271d54a228870f5b38b294

SHA256
7b2956951c1efe8a5871e5a978c04ee68169b6579510eeeb01fdc85d4f4c76f5

SHA512
678c7758a0de64c3376e32d45b25bed4edffc5e295fe9043360b1326170b3b2148e812836dcdae786831e4c1bacecb09b4d663af9313ff60c1b1ddda1ef1dfb5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
7a23891499bedadc185fa0563a17ef0f

SHA1
57f5443eb426b09f7a8c87301d607edd579f8db9

SHA256
7dc574c989b8669fd54a49fff18b6e852ab134b9e7a0e8f5c4e03b7340838ed0

SHA512
27170134130cc63eb54daf0d4cbbf3ee47eaf0407b3d000eeda5bef5f602034a841cadd0743a13d4a3322a6d95b0b88575ac494dd8d8060e0273bf37ed654221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
bb29f3b805e9abe26b74857a0269b9fe

SHA1
eed4027e49b1579561d58615a9b759dfb5a8a718

SHA256
308e654c8266ee11d069da0af9409351d84cf1b0063f1c25b9c820dfa7027afd

SHA512
393c9dfd38e0b5a88869b9a3a88c4c64df628df5b76c80ad9144d7e2ce235af73ae83b2a712f237f4db0b7dbc332a23aac2dfa1f186d2da047dd85420a17f315

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
9bafb534c38595de2d8291ac9b98ea0a

SHA1
fb7eae85024b10614a7fb357472a2714cb0f52a4

SHA256
03bd4cb30daf5e86d856f236eeb3645a04a97b767b28276dafb89b9deba32576

SHA512
13d78c3cba2902b8c3eddad3590feb389f6ec66a0040fefe6c1030b9ae138e64521ff68b84a6f78867c8a4e7bc07149de4a24ffcd4853b0e30c51aaa04a71c11

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
5d3eb574f98e3481c28e052a2cb1fa64

SHA1
648cb5f350d6b512dfc6f55b1b437476eb797bef

SHA256
208558c73cd5422e3ca1dbdb7d442feab48aa31105afa423352ca3cc0672b231

SHA512
158131e58d4f38ef0eeb7c2a6df70d676c3d29ccdd5530142e14c1ca97cfe4eb4955f9393004919fd1fe0abcdfe5d9325fee3395418649d6944dfc91191d071b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
56480c161737fd5c4b4bb6b3599e13f8

SHA1
7354d65aae6f26ee1a7ebdef365e4cb4c5add9f8

SHA256
ec6465a31374469b0ec4618fd8858a6e5dc7dbb565b6bccbda34e3bbf960465f

SHA512
dcacfaaaf807b4cd967f42adb20115bfb883b0108774acacdb02ead3bf205d3abc6344ba383bb760bdbb5a2803289b6d28fff973e82260f3fe81a6799b3ea692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
4dc2634c2acd7a06f53cc9a1551b584e

SHA1
e5b423742bcff49f82c37d0d68a2559a182af86c

SHA256
2607e54b229e9d53728841a5dc85daa4c2e9c4fbd0e4853ea49033c31c37cddc

SHA512
0d31817d6ed93255bf9b3e562ed5921a6f71356d3069fb7ab0c17c0a50c3613b2c8ff8e33b0806d70f701d0c6c72d7af9951f1f2bac0c1504734b6081e22068f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a4fe7f29de384170d2f8d84263ea8c75

SHA1
fb0526640fbcbe13e781264e33fe53bdfdb616ba

SHA256
098a5c661b4c4ffeadc8caa0adee2d807934c5e08b6a137a4876e50db818ecd3

SHA512
99854f68066603df1218dac2ed97b447b9218fb9b9a64d57e54a0c4d8833221f4302333886dee296fd0bf4402a543a75b50dbafacaea64e67ec1964434fde86b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
d6721395815f35be24fe32f8ebbcb594

SHA1
d582aea090983b5524e7048ac29766f483adba90

SHA256
df126e2ad3e4e80735b2e45b9c644a4c832dcdfabf486292c6c0a298bedc9bc3

SHA512
48b3ea99bf02235b87934567e38378a198d7b65b5c54016b1829b789b6dd7848dd7f46e784949609205c152411e4efd4adb763c9d1e439198018f8a2d4c4aa0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
4950221f08d99b01e4c4f8df2fac4440

SHA1
6b270f085fa44066721fe1ed3764e5bbe1e9bb99

SHA256
0317d5c0ef1b1ab5c55f86f4bb3578f717e41a219e7bf03107da1e399cba325e

SHA512
b7c7fc7839e4da1205abfa326eb56a85faade3d708b054c2fa8822fbe3eef7021fd4e43fbd660796deac2501c16961b3ec8b79245dd8d14976913d6616fba4c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
232KB

MD5
21dac4c2ab3cbbc929d79eae9745ac7a

SHA1
0db64950b6e69b8a4f4835658043e3eef102646d

SHA256
9724ba429b4d43b77cc3e1b258c2b8e0c90306b39831974701fd7a2d405dddc5

SHA512
a3d11f24fadcb8d57d9e31318417da0341a96e833adb0bbff0d3d08952633bbef957570a9af8430b9b9eb2a3ea4242a2d5a1032c6889575111abf0e7703608c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
c9a76f0899bf67555e3f49229b037635

SHA1
c228a136644e2f46e638f22a245e34577d985198

SHA256
c88f66300c97f1c5c165500b629e6183df910bf0ad79280fac93d23f5e6831c5

SHA512
575e065745d2394d9925ba06bc29945b42292c7acd5ef0c51f697cd604886a2dd7ae83f726f64d82e68a4a043be7fc1a0449b7734e45a934aa54f810f0807c10

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a0476.TMP

Filesize
97KB

MD5
126b3335845feeb6107831f179e3d6fe

SHA1
6903df7b0a3658e5036df71d5b325f4a45e16f7a

SHA256
2bf88326bfb998e6123373bf26129ed56ef66773e7f05f339ee38038db88cfa1

SHA512
51bb35c9f86762c405384679ca87e1b9f40426c3735aea75e6edbab802af4c7d690c8eee30e6a03acad70aa35d650140cc86e5737deccc58b0bf91e47b5054d1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
3dbbfaf66f5e555438435d0df12d55ef

SHA1
5e85bbb8135259533158c15591012434b4aad03b

SHA256
4c40870f25f62aaf414e83bbd9a1cb8d233bba92bcd9f5a5747177c2c606908c

SHA512
b5bcda9414c0b5557d7daef2470e6157bac068277686b902947aebb91fd01f1dda2d20c3c017a2bd7c30b1c7856beea779bb694940a246183cb96735ec742a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d5564ccbd62bac229941d2812fc4bfba

SHA1
0483f8496225a0f2ca0d2151fab40e8f4f61ab6d

SHA256
d259ff04090cbde3b87a54554d6e2b8a33ba81e9483acbbe3e6bad15cbde4921

SHA512
300cda7933e8af577bdc1b20e6d4279d1e418cdb0571c928b1568bfea3c231ba632ccb67313ae73ddeae5586d85db95caffaedd23e973d437f8496a8c5a15025

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
61B

MD5
4df4574bfbb7e0b0bc56c2c9b12b6c47

SHA1
81efcbd3e3da8221444a21f45305af6fa4b71907

SHA256
e1b77550222c2451772c958e44026abe518a2c8766862f331765788ddd196377

SHA512
78b14f60f2d80400fe50360cf303a961685396b7697775d078825a29b717081442d357c2039ad0984d4b622976b0314ede8f478cde320daec118da546cb0682a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f92cefb7a1d8772e2a583c8a01397103

SHA1
9d2ccd5876927da95c596b71b6631386df1cd84e

SHA256
02f783a7f203268a9c30390f102bf6c61a4d7d1b3b650b72b16a7c442a701417

SHA512
b7fd0b85e3b025835b4eaae63712a151823990faf370512cfef5b5ffaa3515e7ac92c25a6adb1f41401d734daeeafc8f8ff80072cd438c546c21444973bbf031

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
95bf6c43d2648337df349e4f5a36d1af

SHA1
55f2679db0733cd5ea27bbaeb9935ba58dfd8542

SHA256
69285adc823dea460fb7bd7a8da54dc38c00c851627deb432a581d4a9027394f

SHA512
998436a5cafd0a181c4f2db47a374f3af108168acaa69a3e430ca7f0f05be912b597e34fd7f3483210f8648737773da82337712ea30641520178ef8ac4a4cd86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
3KB

MD5
157ebf03861f389f769c33009f8f2ee8

SHA1
d084b8ae209d07858f9f22a4133394a4a5c68fc7

SHA256
0e1f35010b18df77e08f5a264b2dd11853b9dae1bc590e5fd2d629eb1e6dcbcc

SHA512
af4b76d409334d4faa1ec360b33bc18a1e4b8c381b11a8ba79f7bb6ab82468cdcdb270b05ed18d88747dba600bcc2b9fdf06f7cfc55eaa477ceea1c0edf9d56a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\{541446b3-1fc6-394d-8259-c0d3b03ad3f8}\SETC38E.tmp

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{541446b3-1fc6-394d-8259-c0d3b03ad3f8}\SETC39F.tmp

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{541446b3-1fc6-394d-8259-c0d3b03ad3f8}\SETC3B0.tmp

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{541446b3-1fc6-394d-8259-c0d3b03ad3f8}\SETC3B2.tmp

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{54144~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
207KB

MD5
b1e783b097790eafbb913f0c30dea21f

SHA1
f37100f3902ca04c1c0d5d44fc107967f59bf443

SHA256
c68ba0cf5e18f151502da91a0836f756ba8c993acab2bac4cf7c10fbc519994d

SHA512
d68537bc1c2353e7a4154064cb109e724c0c369e81ae009c65723b4a5101ed15b4557f0fbd41a1b3ec62b8db1707ce7d156b172ed57962235a74e6d1f65756d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
32KB

MD5
6c36a435d98766dae108c06cc2e1fb2d

SHA1
2e2aeef4286a4149ae6eb338cf52b485a1d2de0b

SHA256
a91d69db292f21eaf5e7617f3d4a735c829057347f4b8437d879a8dc42a6ad35

SHA512
53a9cfe890994701ee13f1adafc5cd2c8bb7038d7b21de38e25b42da691cd452a38e7abd3a833c24bcf20646035fbd380701de878aa82bb7ea67c095519001ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
830350b2dfb57db9ec275a558b1c0839

SHA1
4b5787fa28fa9745fb96baacf814388006c5ce37

SHA256
791575c2adeb9f51d09e3fd8de63b225548d11bc16a2eac19abdfcf4eecd2999

SHA512
ca30bd1195b2ef736a4f43d046f513c232fdf59af2efa4b67d951ed161989c382a1bfceb72eb3ca14d975185743de495eea05b31e317a8bb00cba92b1a99e9ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
38KB

MD5
0051e3e5b3462013af9ceb868be5fdd3

SHA1
9da38ae677c14fde22fc896347e87b7ce03812ac

SHA256
291d4769ff8c0eef4d0cf4128befae56e0926cc2a96f208a5d609c6be58a89a9

SHA512
4246b1a0532f764fe9bbc7077bf926b4815676819261b92477cf6e652dc9d2cd08537ae67650a8abe967b73d02099f2a352de1369b66ad752f37cc983fac4730

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
43KB

MD5
042b6902dc1fb6ffe90dcecb07611267

SHA1
4fa6d8dc3e421f8ab23d1e3656a37177c8c43f2a

SHA256
d7be8326333f6109958080335ed3cec9ee70e1f0b097559d1c2e4f98bec5528d

SHA512
3aa640f3abebd88e82a7f09769f93d843402c03ef3377b3493744404739f23bd202ba2a16a0a0ab138c12401002b36c87ae2b29cb998653eb293ab4bc9d4568e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
47KB

MD5
9314ae585a15cc5f97b46570bca7a11a

SHA1
8d9043062cc3f47164b598947e7ae1655df73425

SHA256
b59ed636878c8ddff8eaa906122b45b35db06d059b0ae5a5b4f8b73af7a142fd

SHA512
4f48908a36d1f010aff3af7be8537a3b3f0333d39e1c026e829bedaf59cf94314cf114fcbb700610a9bc059e4ca0afc0a21f1e7eef8ba7e2a21abb2b9f045067

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
d3c399bf88b72f87cc2f6ce8b0ee2736

SHA1
bbe5caf179993f54dcc27a8b0e1c4fe0e9dd7888

SHA256
a043cebf030c3b0441e8f9ef278c39e6bd4f56aaa55dcef1435254ce340c6234

SHA512
a79e9ea2706d124092973eb2bccaf7c49392f5f9b169921bbf22528e2487f6b80dbb039c12c5102ed6e713ecec497e9a75a960be646421c7f3f0d6c590a4bb43

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
1ed7a95c67c3d7417bab52236505c780

SHA1
7b656dc3a18354770182d424528fb1bb48622b3d

SHA256
eaf9e73f626940e7fe9fa711947aef8d37f7a18dfab873784f5d6bc295d49c40

SHA512
3cc2b212a418bac311e184704af724e3d98497094b883f96d8e2f84ec9463a823d0930bc09280bba6bb1e3ebeb98053e48a893769efe11c0420b85bb7585e7b4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
9e871e443fb5ca183d7c0658bdaf2115

SHA1
8df8c022fd4d00e63de4d4bd6538e9df0e402227

SHA256
f40b3b1e6002bcb6eaca1382d0ccfbc11d3cf900d7e1bc802b3bf80c146cb239

SHA512
05416a3a649179ad530b4ffce0c30c6e6521cb505218822cbd6fc97898d7b018828f4d5c72494409ca5b125046534a2f0442cde49afce6a80c4ebb604e796984

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
b398f5abbcb179a332463a464e8350b0

SHA1
f7d20ed403a5fa452066baa437cfd80150d44501

SHA256
e54828c980ec137197519b946748192c1c8269b9941ed33cfb7a32d2e5d9e782

SHA512
e0d60ffaade0a14646d344536077569766afaf93c8a623eeec61eced16f1963dd5b017dccbc45ac33e48e65c02cc5f9e4d4955ec5ee53016eccb275f270c27d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
7187f52c02f471722c723d3af4fc9e5b

SHA1
c3af5ac3a2d26a1db2fb445875944af97e7421e4

SHA256
f5e743fc8042d9829ed066b001a8d1dcd350bdadf9b216854c889b809641fbca

SHA512
25f2e64c4ac47adf67144ca9fba06d1c72057b9bdb22720a21548af9109816171d82b1d890b9671eb61a94e8872ec69867c01e1dca781951405d941fd557b031

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
26141a62a39c962fab414bda2f84cb41

SHA1
3c01f414e9b18fded5f5c886fe4def1e863b3fc6

SHA256
fb6d2e8e6e6ba466c3dcf082e41793b2f73a3810f670be9b21f63f1f9299e139

SHA512
952f310ea19e62270c7d6b9d3180405c32379d4b4db9387ce0d7b832c8bbcc8f92cc7c52cc839f3ce2750821727b794c3fe345e170403ad8e73b238b338bcc9c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
267f716ffb488c95d1e0fe71fb61634e

SHA1
d04c234005df455ba20bcde10bc5a098bb114afa

SHA256
e2f20659ac69d6ed6ba7c7de5559461220d44070983d203e7115f068a6f46e1b

SHA512
a69d88170737f402329603dd9e0e0595c9627bc1d222a25f11eb5b0ec0230efcea55e940f7b96745711688a32800b99b20e1b4d784a62e8550c37bb52fd8078c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
08bbb6ab11652b9c2d20376f43091051

SHA1
2d41af81d58aa4dbc33d27b39a48a08ac5ce4f34

SHA256
1771fc892c34ea0bd93736cef03242c1d9ebe81cff00c95a76e106932b5b86f2

SHA512
114d70590b4b63623f126a58aa78ee70bd369fcb8ab0360801bc8daacc4390187a0c9227c3ce3dcb3def00878d9cb9987648817c84f6c06687d2bfad47eb1ed5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
becb22909f4af27a20677f470e54ce88

SHA1
e260f911bc9cc3e0562fdfa5e4bcdb3cadb85668

SHA256
a5023e33b6689fca947e397d48156b379f67b2bb2ab950c326085f93d13dd9cc

SHA512
a58809cefe519ade30e6c8fae644063c8d3fbfdf6c974dcbf60c4584205330a08c1273dae0f25cf9f93cc959719b71ab43c4170149fb99d6f726789b7c8da170

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
811e8ad0f06e43a7334b64fa40004cca

SHA1
03bdd9e4327455c856d61641d40f41d7a3eb1f48

SHA256
df688db9639a53d218f05d8a9d42ff1480afefb1bd4910ced23ec3d60d13e3d4

SHA512
84d599fc1ac61ef7a071ef9338e15d44a4f0484b4f155a9378de877162771d91459215ccf00e74cf68ea891f2b9e7f6dd1e84449b42bc3e7c3e5b5f3b45758e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9b12a4ba85c236c4bb7569955aa8b5d7

SHA1
89faba334ede5ddadd13c2835e57ac4cc61e6a84

SHA256
833cbc5e431e5918ee1ea7099c5326d9336250b99ace282ed3dbf5679a59494e

SHA512
b59b121088833d332c28bb1e654d0daef882276540d638234a2650e81827997d64b180c32dcca058c6f8820a9860b5b9b6787472f64778e0da5961190f949b8d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ec7ba190db5d0d825ed6ea4950dda35c

SHA1
8dd14aaf63586f8350e8d64a6459f2d038d302e9

SHA256
325c74acd02bc5e0ff7c2d88c70a93640c5b7ae3f30f133e91621d2c68e05059

SHA512
d61d205b3f0a364dbefbf2fedd5c1c07c1da6fe6d6c13e261f3f686454684b1c48c59930b1a2aff949039a847cd7abbb5d800927d35dfcfb77e78055a5effd4c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
e3d4cb0144093e06b5d0484416597b76

SHA1
a44ffd1488f97746d0b9a348f7ab75956e06ee70

SHA256
ff85a48d90bf45f42e4fd7fa3a1f53d79f9dbf72cb2e2e2789b9f1c7aedf971b

SHA512
78294d0e36455c0693c501ce61804a971c4a3a7f09967a76022c641f1e1c424a7514fc4901ee401cba24a379d6123ada52d6a021c42e1743326466afba2cb92e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
fc50cc86dd38f0ebd92f143cde716041

SHA1
212340f4e254534f972d98b57155b69a31bf970a

SHA256
f5d12b74762c216beb247347fa4cd4e56bf5f23c8cbdc803bf44fdabd54e2123

SHA512
abdf9f60df084b3e5e3b1646b3ed9cc1b88e6dca024623e812e6c02788a7edca332939e400b1b0c339ff7119076957ef62b30f0a3b7bb6ee27c22fb6816e125b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6de4146bedf21b7fb724d96a788624e4

SHA1
8970653cb3e72974f2732e2e517831c0c688c9f1

SHA256
38af7ac3715b30c63d357518e0a0bc4c5cf36cd94f8150a658490c678c8efd94

SHA512
be48a880066ceffdbec5f572cc3fe2c0ad057ad1c1747fd552abc43a051ce5d6429ebe2030627b1d7b128113699d5e7c857bef68da68407e3db47dddc82bb7d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e797388350f50a1002547240e329bc4e

SHA1
e946da3eb10ecbb3d7d57b4974f10c3dcb40e2f0

SHA256
35ea8c5768097bf0fa0453c41c00e64a6cd7b9ef33e47ec47a40508f9f0c45bf

SHA512
3f27891f52e4c13a08dca124dbb173e5274bf0093fb21211e4c44a3ac12ddefd385d757e25275210b2053a7e1607b05217edbf4b0cca72a5104b9c1fcea470dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
9f9168335b997c94e10f63a249c9489e

SHA1
b45af29245c53f6d19c6dcaaed12e848c458e9da

SHA256
055e514d45892ad45a2e05cdfaecf896c1950d7372e55a39ca847797575e26a5

SHA512
9bed9d1aea0bda009eede4bf810f45cc4d433d074326a28c3c87780fd3e51a3a3a09a7f3cbf91b339c9c178308272d884c87ca5bc9985bc02e83e93de9cdf3c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
7943856bb2c44f02f55bcd335f208b9d

SHA1
bfcef2bb0baa5d20c32cf4ac964f6cfa72a9715e

SHA256
ba2e091d1bb2eae0f45abb03ae300af7d8d241ffce59961dcfc2cc058b132c8e

SHA512
ac0c7109977e9ce4bbc5a5e957ea55cb4dbba5b3298f058f43f0a2c5286664cd815b9bc404e9674915d6b3475b3baa0a51900842bd2c369edde983b7c6ec6c95

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\PRINTE~1\AnyDeskPrintDriverRenderFilter.dll

Filesize
190KB

MD5
5899a970b51204cdd9f5f57387d4fa6f

SHA1
a8f7780a365ff1a10ce9bde7355626d61c36d5b8

SHA256
627e661d030d3d93e19de5f55b7c28215f8071311fdcb3e4c60fa951cfde245d

SHA512
1a041e58377405eccaddbc321612f40ae6b31917627b01f4be7b9c8e76869823ff66d1d00a5b4fa15144a1baa801b1ec4b712af8159bfe27486fd8d76eedc1b4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
127KB

MD5
5a4f0869298454215cccf8b3230467b3

SHA1
924d99c6bf1351d83b97df87924b482b6711e095

SHA256
5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a

SHA512
0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee

Download Submit
memory/1256-193-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/1256-32-0x0000000002190000-0x0000000002191000-memory.dmp

Filesize
4KB

Download
memory/1256-12-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-199-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-192-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-14-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/2788-29-0x0000000003960000-0x0000000003961000-memory.dmp

Filesize
4KB

Download
memory/3304-223-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-467-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-614-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-610-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-466-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-514-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-221-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-473-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-551-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-546-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/3304-520-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4240-475-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4240-424-0x00000000080E0000-0x00000000080E1000-memory.dmp

Filesize
4KB

Download
memory/4240-383-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4240-390-0x0000000000620000-0x0000000000621000-memory.dmp

Filesize
4KB

Download
memory/4240-422-0x0000000005AF0000-0x0000000005AF1000-memory.dmp

Filesize
4KB

Download
memory/4240-423-0x0000000005B00000-0x0000000005B01000-memory.dmp

Filesize
4KB

Download
memory/4240-425-0x0000000008440000-0x0000000008441000-memory.dmp

Filesize
4KB

Download
memory/4240-426-0x0000000007280000-0x0000000007281000-memory.dmp

Filesize
4KB

Download
memory/4240-469-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4240-471-0x00000000073B0000-0x00000000073B1000-memory.dmp

Filesize
4KB

Download
memory/4240-470-0x00000000073C0000-0x00000000073C1000-memory.dmp

Filesize
4KB

Download
memory/4240-472-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4240-542-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4240-521-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/4240-522-0x0000000005B30000-0x0000000005B31000-memory.dmp

Filesize
4KB

Download
memory/4240-523-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/4240-524-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/4240-525-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/4240-518-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4240-526-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/4240-531-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/4240-532-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/4240-529-0x00000000071F0000-0x00000000071F1000-memory.dmp

Filesize
4KB

Download
memory/4240-530-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/4240-528-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/4240-527-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/4404-496-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/4404-499-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/4404-507-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/4404-490-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/4404-491-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/4404-492-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/4404-508-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/4404-493-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/4404-543-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4404-509-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/4404-510-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/4404-511-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/4404-513-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/4404-512-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/4404-494-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/4404-609-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4404-497-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/4404-505-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/4404-484-0x0000000002030000-0x0000000002031000-memory.dmp

Filesize
4KB

Download
memory/4404-480-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4404-481-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4404-495-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/4404-501-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/4404-519-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4404-504-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/4404-503-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/4404-502-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/4404-498-0x0000000005C90000-0x0000000005C91000-memory.dmp

Filesize
4KB

Download
memory/4404-500-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/4404-506-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/4584-468-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4584-305-0x0000000003E50000-0x0000000003E51000-memory.dmp

Filesize
4KB

Download
memory/4584-517-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4584-611-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/4584-299-0x0000000000670000-0x0000000001DA7000-memory.dmp

Filesize
23.2MB

Download
memory/5068-85-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/5068-198-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/5068-186-0x0000000008490000-0x0000000008491000-memory.dmp

Filesize
4KB

Download
memory/5068-184-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/5068-0-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/5068-82-0x0000000007FB0000-0x0000000007FB1000-memory.dmp

Filesize
4KB

Download
memory/5068-25-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/5068-21-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/5068-4-0x0000000001DC0000-0x0000000001DC1000-memory.dmp

Filesize
4KB

Download
memory/5068-1-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/5112-308-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/5112-197-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download
memory/5112-194-0x00000000001A0000-0x00000000018D7000-memory.dmp

Filesize
23.2MB

Download