b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

Resubmissions

12-02-2024 14:18

240212-rmqw8she34 9

12-02-2024 14:14

240212-rkfngshd56 6

12-02-2024 14:08

240212-rflzpsfe9x 8

Analysis

max time kernel
1800s
max time network
1792s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
12-02-2024 14:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

3.0MB
MD5

eb80f7bddb699784baa9fbf2941eaf4a
SHA1

df6abbfd20e731689f3c7d2a55f45ac83fbbc40b
SHA256

b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78
SHA512

3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47
SSDEEP

98304:6aJXyQTrRGlSMoIuORmKBQielvZlpkiSti:3olMcR9BTY3WS

Score

9^/10

discovery

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Drops file in System32 directory 36 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA836.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA837.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA838.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File created	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA838.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA85A.tmp	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\AnyDeskPrintDriver.gpd	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA85B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\AnyDeskPrintDriver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA85A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA836.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA859.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA837.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA859.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\SETA85B.tmp	DrvInst.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe

Executes dropped EXE 3 IoCs

pid	Process
4444	AnyDesk.exe
4580	AnyDesk.exe
2480	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 13 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe

Checks processor information in registry 2 TTPs 11 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Modifies data under HKEY_USERS 57 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "248"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	AnyDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Key created	\REGISTRY\USER\S-1-5-21-3803511929-1339359695-2191195476-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe

Runs net.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2352	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
3816	AnyDesk.exe
3816	AnyDesk.exe
3816	AnyDesk.exe
3816	AnyDesk.exe
3816	AnyDesk.exe
3816	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe
2480	AnyDesk.exe
2480	AnyDesk.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3816	AnyDesk.exe
3816	AnyDesk.exe
3816	AnyDesk.exe
3816	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe
4444	AnyDesk.exe

Suspicious behavior: LoadsDriver 64 IoCs

pid	Process
3112	Process not Found
2636	Process not Found
3624	Process not Found
5012	Process not Found
3208	Process not Found
3716	Process not Found
5136	Process not Found
1232	Process not Found
464	Process not Found
2912	Process not Found
5452	Process not Found
4556	Process not Found
4208	Process not Found
6092	Process not Found
5016	Process not Found
720	Process not Found
1368	Process not Found
6056	Process not Found
4468	Process not Found
4960	Process not Found
932	Process not Found
1856	Process not Found
4772	Process not Found
3496	Process not Found
232	Process not Found
1044	Process not Found
3552	Process not Found
4236	Process not Found
228	Process not Found
1176	Process not Found
4308	Process not Found
5640	Process not Found
3132	Process not Found
5104	Process not Found
1500	Process not Found
5376	Process not Found
2140	Process not Found
6120	Process not Found
5516	Process not Found
5700	Process not Found
5132	Process not Found
5992	Process not Found
5100	Process not Found
4904	Process not Found
4708	Process not Found
5508	Process not Found
5128	Process not Found
564	Process not Found
2840	Process not Found
2636	Process not Found
6020	Process not Found
3716	Process not Found
2208	Process not Found
5248	Process not Found
4764	Process not Found
3664	Process not Found
456	Process not Found
6116	Process not Found
1152	Process not Found
3544	Process not Found
1676	Process not Found
3668	Process not Found
1368	Process not Found
6056	Process not Found

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3816	AnyDesk.exe
Token: SeAuditPrivilege	1972	svchost.exe
Token: SeSecurityPrivilege	1972	svchost.exe
Token: 33	2384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2384	AUDIODG.EXE
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	3700	taskmgr.exe
Token: SeSystemProfilePrivilege	3700	taskmgr.exe
Token: SeCreateGlobalPrivilege	3700	taskmgr.exe
Token: 33	2840	AnyDesk.exe
Token: SeIncBasePriorityPrivilege	2840	AnyDesk.exe
Token: SeDebugPrivilege	3816	AnyDesk.exe
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4444	AnyDesk.exe
Token: SeDebugPrivilege	4444	AnyDesk.exe
Token: SeDebugPrivilege	4384	firefox.exe
Token: SeDebugPrivilege	4384	firefox.exe

Suspicious use of FindShellTrayWindow 41 IoCs

pid	Process
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
2364	AnyDesk.exe
4580	AnyDesk.exe
4580	AnyDesk.exe
4580	AnyDesk.exe
2352	AnyDesk.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
4384	firefox.exe
4384	firefox.exe
564	AnyDesk.exe
564	AnyDesk.exe
564	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
4580	AnyDesk.exe
4580	AnyDesk.exe
4580	AnyDesk.exe
2352	AnyDesk.exe
4384	firefox.exe
4384	firefox.exe
4384	firefox.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
3700	taskmgr.exe
4384	firefox.exe
4384	firefox.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2364	AnyDesk.exe
2364	AnyDesk.exe
4384	firefox.exe
3044	LogonUI.exe
2840	AnyDesk.exe
564	AnyDesk.exe
564	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 3816	1036	AnyDesk.exe	86
PID 1036 wrote to memory of 3816	1036	AnyDesk.exe	86
PID 1036 wrote to memory of 3816	1036	AnyDesk.exe	86
PID 1036 wrote to memory of 2352	1036	AnyDesk.exe	85
PID 1036 wrote to memory of 2352	1036	AnyDesk.exe	85
PID 1036 wrote to memory of 2352	1036	AnyDesk.exe	85
PID 1036 wrote to memory of 2432	1036	AnyDesk.exe	96
PID 1036 wrote to memory of 2432	1036	AnyDesk.exe	96
PID 1036 wrote to memory of 2432	1036	AnyDesk.exe	96
PID 1036 wrote to memory of 4304	1036	AnyDesk.exe	102
PID 1036 wrote to memory of 4304	1036	AnyDesk.exe	102
PID 1036 wrote to memory of 4304	1036	AnyDesk.exe	102
PID 1036 wrote to memory of 2608	1036	AnyDesk.exe	104
PID 1036 wrote to memory of 2608	1036	AnyDesk.exe	104
PID 1036 wrote to memory of 2608	1036	AnyDesk.exe	104
PID 1972 wrote to memory of 3576	1972	svchost.exe	106
PID 1972 wrote to memory of 3576	1972	svchost.exe	106
PID 3576 wrote to memory of 5072	3576	DrvInst.exe	107
PID 3576 wrote to memory of 5072	3576	DrvInst.exe	107
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4960 wrote to memory of 4384	4960	firefox.exe	112
PID 4384 wrote to memory of 2640	4384	firefox.exe	113
PID 4384 wrote to memory of 2640	4384	firefox.exe	113
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114
PID 4384 wrote to memory of 4472	4384	firefox.exe	114

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2352
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:2364
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --accept
    3⤵
    - Checks processor information in registry
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:2840
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:564
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-drv --update-auto --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf"
  2⤵
  - Drops file in Program Files directory
  - Modifies registry class
  PID:2432
- C:\Windows\SysWOW64\expand.exe
  expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
  2⤵
  - Drops file in Windows directory
  PID:4304
- C:\Windows\SysWOW64\rundll32.exe
  "rundll32" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
  2⤵
  - Drops file in Windows directory
  PID:2608

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4444

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4580

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:2480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{e6080711-2d39-c248-a13d-61b5427c0e9e}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000148" "WinSta0\Default" "0000000000000160" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Modifies data under HKEY_USERS
  - Suspicious use of WriteProcessMemory
  PID:3576
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{c36e1ada-be3e-d148-bd7c-3572e9b83307} Global\{fa23d3e7-15db-3049-8afd-8377a7225c65} C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{a0942b04-f74c-c744-a454-6ae14be2bfcb}\AnyDeskPrintDriver.cat
    3⤵
    PID:5072

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x300 0x510
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4960
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.0.1874537103\819352228" -parentBuildID 20221007134813 -prefsHandle 1884 -prefMapHandle 1876 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {094c7fc7-e524-4b99-92f8-8ff7b24c93bf} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 1964 22ab9fd8358 gpu
    3⤵
    PID:2640
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.1.1967167332\449392367" -parentBuildID 20221007134813 -prefsHandle 2336 -prefMapHandle 2332 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {12746d19-3023-4a3c-b02a-1dd53561675d} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 2364 22aad772858 socket
    3⤵
    PID:4472
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.2.233177357\1284843840" -childID 1 -isForBrowser -prefsHandle 3228 -prefMapHandle 3224 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {73d8a84a-9287-4e68-9204-3cceef46e41d} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 3240 22abe194858 tab
    3⤵
    PID:4972
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.3.1863693428\1254832923" -childID 2 -isForBrowser -prefsHandle 2512 -prefMapHandle 3504 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5af9603c-6051-4c53-a10d-3c7f512d8cbd} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 1060 22aad767558 tab
    3⤵
    PID:4152
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.4.292762741\565500232" -childID 3 -isForBrowser -prefsHandle 4620 -prefMapHandle 4616 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0990b11-2366-4d8b-9daa-efc64b7d2776} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 4636 22abfde0758 tab
    3⤵
    PID:5248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.6.1457782578\1669593113" -childID 5 -isForBrowser -prefsHandle 5144 -prefMapHandle 5148 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c8f80eb7-d032-42c5-b8c5-ecd6301bceea} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5136 22abcd38358 tab
    3⤵
    PID:5616
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.5.759259598\2105403907" -childID 4 -isForBrowser -prefsHandle 5012 -prefMapHandle 4976 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {39842c15-8608-4932-b790-ca8b9156cb1a} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 4988 22abcd36e58 tab
    3⤵
    PID:5608
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.7.447326513\780011790" -childID 6 -isForBrowser -prefsHandle 1668 -prefMapHandle 1684 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1701feff-db21-4fd2-b1fb-25afed89c8e8} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 1672 22ab9efc358 tab
    3⤵
    PID:5668
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4384.8.669448278\222834078" -childID 7 -isForBrowser -prefsHandle 5856 -prefMapHandle 5836 -prefsLen 26460 -prefMapSize 233444 -jsInitHandle 1420 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f8194ea-7928-4e8b-ad80-058d9c5d334d} 4384 "\\.\pipe\gecko-crash-server-pipe.4384" 5852 22ac2306558 tab
    3⤵
    PID:376

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5468

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:1784
- C:\Windows\system32\net.exe
  net user bar /add
  2⤵
  PID:5956
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 user bar /add
    3⤵
    PID:5452
- C:\Windows\system32\net.exe
  net localgroup administrators bar /add
  2⤵
  PID:228
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 localgroup administrators bar /add
    3⤵
    PID:3552

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3700

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0 /state0:0xa390f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
3.0MB

MD5
eb80f7bddb699784baa9fbf2941eaf4a

SHA1
df6abbfd20e731689f3c7d2a55f45ac83fbbc40b

SHA256
b9ad79eaf7a4133f95f24c3b9d976c72f34264dc5c99030f0e57992cb5621f78

SHA512
3a1162e9fef849cb7143dc1898d4cfcfd87eb80ced0edb321dfa096686b25ae8a9a7f3ae8f37a09724d94f96d64e08940fc23c0b931ddd8a1e70e2792cb3fe47

Download Submit
C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
704KB

MD5
fdab8d042ab0a8da2857ea2fb4f2460a

SHA1
8596fa13b1b2a0f223c3bba3acc798b8d0f71c1a

SHA256
d09eb379393d05a31435c577052d0acaebc5f0070eeb6031f53e32a95ea10964

SHA512
c01f46b788945f796c83f6f51a5ec040e7b8dc0715acf4e2ea3b8b704f6ebd8687c3ee1acaf1942c185a9909e2ba65ef1046f703ef0c65e27cf69341f6903a6f

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
da6913184bdcecc7e80ce1b512998138

SHA1
fd49f81be7ba276d1f5062c635f1f4f8aa0ebc1a

SHA256
501a2f965e78616bb5ce5ab1c1f18237e3af4c8f41c7602979cc536344d66dd6

SHA512
7ff7a6ad75ad8bc20337abb2a7644cc9ac40dfc9a1db548e56fc213b97b424e19621a92b3337b48b01c0f493e7734ad203fd9009e1f7cd035028548062578e64

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
60B

MD5
25e71767a94343d45dd3e066c05784bf

SHA1
901ae90156458e9b91f29cb0789964a5bfbc1127

SHA256
1b7467f3f2b0a63dc29701aa97c9e7b76757e4aa6c44d61e48e067068ca88525

SHA512
ae538706623ced39a44622e9fd0f0422c4824bf9e8cc2ef6b143458873d142230ad949efeb8651fdba70f9488be935ace6bf40a8da842d74ca7895c85abb4bd6

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
165B

MD5
dbd572bc28e3c9749e6b369c8a87349e

SHA1
ed7fc97324a396c1d4fb4f3147658d7bfac871a2

SHA256
7ee560c8b2abc8418ff8b21e52aff5394b9f8a4e7098046d51a638505098279a

SHA512
72dffaee191c4e56aaaefeb26be8d575e76068b45cda363c8939aed08837d0fbaa4b49256b14443edfb6801d076c4c1d9982d9e195a2ab245addef4a590be4e9

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
414B

MD5
fcf907f79714c1ef52ec3dc22ec8fac9

SHA1
7e01674b62f0e96017f05cc3612a1caf5db6e973

SHA256
8db49f84c3fe8dfcc76b505b0f0836f88a071605b21209e96ce761a0b7b83f0f

SHA512
5db3ced95cca99d741acb21e79c4df38c8e522a53b98fc59f2a37b4ab11013cfd33fc686dc7d6964a2ea6988dd76837d62eefc6d3625feb9ee4ae2100642a9ae

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
414B

MD5
2ebcbc982d263944d164a906542bb478

SHA1
ef5278e413cc8eae5785b49fa20f8bb3479e54b1

SHA256
e6f2230dcc3b841ede1059b5860df7552da3b12bd2337893f41e05e00254d93f

SHA512
a08a02e09167ee3f4e39a859770ff615d01df6e5f0dc344d1a2738340984905369dcd922711e1cf90fe33a7fc7340ed12f7cf7937e875d616503fdda18da77e9

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\AnyDesk.lnk

Filesize
1KB

MD5
6c755d9abaae2b31c3e0a7101c673ed0

SHA1
ca6fdab610b7b2662cbaed81168aa76c8112fe7c

SHA256
7c4e75de956ff35c07848a946a3daffddd0e3d29e2a0be02c0a8cdee8cd83268

SHA512
9ff1b463001eb45775f4dbde4a3e0e78e0a0577278b5ab286133af7a15b452311ef59a3eb10c69fdf966822960f8ec46b5b96054acc30ecd840630e4a2d515c3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nbjxj16p.default-release\cache2\doomed\23619

Filesize
10KB

MD5
58254e74bfe28ba2897d3000a78fb779

SHA1
2abbd84192a5aa0c4451c09b521268c8b94c6ec7

SHA256
a7916e3962e3ff5f7863d874078610503f94b6804baff47f71ac20ecb4da84f7

SHA512
d86255b5592fe5ea1687014f5db7bad68b342924b5f21e71ec9ad8b9c9b8ed19ea4df2b6b983f1aa9f920e51d547caacb74c9d0d212b17b9a35d9ea31f1f42b5

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\nbjxj16p.default-release\cache2\entries\4832D199584363B876D3E7D57CA02A9B0F4D91CD

Filesize
13KB

MD5
16c549e50700030d9c413fe82c7caa34

SHA1
9bb04496391c170fd263db55e6090df63ed8e7ba

SHA256
415eadd8a6d9b818daaceddf49ab0d7a1241ea8281bb2f90f131bc20e9c191f6

SHA512
cd82c4c63846cd1e8dce4a623a4ae11bd226058fa0efb6aba003f9eb0bf4451ea61d382de123b707731e86fa76401b2dfe1e554fa0b3f0662872f9ff669644b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6080711-2d39-c248-a13d-61b5427c0e9e}\SETA70D.tmp

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6080711-2d39-c248-a13d-61b5427c0e9e}\SETA71E.tmp

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6080711-2d39-c248-a13d-61b5427c0e9e}\SETA71F.tmp

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{e6080711-2d39-c248-a13d-61b5427c0e9e}\SETA721.tmp

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
44KB

MD5
b9bcd2ca15641b7a56a489fa2eb81609

SHA1
d2b118e2236183a43ca49b99fc3ff9135007e105

SHA256
7039992cb146b719fa7ebc3e9fcdeb189306779153e85353a4c38e8db6a43140

SHA512
866ddafedb8e8441c2c0c5cec986919a1c88360d048c8fa8b8265bb65d73e7f484de46b92612c684133b19fe65e16662bac854cd09fd8af6c7322b131f7ff48b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
50KB

MD5
1418371b59ce674b87ce43e285f0d94d

SHA1
fc6f4feab643a0cf579880b1840f23ffce11b5f3

SHA256
a96adceb1f75369a1e8ee54edc28ac93fdc337e5191367c6eb30340bcd91012b

SHA512
ece6f7e7a3f79d3de31b1dfad904cf8a78532d81a1c33442b7d375c1b720f90b22f4b370b8c0f134df34f6687cb3345a4c1894eeb209d4137b893d9a9a8b7953

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
113KB

MD5
348952a427f7b7a1001b6bdb32221bc5

SHA1
03fc5429683a66f4decfb063853ab95558ee7494

SHA256
58d7ebd9817b0c9290b7d613ceb9f68b2af644fb4bcbfd051eb8176f830b3e99

SHA512
c5ac4fd45d6a8cf3dc1bd406d8219adf5720e4666aa0714b45d570e08734d9b23c4109444c7a3dc3c84e1ad8beb8f6cc1fbbb24e535945ee735af7c03aea44e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
e107c11f3c01ac4fa215020db4f3627e

SHA1
f7175dbc251becb728a6c8fa8207bd6f5cffad2f

SHA256
17e6886c0023b470d0eea7358017c893dd378e6b0223f70afdb32866094f88e0

SHA512
fd3563c4076d165a0ef0fb2dffd6cc6c8f3b125bccf260d81f4da73f61a4b6c306fcd842a2f98eccd48ce560c507b4b4a73d2ff5d02351b1acbbfa69977ef240

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
78KB

MD5
240ab8de82617d71bd2e275f1b7f071c

SHA1
8f6acb0f0ff84f54fd883012d24d01bac8dab5ae

SHA256
be72ae96511a2dff28db5aa184257794493f6923d0eafa02feb7df4c32d4d2e0

SHA512
5f6725813e2f0149dbeb0d415e10417de695d85b216c58393f300d735c6b5d0f23480e0b2d3b79df99e8423c8a0e0f70d83094258d86d2538a9f3feaff07d32b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
96KB

MD5
1f723b8f6489680b2b7a53532579a8ce

SHA1
42ef2bf9112bb9a800a3d4e932fb5d54e8af55ae

SHA256
7672714d330396d761e342d7c609f8ab1b98addbc47240efa3c9e527e4a84992

SHA512
926c1b5329157f2af39599ba888723d94078e75f7917f1955605d5e8f9ef65c3e23d836780c3ea6281af79e9ee22007ac500b6802733329734fe1a68d315862b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
37KB

MD5
4a7a27cd50209ed6249782270a75d922

SHA1
45887b6ea498eac2f0f93f9cb51841b1b5281a8a

SHA256
c549e743d71d75a66e79f0e8aa56492085f0962a992098adeaccc7f8663f6e1e

SHA512
9427c50d6f88779624a938c93d3c2f71cea8d10160c74314bd39654391b4e16dd1e40072a3c67fec83ba54a032cc9bb9ae8623729ea582656858d0eddf93229b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
83e3c4c1254ae3882e61045f7519fc8f

SHA1
c712dcc92c64b714b04a6e2265b7444967ae76ef

SHA256
2fba95652f9f1cfbb5110a9855299536953b44b885af71fe2ff1be11ad69c10f

SHA512
21aaa68d57026f0c8f17b6f5f834b1e3584c1c0559782b62b53b53b5b4a41ae9844a6f20b2daebd597d874036a3c33403dd269cb1fffe403f6786752bd98008d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
105B

MD5
8a8d22743c1ae13e3892e81058c8c241

SHA1
2fce058713c37063e73ad4ef043226e15bc25466

SHA256
f062e5b244536b42c7c227755363d4ef2f4f7939f3a1299f5a1f0ef64376bcb1

SHA512
08ed099794da806fd368b0fc68f11610566afbba0d5152935bbe71a057d02cce7c5fe6430a787d2cab9acf10b07eaeb098dfa3797e0f5713b6407da7462497fd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
329B

MD5
8fb9283a3019d8ba60215f6fd6b3062a

SHA1
ae788fb04054ff22837196f19f455e6ed1e7f909

SHA256
1b5f834d521e05225007c2b2b08e55242548f25fcaade72146ad788f7960159f

SHA512
60d72afe901f8b357cb407adfd8ff8cda94569662859fb35a66de6cc3d30688c7e8dd8b212b16241eeb55b36120126fc390494f35d7d6a5f50e1c6965f05a0bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
107B

MD5
f25e48e1d9e1e1398bc5fbc6885570b8

SHA1
46557c8ebb9236af6c28c9bdd317d1d25749e710

SHA256
0379e6a5dff30a991e0acdb9932cac828eb3e30ca8cc23447a2bc73ae78181db

SHA512
41e61480f5141b6950d7b96f3e4dfcca19bc480e0b11eeebdedaeb266c6e525f41f3d29a3c1c0bf8f17a3c30111d8fba7e269d5fcf84b336bee916e21881acb7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
245B

MD5
22b9e4e628573bdac8cb04791f575ad2

SHA1
2446b2c4343ca89d1aa687718c7734d695784ccf

SHA256
c5968aa38c37ee9e4956d04bae2e1334535f171259efacaa914ddfe587f81059

SHA512
c4f7b0387d64cd67d0a452d25bd737e1f69af73f010510eb33d8278335e44a25b882eaae95d85535fbde69081b88a0044ce642dcc149a68aa9d1eea061f1b730

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
205B

MD5
59352c2b0c590c5fd96365d3168d723b

SHA1
53ab571639cc3e3a38032c1095985f7f4278d8fc

SHA256
079db0d18cb8ca55e8653f3d67608c5e445d32e368feb874ed3fa1d797c7c286

SHA512
2d21bcd26ef934095ca5b37aa1e66091547870f5e09c2d203dfd75923d2575f93f1a42f31e4fb7b2423b766984464ed65b048f49519837918de246a892c82828

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
245B

MD5
3f630ef3d79b3f33c704ba8057f30aca

SHA1
3ea20d908551c49e314414856d2b48af883545c9

SHA256
2d0b475a8d60ee81137af342831d1e07da0922b55558ba524132c703d9d741be

SHA512
acf38ac560ddb13478d7761b1c47528f41af52d13cc968db3cd1cc1b307b5a7742a109787e49f2ea5370b31e0ca13a2a0bcc32c65a7e5b3a3ef7c1ff11eec7f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
280B

MD5
32a95b2730f83a0ed3a44742b6afb560

SHA1
2901ed0575564934d8baa851b46229627f64a9ad

SHA256
54d2ca1f69efcf8fa0fb796b56e21f95e5137491f21f6415d41a452b36744928

SHA512
7a62bd5bcac5a85ea75c13078442facec4248364d4e92197fc3d1e8cacaf2300b0d8da222eb420568bb80981c9267f201b83c24d1d56333e3a848798db455a8f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
280B

MD5
88a5fb2e651fa5f7fe870da5fefcb55f

SHA1
5f7c58f006216d5db45c7ad2ea3f47538b642f44

SHA256
2aaeb566400a1a37c7542985960b77776e38aba59639d86406997ac00afda750

SHA512
603cee010be7ca43ab99c3b9a9d6503a7a76ea9bf73c9bda8ca2ba26c9c19705ab35d471000d3e7d47c17e03fb063baeb74f4a942f6d7dd966cb7a0a35adb993

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
9KB

MD5
8ac152c5f99b9eb686b13986b3b0b6c8

SHA1
253bccc8f2f7b6aa8b53e906a388d9c8fc76308f

SHA256
a9c7d4551f419b4a8bdd69448b9ed3ee1882b131ae428357d06119cecc722ecc

SHA512
34b61cf1c83a12fb2f997184864eb8228b656933047655b8dd33f748a101d7b59965a9a07277fd3ca90e5c2290d342ec0607339a1674cf963e2a8cb38c743b70

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
89e70b6a744706e21e864ad168a41c7d

SHA1
ca2dc49511a50cc5b59c2e712daa7ffd19c17645

SHA256
887e64324a09f5f5e9585938786e5d8debd0a15f46a5f8e2a03a5fc7eec9a584

SHA512
8c7d5f7d48bb775dd8b784fd36e9d2ba96cb71c4996791d7454b7b43431fc887503b959edb936505402a12f59e29fe23ee54baf01966ba41fa637fcb396a9d6e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
cbe117d6dba2b7b874d5157e7e86e645

SHA1
f6f3ae649e35849136655a45553dd610d99e4286

SHA256
845f27108b097d8073d6c8c4159da54df6ec9c3e5569eb7a3cb6279d08eb127c

SHA512
b8d0f60065b9fec34d07447323d17b26701c70fa073fce8aaa96d966546e84cd30436d4c2f3c9d74e510941dd4e22017eed477b142d38d59b9981787d984bf8d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
4af2cc1abe4567c543f5ce41dec67be3

SHA1
585afe06476492d3c539784a25861756d9b13db4

SHA256
094cd7758cd574a5a9d311dd3ce1ccd42dd39dd857cf7bcd7a8d501839634ed9

SHA512
fb025a0ebef592577d67c1d3d1fc41b7ebe31de5a41a8bae10ad749c5061077a74c24925dd333bd245f3c2a616ab3d95fcc8ac29c2c082618f330bf4754c8d3b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
c7db3d85a096ff0819915354e4a3ea6d

SHA1
62e6780c5ab2fae78ed38c655f66c7903685f9cf

SHA256
3cbabaf57d01f0a6254f1baca40f4fa2b6411a01f2399da4b2d9cffccbffb655

SHA512
d7812bd96151544456e51634c6f063fd872ad0165acf6d669c95986adb28c496ce0e4455f3ae3e38497a320a33268e9a1dec78ff68e248c11b83ad90ed47f199

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
1394d33363ccb30dbd639c1e37a06ae5

SHA1
67c3ea03c942c438e6fe924c36cbd509b802db60

SHA256
15756bbc753fb6309de0966d1e4526dd6522e71b6330f485ba26934f100be9cf

SHA512
6f4d71899ad7a8a278e27e3404ac2b364a354f3afde6dede219f06e5d4cd4b22dba90b7326ecdf3ab456e49e17be50af946f0a38170d69139de54ee19c13c34b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\bookmarkbackups\bookmarks-2024-02-12_11_grVx-X3BxQbeKq7ztIKxWA==.jsonlz4

Filesize
944B

MD5
4ad200329f3da1d8db160df28c5bc015

SHA1
b5341199cb262ea6d4331510c006de7f52c77df8

SHA256
c12d2c1d66817b3ac755e4bc5102fd0c5a7f4c22d7933a6c58aec819c4c893a8

SHA512
fa6773333791df6db465816546ea37fd245537856286717c64d42b233d8403c72e19368a2626bee70ee74d46630fd008be298019817dd7d8405088c012033509

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\broadcast-listeners.json

Filesize
216B

MD5
b93f6343af6a94a3e9fc8bf9988fd9fe

SHA1
7de2fedfb809b5b2fd01e93827e74508307d442e

SHA256
18623f2fdb9aae9a76567dc88865b80734a1cda736997920a8aae6973e5fc758

SHA512
35cdd02da8978baacbfc4b321338ee6190be613b2653413745a9e91cdb8c87691abc42b30a17dbb61910eb3e8ba8173bd6378f63acb60377b60f665b084e4a09

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
619feb69ba89cb119ebe62d46657e6f3

SHA1
fd53ed2d77a1ffddf9950a856060d51be8d369ef

SHA256
57a3996ddac5b1005b9d319cf4d5650e1b203d46a7d8966c8ee47c50c787ad49

SHA512
56d9566cac0f672fe04942ded592b747b97c98d3698a90a5fd162d49d08bfd4cfc9e2ef87cc7a506525d66899882d8e8499d54dd2e2bf99b8923d8caa6971b25

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\datareporting\glean\pending_pings\6a20a342-b378-4e10-b3ee-ed44a4bd3cb0

Filesize
10KB

MD5
9d7db050eaa3ff84ece544477e82ed22

SHA1
623cf1dadf772ba612c4c956ec85161fe187395b

SHA256
fe918a7175de3c47a4a4b73baf57551f9d1cdc73e815d8b46e2f2c6fd441c986

SHA512
a459d446c59c7a7ff4a993432da6eef97505c96edaff06f1b8b45140a020756f9920861ad9e0a733c6da506fdf294b099cd690f054fdefd9a9fa52528ae11a85

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\datareporting\glean\pending_pings\e2e8b123-cb84-4599-886d-3d484b577342

Filesize
746B

MD5
fe2b2cd53fc97ab43ff1f3d96c4721c0

SHA1
42c59319f693b19410446b867204d3120c7af6cc

SHA256
b8de1756fbae9e5fc1638c3123fa626000456d8b75ba7d2879c18919bf47334f

SHA512
b66c47eeee1619d966893d1199b3ad8d9ec9ef30b7afa3aec281e7512025fd8b3b0c9f2219a11125e0f26dc624d6478d29fb2f7ac9a42c081294d57565a10b3c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\prefs-1.js

Filesize
6KB

MD5
7e3d516b2f77ff59081fefb88c5f04ce

SHA1
26b0a0081f59db2a0cf5fed8bb72f4dfa9132c98

SHA256
5a6ef8d7f599d1abbad3e360caeffb31817c8b7a8e8b26b01823e1264a057877

SHA512
e40db72d18912825cd62fe33d0373ebd2941ca384812d73ad830c4a882759b47274faaef989c805468dcf8e1f341ef1ebd82bcc60e29caef781f94a5668d392c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\prefs-1.js

Filesize
7KB

MD5
2e3dbc6ddc6d2b6e1fe29a5886ce09dc

SHA1
41d63e0cd1d613ecd17d80d613ba1a04cc7dfd7e

SHA256
69965818aa4d14c33757acdf416df02e8d16a77ddbae2030fe2df75b617e3710

SHA512
77841e9cb0a9ed850fe534bf27059cc9b034d51ba090b68d4cddf5995c65d45272adb5b2f8b3d185161de7a2d9b3c800803b2d53f3f9b0c75dc83605a34f050a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\prefs-1.js

Filesize
6KB

MD5
57c6a2ac27f4d3dc31155e911bd086c8

SHA1
f75cc4f7a99acd8430329b4de0c5435f5a13b639

SHA256
e03207737688fcf0d4175a918a9c1f43225d3506ca264d4a8024d42964ed32ea

SHA512
cc8d74aac37556323fda99de046d129788e527c14ad784e3a739bd214ec44214af9ca6582e07f141b677e4ae1375cbd16155894bdb6f46e7cf6adcc10daeb227

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\prefs-1.js

Filesize
10KB

MD5
45bcf00051470954d7f705477ae40578

SHA1
024306a023b3408c28ec619e457db1f9f53cf3ab

SHA256
b5a5fe67c7e9e9a57d71ed1994d65993ce902236e5308d54b1c6367d35da02fa

SHA512
f93d23af2436f1c37c508ad55cfa6f27def8ee8568672388d077e67d8307e593dd23a7ee5d1196660a12d69f0ae2ddc1b74907b45c89c644e2ccd54f82c74011

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\prefs.js

Filesize
6KB

MD5
0215314b8ca23cacb498c50de90a757c

SHA1
a6bfdb627327443eaabacb93d30ed4811b83a77a

SHA256
303f8cbf6b1a43de301c6dae11d075d317eec129b61fb5dafb090a5cb85cd363

SHA512
7b94424454696c74c99838690495ec588599fefa7b23f99105e2dc2881a9ecdaa96693841401927cdca1ede085552753c3f98ac2b61198b46e795ddda58d00a2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
30KB

MD5
f81ab81dce463a9163f4ada51e7c2ddf

SHA1
9546c87ad12f7a476fadc611ef424bd529ff238a

SHA256
b752b0d773c858ad5846bee7cd224f879ee8413dadf0a57264c0eceb9a113a58

SHA512
8744933e40794fb15e4f68ecf091935a589558f24e5e8917836cfda66318fa2affa7ad0a68aa47e22a3f74d8af04bcd1e02b691ee32f5bfa59b4e5c3e376a8dd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
30KB

MD5
92971eb5c5b01d6ff600b9233c4507b8

SHA1
b303c50905a59aa14e6347dbfe1dc2017e928363

SHA256
0a6fec9a05f133872262871d350720002211aebf2cd543a9491a6b4406eb88b9

SHA512
26f1e20bf47ef0c9e27d078e00c6d67401481efc388d826d4486458262adf17584e785555f00b44a9659144b632c8cbcdcfe36bcf8faaaaaadb3e6b812e15bbc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
b4e248b8f969358a7bfa32c68bda5789

SHA1
201120599bc3a747d419adc989473b524b7bc56c

SHA256
53bba6be73ce1c9b4ae9b1810a5225aaa7dfa9abd0ac1eb3e9b9bff37b266443

SHA512
bd21e656c602c09e140eb153225054a947e3b446927d8bbe0720e2e6cfeff0b237e0a5deea5d575ee170479e0b8472799f19c553cf3955982123e32cca006c35

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
1.3MB

MD5
43ab537c33fc9bbf221a1bfe87622698

SHA1
1804221834456b4ced7a2c91ebd59f10f1b6beec

SHA256
03803453c30e8b5c9633d1d3cbcb98d4e2c0e1365586ad1e940022283ddc3b08

SHA512
c3b3e779d334204697e5e66247b8017c5feb6f96d20f4813805bb739e354a3a3a2f40812afa5a1166b80ff288d985a8122e9a76646c58c7e837eae6d6137ffe0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
3.2MB

MD5
63ea103b185d439a2ec5c1931b8c1b56

SHA1
29dbd8e9e4adf7d4dcd30991ddc41fd8603e7659

SHA256
1a877c71a31661151969527d091a36850e7a00475dfb20b2a349bb90465bd7c7

SHA512
b6cdc2c67db4801e4e42b0cc4a894977ffe0c7735059da19d954dce9712251374325731984ac909cdc5c1e337a18f4bab3e7a03b50c8173845b50e46019ef42c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\targeting.snapshot.json

Filesize
3KB

MD5
f0b18f442c3c93929a97d817736b1f9a

SHA1
f1e50aab814ecd7c40380dbb27cae4f0d7d702b5

SHA256
e0a67f4efedd560c2b4af1ad574f6e99b8aa468a4a04fe5d6a899a69ea898340

SHA512
df01eceb90965338f7a1631f2c19c6db323a60688ed13e9672bd22407240061e5fcfc9fe03d89c274fac39df153420129c844c0cfdde44d429305b83c88ecd22

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nbjxj16p.default-release\xulstore.json

Filesize
143B

MD5
b216b18f27f05f6198240d75115dca9c

SHA1
033ae22290a073058aaa253ef33871b5bae9b987

SHA256
b1e0986ef1ebe44b14efde0559b783f701a7afb65be99d64c509a63e8593d5c3

SHA512
b754687e7c2981c517f1b4a144c640008e5f45f7f6ca5d2ac4cb4f5a5ac4f017e07b63f74519deaca28ccb9d14aeab64ac7c5e2f561cf3d4e9086b9f071b24fb

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
5120931921bffd1031ce80023e6bacca

SHA1
14f04720e68c9feb3c9bedfaaf2b44e33994f358

SHA256
766cec83331fb9a964881dba8a4d6f764e7fbb05f73d1f6ba73257ec9bfc8312

SHA512
ccd7bd8e8eaa6afba4caf95056d29ec4716aa7870384da4b56c81a2ecfc378bb106677d0bec937adf9cd43502f746090b82f2e3bd5b6ae3cc3aa0b553fa52df3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
14bda2f1ac3ff6639c3c240fbfca881a

SHA1
5850f40a49e51fccfd4c45fc251b6e76d1d91d44

SHA256
13530fe3ccbf7c3e7e3f57932e2d86174041250362f350f87f9ebcc1a8a16eeb

SHA512
f2ccbb9706ae08e591c2dbd21c5c5bd289ca3772be1dc7bf970bac6fc31dd5aa283d66425cd1ce04d01a80ac9f50e1315f0700878fd35387bc97dd791c9b7993

Download Submit
C:\odt\config.xml

Filesize
653B

MD5
14f1e4dc616ace92a8ffa57cbd78872b

SHA1
eb2cbac8498a988d9fcf679c1e3c641669544999

SHA256
cfb541bc948bb67112f6212d82e66bee1864dbacbb07a41f34e0de013d9c07da

SHA512
297d4c4a84c37d2c91c8d237f59b1e3acd9114df0fc2ba4af2496d48ce7b30e73cadc920b400a3b0e7f5212ba4c4e1715f3abbc84a2cd9fa899a7522c6aa6946

Download Submit
C:\odt\office2016setup.exe

Filesize
5.0MB

MD5
5b51ece9852b92cfd1d3946d5940eed5

SHA1
ca8a14be1997603317b44b497724269a85112a92

SHA256
4f5c5cbcbf63115d0fa4f79988f80b9753b1c43d5a2b2c1dd1a6597ea9038e6e

SHA512
4ff82b2a93a5d1599b41d0f512ddc4434804abda59287281f8379a36fc6fb73f03c85e5fab3ff6d0e8b7378508e2b0855599fc3dbc33937f09861899357ff258

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\AnyDeskPrintDriver.cat

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\anydeskprintdriver.inf

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
\??\c:\users\admin\appdata\roaming\anydesk\printer_driver\v4.cab

Filesize
127KB

MD5
5a4f0869298454215cccf8b3230467b3

SHA1
924d99c6bf1351d83b97df87924b482b6711e095

SHA256
5214e8ff8454c715b10b448e496311b4ff18306ecf9cbb99a97eb0076304ce9a

SHA512
0acf25d5666113ce4b39aa4b17ce307bef1a807af208560471a508d1ecadfa667d80f97c191e187b8ea6af02128d55685a4dd0ddc6dd5aabe8b460f6bc727eee

Download Submit
memory/1036-84-0x00000000079E0000-0x00000000079E1000-memory.dmp

Filesize
4KB

Download
memory/1036-26-0x0000000005EF0000-0x0000000005EF1000-memory.dmp

Filesize
4KB

Download
memory/1036-1-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/1036-3-0x0000000000E70000-0x0000000000E71000-memory.dmp

Filesize
4KB

Download
memory/1036-13-0x0000000003F70000-0x0000000003F71000-memory.dmp

Filesize
4KB

Download
memory/1036-14-0x0000000004340000-0x0000000004341000-memory.dmp

Filesize
4KB

Download
memory/1036-15-0x0000000003F80000-0x0000000003F81000-memory.dmp

Filesize
4KB

Download
memory/1036-19-0x0000000005E30000-0x0000000005E31000-memory.dmp

Filesize
4KB

Download
memory/1036-20-0x0000000005E50000-0x0000000005E51000-memory.dmp

Filesize
4KB

Download
memory/1036-21-0x0000000005E60000-0x0000000005E61000-memory.dmp

Filesize
4KB

Download
memory/1036-23-0x0000000005EA0000-0x0000000005EA1000-memory.dmp

Filesize
4KB

Download
memory/1036-22-0x0000000005E70000-0x0000000005E71000-memory.dmp

Filesize
4KB

Download
memory/1036-24-0x0000000005EB0000-0x0000000005EB1000-memory.dmp

Filesize
4KB

Download
memory/1036-112-0x00000000079C0000-0x00000000079C1000-memory.dmp

Filesize
4KB

Download
memory/1036-27-0x0000000004310000-0x0000000004311000-memory.dmp

Filesize
4KB

Download
memory/1036-88-0x0000000007A20000-0x0000000007A21000-memory.dmp

Filesize
4KB

Download
memory/1036-25-0x0000000005EC0000-0x0000000005EC1000-memory.dmp

Filesize
4KB

Download
memory/1036-28-0x0000000005E90000-0x0000000005E91000-memory.dmp

Filesize
4KB

Download
memory/1036-29-0x0000000005F10000-0x0000000005F11000-memory.dmp

Filesize
4KB

Download
memory/1036-87-0x0000000007A10000-0x0000000007A11000-memory.dmp

Filesize
4KB

Download
memory/1036-86-0x0000000007A00000-0x0000000007A01000-memory.dmp

Filesize
4KB

Download
memory/1036-70-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/1036-85-0x00000000079F0000-0x00000000079F1000-memory.dmp

Filesize
4KB

Download
memory/1036-81-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/1036-80-0x00000000070A0000-0x00000000070A1000-memory.dmp

Filesize
4KB

Download
memory/1036-82-0x00000000079B0000-0x00000000079B1000-memory.dmp

Filesize
4KB

Download
memory/1036-279-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/1036-83-0x00000000079D0000-0x00000000079D1000-memory.dmp

Filesize
4KB

Download
memory/1036-0-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2352-73-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2352-38-0x0000000000950000-0x0000000000951000-memory.dmp

Filesize
4KB

Download
memory/2352-30-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2364-110-0x0000000007250000-0x0000000007251000-memory.dmp

Filesize
4KB

Download
memory/2364-78-0x0000000000EE0000-0x0000000000EE1000-memory.dmp

Filesize
4KB

Download
memory/2364-96-0x0000000005310000-0x0000000005311000-memory.dmp

Filesize
4KB

Download
memory/2364-97-0x0000000005350000-0x0000000005351000-memory.dmp

Filesize
4KB

Download
memory/2364-95-0x00000000052F0000-0x00000000052F1000-memory.dmp

Filesize
4KB

Download
memory/2364-94-0x00000000052B0000-0x00000000052B1000-memory.dmp

Filesize
4KB

Download
memory/2364-369-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2364-89-0x00000000050D0000-0x00000000050D1000-memory.dmp

Filesize
4KB

Download
memory/2364-113-0x00000000053A0000-0x00000000053A1000-memory.dmp

Filesize
4KB

Download
memory/2364-90-0x00000000050F0000-0x00000000050F1000-memory.dmp

Filesize
4KB

Download
memory/2364-91-0x0000000005290000-0x0000000005291000-memory.dmp

Filesize
4KB

Download
memory/2364-92-0x00000000052A0000-0x00000000052A1000-memory.dmp

Filesize
4KB

Download
memory/2364-93-0x0000000005340000-0x0000000005341000-memory.dmp

Filesize
4KB

Download
memory/2364-114-0x00000000053C0000-0x00000000053C1000-memory.dmp

Filesize
4KB

Download
memory/2364-540-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2364-115-0x0000000005400000-0x0000000005401000-memory.dmp

Filesize
4KB

Download
memory/2364-100-0x0000000005390000-0x0000000005391000-memory.dmp

Filesize
4KB

Download
memory/2364-116-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/2364-117-0x0000000007160000-0x0000000007161000-memory.dmp

Filesize
4KB

Download
memory/2364-99-0x0000000005380000-0x0000000005381000-memory.dmp

Filesize
4KB

Download
memory/2364-101-0x00000000053D0000-0x00000000053D1000-memory.dmp

Filesize
4KB

Download
memory/2364-102-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/2364-118-0x0000000007240000-0x0000000007241000-memory.dmp

Filesize
4KB

Download
memory/2364-98-0x0000000005370000-0x0000000005371000-memory.dmp

Filesize
4KB

Download
memory/2364-75-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2364-103-0x0000000007140000-0x0000000007141000-memory.dmp

Filesize
4KB

Download
memory/2364-111-0x0000000007260000-0x0000000007261000-memory.dmp

Filesize
4KB

Download
memory/2364-108-0x0000000007200000-0x0000000007201000-memory.dmp

Filesize
4KB

Download
memory/2364-104-0x0000000007180000-0x0000000007181000-memory.dmp

Filesize
4KB

Download
memory/2364-105-0x00000000071A0000-0x00000000071A1000-memory.dmp

Filesize
4KB

Download
memory/2364-109-0x0000000007220000-0x0000000007221000-memory.dmp

Filesize
4KB

Download
memory/2364-107-0x00000000071E0000-0x00000000071E1000-memory.dmp

Filesize
4KB

Download
memory/2364-106-0x00000000071C0000-0x00000000071C1000-memory.dmp

Filesize
4KB

Download
memory/2432-121-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2432-159-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2432-127-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/2480-368-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/2480-355-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/3816-72-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/3816-79-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/3816-120-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/3816-32-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/3816-361-0x0000000000FB0000-0x0000000001BC2000-memory.dmp

Filesize
12.1MB

Download
memory/4444-338-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/4444-145-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/4444-501-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download
memory/4580-163-0x00000000000E0000-0x0000000000CF2000-memory.dmp

Filesize
12.1MB

Download