55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
1853s
max time network
1858s
platform
windows11-21h2_x64
resource
win11-20240221-en
resource tags

arch:x64arch:x86image:win11-20240221-enlocale:en-usos:windows11-21h2-x64system
submitted
23/02/2024, 01:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 17 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 37 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU\SoftwareFallback = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU\VendorId = "4318"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "13"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionHigh = "268435456"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListXMLVersionLow = "395196024"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU\SubSysId = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "9"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPMigrationVer = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "268435456"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateLowDateTime = "2874905683"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\VersionManager\FirstCheckForUpdateHighDateTime = "31090194"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Protected - It is a violation of Windows Policy to modify. See aka.ms/browserpolicy\HomepagesUpgradeVersion = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "8"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionHigh = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU\DeviceId = "140"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\StaleCompatCache = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\Main\DisableFirstRunCustomize = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU\Revision = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListDomainAttributeSet = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "395196024"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\GPU	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\IECompatVersionLow = "0"	iexplore.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200"	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheVersion = "1"	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:"	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\ = "0"	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage\localhost\NumberOfSubdomains = "0"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings	changepk.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage	TextInputHost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\localhost\ = "0"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DOMStorage	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\TrustedPeople	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Root\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	TextInputHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\Disallowed\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\History	Music.UI.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.zunemusic_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheVersion = "1"	Music.UI.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\Certificates	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\trust\CTLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Explorer\DomStorageState	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CRLs	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4280069375-290121026-380765049-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Software\Microsoft\SystemCertificates\CA\CTLs	TextInputHost.exe

Suspicious behavior: AddClipboardFormatListener 8 IoCs

pid	Process
4044	AnyDesk.exe
1540	vlc.exe
4044	AnyDesk.exe
4100	TextInputHost.exe
1008	TextInputHost.exe
4052	TextInputHost.exe
5836	TextInputHost.exe
3512	TextInputHost.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

pid	Process
4912	AnyDesk.exe
4912	AnyDesk.exe
4912	AnyDesk.exe
4912	AnyDesk.exe
4912	AnyDesk.exe
4912	AnyDesk.exe
2676	msedge.exe
2676	msedge.exe
5240	msedge.exe
5240	msedge.exe
6104	identity_helper.exe
6104	identity_helper.exe
5552	msedge.exe
5552	msedge.exe
5012	msedge.exe
5012	msedge.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
4912	AnyDesk.exe
4912	AnyDesk.exe
4912	AnyDesk.exe
4912	AnyDesk.exe
6680	msedge.exe
6680	msedge.exe
6680	msedge.exe
6680	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1540	vlc.exe
2032	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	4912	AnyDesk.exe
Token: 33	3692	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3692	AUDIODG.EXE
Token: SeManageVolumePrivilege	4884	Music.UI.exe
Token: SeDebugPrivilege	896	firefox.exe
Token: SeDebugPrivilege	896	firefox.exe
Token: SeDebugPrivilege	4912	AnyDesk.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
3828	svchost.exe
3828	svchost.exe
3828	svchost.exe
3828	svchost.exe
1540	vlc.exe
896	firefox.exe
896	firefox.exe
896	firefox.exe
896	firefox.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
6276	AcroRd32.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
1540	vlc.exe
896	firefox.exe
896	firefox.exe
896	firefox.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
4044	AnyDesk.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
2676	msedge.exe
4044	AnyDesk.exe
4044	AnyDesk.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
856	AnyDesk.exe
856	AnyDesk.exe
1540	vlc.exe
4884	Music.UI.exe
896	firefox.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
6276	AcroRd32.exe
2032	AnyDesk.exe
2032	AnyDesk.exe
992	SystemSettingsAdminFlows.exe
4268	conhost.exe
4100	TextInputHost.exe
4100	TextInputHost.exe
4100	TextInputHost.exe
1008	TextInputHost.exe
1008	TextInputHost.exe
1008	TextInputHost.exe
4052	TextInputHost.exe
4052	TextInputHost.exe
4052	TextInputHost.exe
5836	TextInputHost.exe
5836	TextInputHost.exe
5836	TextInputHost.exe
3512	TextInputHost.exe
3512	TextInputHost.exe
3512	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3804 wrote to memory of 4912	3804	AnyDesk.exe	77
PID 3804 wrote to memory of 4912	3804	AnyDesk.exe	77
PID 3804 wrote to memory of 4912	3804	AnyDesk.exe	77
PID 3804 wrote to memory of 4044	3804	AnyDesk.exe	76
PID 3804 wrote to memory of 4044	3804	AnyDesk.exe	76
PID 3804 wrote to memory of 4044	3804	AnyDesk.exe	76
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 5024 wrote to memory of 896	5024	firefox.exe	98
PID 896 wrote to memory of 828	896	firefox.exe	99
PID 896 wrote to memory of 828	896	firefox.exe	99
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100
PID 896 wrote to memory of 2840	896	firefox.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3804
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4044
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4912
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:856
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2032

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x0000000000000484 0x00000000000004D0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3692

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" -nohome
1⤵
- Modifies Internet Explorer settings
PID:1436

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartGrant.TS"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1540

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\RestartGrant.TS"
1⤵
PID:2268

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\Desktop\StepRename.mhtml
1⤵
- Modifies Internet Explorer settings
PID:2676

C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe
"C:\Program Files\WindowsApps\Microsoft.ZuneMusic_10.21012.10511.0_x64__8wekyb3d8bbwe\Music.UI.exe" -ServerName:Microsoft.ZuneMusic.AppX48dcrcgzqqdshm3kf61t0cm5e9pyd6h6.mca
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
- Suspicious use of FindShellTrayWindow
PID:3828

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:5024
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.0.1683999078\971496501" -parentBuildID 20221007134813 -prefsHandle 1784 -prefMapHandle 1764 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {08ba8863-74a2-4e2e-ad96-24d93f09488c} 896 "\\.\pipe\gecko-crash-server-pipe.896" 1864 1ad736d8358 gpu
    3⤵
    PID:828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.1.1463626945\2020571165" -parentBuildID 20221007134813 -prefsHandle 2256 -prefMapHandle 2252 -prefsLen 20783 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa45a8c9-2298-40fb-8d11-d118c52a3d82} 896 "\\.\pipe\gecko-crash-server-pipe.896" 2292 1ad673dd058 socket
    3⤵
    - Checks processor information in registry
    PID:2840
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.2.492610685\1836187708" -childID 1 -isForBrowser -prefsHandle 2856 -prefMapHandle 2996 -prefsLen 20821 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0089ef7e-548e-47f4-814a-dfd42cb2f543} 896 "\\.\pipe\gecko-crash-server-pipe.896" 2852 1ad787c5358 tab
    3⤵
    PID:4660
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.3.1834724321\312370783" -childID 2 -isForBrowser -prefsHandle 2896 -prefMapHandle 3300 -prefsLen 26064 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ec055bc1-6642-4256-b0d5-f5dfdd1682a6} 896 "\\.\pipe\gecko-crash-server-pipe.896" 3580 1ad77036058 tab
    3⤵
    PID:4488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.4.411493969\1309082226" -childID 3 -isForBrowser -prefsHandle 4600 -prefMapHandle 4596 -prefsLen 26123 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {767da771-fc5d-415b-892a-ff849572a23f} 896 "\\.\pipe\gecko-crash-server-pipe.896" 4608 1ad7a594358 tab
    3⤵
    PID:3276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.5.1397529278\2078651582" -childID 4 -isForBrowser -prefsHandle 4952 -prefMapHandle 4644 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fbfbc4d1-286f-46c3-9354-797fa73c9b0a} 896 "\\.\pipe\gecko-crash-server-pipe.896" 4956 1ad67366258 tab
    3⤵
    PID:4476
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.6.302093043\933553063" -childID 5 -isForBrowser -prefsHandle 5196 -prefMapHandle 5200 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4f144990-b40b-4e74-8b1f-bb9c56a9234f} 896 "\\.\pipe\gecko-crash-server-pipe.896" 5184 1ad77da9858 tab
    3⤵
    PID:2796
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.7.1008147016\1000963511" -childID 6 -isForBrowser -prefsHandle 5408 -prefMapHandle 5412 -prefsLen 26204 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d622bcf9-8f5b-45ce-a070-d5212bffafc6} 896 "\\.\pipe\gecko-crash-server-pipe.896" 5396 1ad7a6df458 tab
    3⤵
    PID:5124
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.8.1841930369\1166348227" -childID 7 -isForBrowser -prefsHandle 4408 -prefMapHandle 4868 -prefsLen 26283 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {14c32306-6d6f-4ab2-adb6-b5df050f8079} 896 "\\.\pipe\gecko-crash-server-pipe.896" 4844 1ad7c46a458 tab
    3⤵
    PID:6216
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.9.937869557\1216610105" -parentBuildID 20221007134813 -prefsHandle 4792 -prefMapHandle 4704 -prefsLen 26283 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb12a71e-6213-4df2-9931-ebc1d3a18f18} 896 "\\.\pipe\gecko-crash-server-pipe.896" 5884 1ad7a5c8458 rdd
    3⤵
    PID:6320
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.11.214082227\36417275" -childID 9 -isForBrowser -prefsHandle 6204 -prefMapHandle 6208 -prefsLen 26458 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d4c49f06-81c3-4cbc-81d8-f1b625d7bf30} 896 "\\.\pipe\gecko-crash-server-pipe.896" 6196 1ad73477e58 tab
    3⤵
    PID:6880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="896.10.617580666\1745555125" -childID 8 -isForBrowser -prefsHandle 6140 -prefMapHandle 6132 -prefsLen 26458 -prefMapSize 233444 -jsInitHandle 1036 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {4052975e-f66c-4786-9fb3-e9e001341fd6} 896 "\\.\pipe\gecko-crash-server-pipe.896" 3288 1ad73474b58 tab
    3⤵
    PID:6872

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2676
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x108,0x10c,0x110,0xe4,0x114,0x7ff9bc113cb8,0x7ff9bc113cc8,0x7ff9bc113cd8
  2⤵
  PID:5020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:8
  2⤵
  PID:5264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2216 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1924 /prefetch:2
  2⤵
  PID:5232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4908 /prefetch:1
  2⤵
  PID:6132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4576 /prefetch:1
  2⤵
  PID:5340
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3520 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5196 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:7108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:7116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
  2⤵
  PID:6204
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2752 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:5788
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5004 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:6188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2768 /prefetch:1
  2⤵
  PID:6336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,2577597672397021503,5310605983066500266,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5916 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6680

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5628

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5840

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6276

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5780

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
PID:5784

C:\Windows\system32\SystemSettingsAdminFlows.exe
"C:\Windows\system32\SystemSettingsAdminFlows.exe" RemoteDesktopTurnOnRdp
1⤵
- Suspicious use of SetWindowsHookEx
PID:992

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6380

C:\Windows\System32\changepk.exe
"C:\Windows\System32\changepk.exe"
1⤵
- Modifies registry class
PID:6620

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
PID:3308

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DevicesFlow -s DevicesFlowUserSvc
1⤵
PID:4536

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -s LxpSvc
1⤵
PID:6680

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:2556

C:\Windows\System32\conhost.exe
"C:\Windows\System32\conhost.exe"
1⤵
- Suspicious use of SetWindowsHookEx
PID:4268
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe
  2⤵
  PID:2064

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4100

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1008

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:4284

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4052

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:5836

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ded21ddc295846e2b00e1fd766c807db

SHA1
497eb7c9c09cb2a247b4a3663ce808869872b410

SHA256
26025f86effef56caa2ee50a64e219c762944b1e50e465be3a6b454bc0ed7305

SHA512
ddfaa73032590de904bba398331fdbf188741d96a17116ada50298b42d6eb7b20d6e50b0cfae8b17e2f145997b8ebce6c8196e6f46fbe11f133d3d82ce3656db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a0407c5de270b9ae0ceee6cb9b61bbf1

SHA1
fb2bb8184c1b8e680bf873e5537e1260f057751e

SHA256
a56989933628f6a677ad09f634fc9b7dd9cf7d06c72a76ddbb8221bc4a62ffcd

SHA512
65162bf07705dfdd348d4eaf0a3feba08dc2c0942a3a052b4492d0675ab803b104c03c945f5608fac9544681e0fe8b81d1aaca859663e79aa87fcb591ddb8136

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8a1b1f2d1b2a9c0183025aff17889a04

SHA1
aeb4266d7d546afabbb07bda526a55ccdcfa249a

SHA256
c7c88e9c2b1e13a054486586a0429e203d92199797d665d6e3457512aef54088

SHA512
f4a9f7bd3ef1b111716db0d90786c17f3075de4da0e13737b7b9d563b2d6daf7ceeced0be843a841f5156b53caae47423ef4af766c9ac7119bcd50e9f1cb2231

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
398B

MD5
3afe89e5d880c04758d9dbeb945cba07

SHA1
61f1a5d4a1112ce26c0d2731bfebc0d2e3bab56d

SHA256
6c028ff13095386c526f56159c6cccc6a9d33c0b1ededd9273bb31518e66244c

SHA512
445f63744bb9b86356d33c8908087bff08e773f210960cead5d214f26076659637c3a22396337677cfe0f4425bdac24564eeeaee3a8b46028f8c28d42135fbfb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
eb50a44ff21d59f8c7aaf9fc9234ee34

SHA1
ee5835228721c26a8217c00a060d17034278194a

SHA256
9bba6db5c1386cec17780780ce2860ba6aec4e55f7b065b02dd1c89e808090d0

SHA512
8fc5de7c64ac4c199a13f1eb04b2b4794fbc346f6348fa304d7a15d6b7895bfed5bec78ae3d420083b58b80ace100f871c7042565a378f420083a4c49d880ef2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3a09bab5844719e23cb96afe048de595

SHA1
0c77dcc915eeab2151b3dbb25813ecc2d6579442

SHA256
66d92d91223885780fbb8166d73a3a64d5f1bd71db7917e0c772e950f6b49a00

SHA512
8001811c9aa84d8901024495a2a737d3d0556b19cb694e5212a52c56d64dfd97c7a24dacdae638c61d73c78b2962d58fb6494de1cfbb08f9afee84444f377f80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
baf241114e6f1cbda0b307b66886ce74

SHA1
64e2b86c5a74986d3bf8bbde48a5c23bdfac59ba

SHA256
a3b73e53c6980c7a193f1beb33fd48f41d580afe0d7dcc619af33fe5f2ddeacd

SHA512
9f8dfb55e0d26276adb2a9105129b21a4a582fb42eb530f9c1b3e61b658248cb19fa69ae4f143e7cd9fec3c5a6d228ae8ea3c65f80290e9b10d790ad18316d3d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7d4112641351c1c7c50813b994b56d33

SHA1
1bbd0f8317d7e08dd92c9bb5a808b724b6d1d240

SHA256
b2aefbca60bc8ed5fa0e69d720d87a5b2266776c10ede0a04720fe0884c3043f

SHA512
79e36d6ae5da2e088c69b58870d842a4091776f9d1644fa3942f6fcc8655cbf6b45bc953976222f2e734c49da82b0838176f8d8a84261788c6842a026dbdf22e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d6489cd370d8585581a378e3eb81c94b

SHA1
ffdc528dcede5ad33732201bab423b1f6a25ccf2

SHA256
e18e08b85a8073795cea56433939f590c3ddf7115e5d542d90a8b8a8d9f03888

SHA512
b41b3c4ca06305060f0de37a580289adfb34d658e9a710eef111ce285aec7c7956fd26ae23c2e481da877607ace3fdf496d0c95c0ad6649b629763869eb766ad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f5cc45853192502ded7c75e6262d3c2b

SHA1
ef5cde2f729bf3a2aa96f274360d2d8bd7fe4fa3

SHA256
0861a617677f5edfb53a7b4c8819fec3bc89ec46eb47ec9aae46770055ebd6fa

SHA512
c0cc4de26e2c947da535bf44962cdbf7497637faca28914cc77327a54b950c25347f6d075c003dd9e2f1b61ab0adc7f3b759b0723248e57de0d03849b5daba9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
8dba17fead9e166b6f027076fc5555e8

SHA1
71370990ca7a002a6b30c930f8ced6462438ff31

SHA256
32b5e543863a5c2f64a3e03d6e2f5a1b522e8a4818f1552ca800e4b67f104bbc

SHA512
cb468c20616aff233836e08dcace35381f1f5eb960153c5727868175a8c58f8f7599ee155cd897a4f51bf31c28b9c582cc78bbd4f7f42d766a551b984cec29db

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.ZuneMusic_8wekyb3d8bbwe\LocalState\backstack.json

Filesize
217B

MD5
9b18cc7b22f0ac17284814944aa344aa

SHA1
afff8d4b3fa83e6a3324ac9adb3c5401d37854ff

SHA256
5650dbfdeb874725c2e996c47801254f505d8964a31bcb3f2d647e262428dd34

SHA512
fb2f221c621d94cc1dc966221e662f32903a0d5fca07b1f1391dd07022cb17db17e51e55fc4f4e6f1fb62dcba68d070359b420bd2d691b0f898c9b66d2aeec9f

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.4f_mmffcdj8j2z4gm_n8s9vyc.tmp

Filesize
9KB

MD5
24ebdb1228a1818eee374bc8794869b7

SHA1
79fc3adb42a5d7ee12ff6729ef5f7a81e563cd2d

SHA256
92a7d7d3b0bfac458ddcef07afcdad3646653ba7f4ad048fdd7a5ec673235923

SHA512
63764d99a0118fac409327d5bf70f2aa9b31caf5277c4bc1e595016a50c524cd6c3d67924321b0fcad12cd968de1a62bd292151e35fd907034efd0f40b743d6a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.ac558yd5ykzbqx4fwsiq3qlif.tmp

Filesize
1KB

MD5
4085b7b25606706f1a1ad9a88211a9b7

SHA1
31019f39a5e0bf2b1aa9fe5dda31856b30e963cc

SHA256
b64efcb638291c1e1c132ed5636afbb198031cee44384f3ecf67d82b73accecc

SHA512
9537559523839e3e708feabe8c04f40236add7d200ec36bad00c10a69337a15001103c17093dcc0d8cadb4713d911f39a6411624c1db4cbf1ea1af272a716168

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Temp\APPX.b_znzxsa7s910m9v9p6jq9y3g.tmp

Filesize
2KB

MD5
530f1945913c81b38450c5a468428ee6

SHA1
0c6d47f5376342002ffdbc9a26ebec22c48dca37

SHA256
4112d529734d33abda74478c199f6ddc5098767e69214a00d80f23d2ea7291ff

SHA512
3906427ffb8f2dfea76ba9bb8cac6bd7dece3ebee7e94ea92da5bbdb55d8859c41260a2bda4e84fab7e1fb857ad12a2e286694ea64d00d0aa6cab200fbbf64f0

Download Submit
C:\Users\Admin\AppData\Local\Packages\microsoftwindows.client.cbs_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\PWVY4IQH\localhost[1].xml

Filesize
13B

MD5
c1ddea3ef6bbef3e7060a1a9ad89e4c5

SHA1
35e3224fcbd3e1af306f2b6a2c6bbea9b0867966

SHA256
b71e4d17274636b97179ba2d97c742735b6510eb54f22893d3a2daff2ceb28db

SHA512
6be8cec7c862afae5b37aa32dc5bb45912881a3276606da41bf808a4ef92c318b355e616bf45a257b995520d72b7c08752c0be445dceade5cf79f73480910fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
89KB

MD5
cc6bbeabd08bcf0b933cf8fb73904ea7

SHA1
b6ab1b979f275dad296d7d29ab656e534c2300db

SHA256
f68f8d65da3c376f39e107aeda23346dbaa05861505d6a585baa0aaf1099897a

SHA512
cea6e8759a4cd08fa61d230e5772e18d291fb132ce48e0c963be4a543d080c24bf6ddadeb5a63b233f878e3058c65426b6361fbf555d74a10095a555067c1be1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
5e693a2e18a170fc0cccd81d2af4a288

SHA1
9e700da0f39c826d4dc97d51a54fc080989a6a89

SHA256
8a09a0c15a78a8d156c9944cf4862cfa1886069be6a3683837add7517ee708e4

SHA512
b49400541be8a2408af99a04fbf1aa2f7b3ab66d4eae089c6501aa5bbfdcee661b539cfe01c35425117860bd7ef2e9d44f66626821acff15e93d392ac116d507

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
43KB

MD5
54f2d1c900309dc372d63fda01f72116

SHA1
cb010294d6f8da05e5f3b5bff809ef5e291193f8

SHA256
7078fb609753060d4dad495801145897cce46a70a63e5739c5e926a000923711

SHA512
ccacb333539bfc8747b678fd7c66532b153d452327c07d0c3a8b851883f9244b3606e6d5ebed78ca55a454e2ac0ce7cdafd2a96f96c31e5b66ea48490b8526be

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
fb36bee776d14cbcffdfad1502199120

SHA1
03f5ae2fe4385e9f2363584a89308142dd12118a

SHA256
0d522bd6c9dd1fc16571f51964b548ee8830375b8526f8b252f348f24ac527fa

SHA512
365d7d7371e4cfc09d86a19860a284a51eb889df7fd401c011829e3ff000f93478cc1a53559c7bd2fbd17d418447ae7d84801fe0998916f76c7fdd764b331ec9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c77d22f41244e2f7102f330ffc1f5999

SHA1
69bbf6672c2d497e5b2322f9ad5f8abf2feeed03

SHA256
2a1fbb10b70d33256baa7f9c51f3cbe5ffaa6d52860432425ac272c15b9aeabe

SHA512
7edba3c2382209934c66c749482295317c91d60920f5ed650d3b0aa3dac9024b101641f7f6932d9d49017b32205bba8708fffafd667085de04fd6e37a0e64857

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
d707fce43af90bd146fe3c1b2195905d

SHA1
4b6fcba4f65a4071c745a8fcaeeccbda849789c3

SHA256
73573731686c02dc30f83fd02bfc04d540cbb02eb4fd340da4eb6a53f63b2432

SHA512
dd83d86fabf56de31b15dde67da460c397193aa7e85d8b870e332cc807dd45a03503f90aad0707ccb747093cd883a458cfd2fa739324c81768596f85521a10b6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
9c891a095c1b3a79ba9afae2408edd40

SHA1
819fe113975cc27c6e400a1d3300e6b922116d07

SHA256
b9610170d395d2e44bd1126aab6a02657ff011fb628220cc9a2bac124f498e7e

SHA512
5aecd256a5b04285e5423305db8b846f8b2f6bcce61dc39dfe7c0b805abf2450e6b24967c6b8aa555efd0f0b34524aa4f8b382126f5f76ff388a9af8482b0d85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
dd64798f8b21de2bac820e58dfe1afa0

SHA1
05bc022dd6b0776e86bfcef12067f5fad1608693

SHA256
ed078ed723e99ded66de50529620783798a0a28d3a5584255a0ec04c5da27b22

SHA512
b5fa5ca817f4ee4253fad19434fd3d860d7345cf39e84dc08ffd188571aa67d506bbb79212e737c0c8de2ce289b44593dab94f13222d8754c0cbd7f9f35018b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
e654249f8e0b2765537685d0f1ca4fc1

SHA1
3bcc7b96c44eff097eeb8fdc43a5aa62a03b752e

SHA256
3165baf420daefaf07865f477251b4f15d750a2b86886b72058187544e3ea4fc

SHA512
695d22e3025bc1f3d93ea04b1b6e912d3c59d2162603a7f268a86567cc0ffae977ae2fc2843b4e0deb670dfb27ddcbc61ebae3878d7bdb825c92a00151735efd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
3dd2e664ab9654b1f338e3f41dd36679

SHA1
deb86191799bec113d7939653063ca64913e3e80

SHA256
f5e8272813a914b842a3281f92dfb9c7d956e64acee06593180e12ffb7773473

SHA512
d188537c9033cfa85b238ef54f9af1b98011039dd80ba4ffbe50d0b7920e5d1194a39bb3a20204c3b4b8240bfdd792342ca6b2a3e686903e5993b577899840f6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
61b98473a4cd6a80cf5b60e0107ba965

SHA1
493342e7146fe6022f54cfc0e99455386f42cb89

SHA256
a39558571b5b0980bc8b3ff55797474ecf83f1a00b419772e5c6fd170c8e18dd

SHA512
4326c34a6f3c0bf41a88e13b886a81e9781a5016df02d86d7af9e94f62053e8fdaccf933861b6cf5fde117fe3bdfb8e3f7521a512ac3d1eb3feac9f3a5cca85f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
567f742a5d0a0fc602f980b692cc2c6e

SHA1
c14f3494f79893bc15b3a237c6c988d27258652a

SHA256
32dbb05b067699c395aac6fe778a0f2571e27f4e62daf86a5e8d4bb9bf024965

SHA512
1516cd819eb22ec0839d1b5d995ce5ce8e0fcb02e7f60a73caae2229ec7e30583d19fd92d8fdb2f031faac1a2211e692cc0eee1694cc6452b446c9ac7724ed3f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
7c2217ee27fb99c7cc95ec5a03b0d9a9

SHA1
d22a5d0108bad31427ad320702933e9f692da29d

SHA256
5add5e3594873b6d830878d14cc87d62c74c6408308accefcccaeb40ccd5d410

SHA512
0b8b5a75ae428c6791334c027e856602eadd5b6d1031a089476703634d4d919bd238d2b2234e85eceed920d49b210d979d64b6c7393fa3223814199975d8aade

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
9834100105c23c8db25ad6dbd16d180b

SHA1
f39bcca24e32e715f0856ee6b563d2cccb403df6

SHA256
5092f8c95661975257ae23a7c3ad6103669216795c3f85a60dd2d735c0e79290

SHA512
f4e79f97c73660f786c1b0badab1e04ad7ad291ea1b000e8078fbcebe91b44bcdedd426e82fde282cf4040afa8e6b5cd4719ce71e21bf1a1fde293b24ac7065b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0c5dbb2ccfc6d0429a86132f39f02ab6

SHA1
38e79b396a60134be0d6988489cc9aeb0c16f88d

SHA256
0664e371b53a3f61412f430585b758e64a406e4db2b71e7848af6cc9f3467865

SHA512
86b330a1dadea94e27050bb0affc791fc3e14e82c88062737496d1705745a2d64333c8a2ad351796942ecfb3705f2e07f32f2b6357affb6eff39dbcebdb7cb8c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
804088328179bcfa86eb6b118f7c4484

SHA1
f29df4567d30b17dae015fb223e59abb9c518703

SHA256
ade7e8c03751bc32e42fe96cc7cc90d6791dba6100e679882c94c2cb1931d8e4

SHA512
72744fdc0f042bb63d175ceb4aaa86fdbbeef7e5b6ae0bdcd6bc009d0f2b8e7fe8af947f3fc1ef5a68203606e6accc1a7a353c1af507b9c37681fd5faac9fd52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c012d1ee077974aa9822bc2f10c3b5ca

SHA1
f6b939820b4418f0fff579c9a17fe6c42354c5c9

SHA256
f010974efd375b5431893289bc25a948f6341cc10301180a26a62cc6bf5fc719

SHA512
bda819e3bf773ed9483fe5632ac7d30168e2d49bdebcb5c8527d46f8397169adbbd0b2655c2eb806cecf4d92782ab81227f889a04bbdf6d65d8140d2b2ed8ef4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e3fa40f4369d75de3a68a9744a9fff9c

SHA1
7c522f80f3fd5bd0aeb9d6128835943be3b66175

SHA256
be674f25120dd2b1c6b3642a1bf4b9e5b6f455970f8658fbb5461882992283e0

SHA512
9cbf3a83f712ab8ba0d417a90304949ccc1cffcf8cef4f770efffa8bc295404077a2a49b1f211485db053957c286396d6bf1180691354760ba1acb80feca9436

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
64f829b3e108374a310d45279f54604e

SHA1
5be4eba63ea95c40a24913016ce9b131764eb7a9

SHA256
03068ba4925c2b3334ce2266889b5bf3de51c92d1c8091de64d0b8838a1c6962

SHA512
800ba09a07f778cfcaf4acc0c41137be061f1773f185dcde1b174e43786f90ae429a99e57a903d21fc2497e804ac8352ad5b010576253b4caa1a0fbdbb549a69

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
aa9a7f452aecb4c4201d57e211e09f73

SHA1
790367a1c1becc28769c3a3087c236de54780c4d

SHA256
e4b57adba5b3daf0147a5d1755a192dcc16c389a78bc89083e26b1e888854c77

SHA512
68206cb61d4e8b5561205b475f6c262d54476745b7e51715b34808412aa009ad5f411fd4b9f4e6098f54e5596627d542ab868d9e113c6d8cca2799d4ee732143

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1dc882e308dd6468dae8f4ed4d4a5218

SHA1
7c7607d513e066b46bead09eb1c9057df81750a6

SHA256
33e647d98a4a93718faad3fbab02171849c237133f557bab9c32b9ef6affd36f

SHA512
d8b18cae15914ff91fe3f5d4557855cba3dac5df052a18a8afe325dc57cac022e3f754e25029618011f380061b858603c4db8435f372a64b6c0d8e3c05664517

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
915f7241b59c91394c86803c8e8c6a53

SHA1
449e429e69c7c78dfd88bf2677ddaa0bc1a68114

SHA256
0bb503ae740f6e4dea652a6feb6efdbd103a72bab49e52a553cdc8e6a66bc81f

SHA512
15762cf9a9c5f48b98139157056ae8db5d76905e033ca4b2acaca8f6f0bbf220e2c704f22bbef29f1ce34c2535ce35c52aa1d8074d9a4a704417e71aa659fd28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fa0d09df0b6083bc27579740affc40fb

SHA1
1611e55a0f38cde15a07e9812d4bd5bbd6ce3cba

SHA256
f24616ccd9f9e23de8c16213477bb43e8404e09970a88477533c00dcb81c0618

SHA512
68253e298ff6b5cfe84d8fd4ccd6f514dee965dd29eec2be9693fbda0e20667bda524470314ce107ba620f0327673428cdf972d450fccd7121729752aacf09d5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ca690c85367c13274b8770e2100b5f76

SHA1
c48db787af7ca9b922fd6d40ff4cf543f30e619e

SHA256
201b2b59457880a05d05d0535ac820b7eb0877fbb2f3a9fd3974c18436983784

SHA512
612b6fe5ec8464453f47b510f918df1866d910488b26e4293d704c482adee003ddd861f961d785030c1b6599346e6190d63d1b9647e292eeb740e2057152dbfe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4dfaace4fa324e2772872190b285188d

SHA1
8ea7cf1a79eeb61eddbcc5c2582751791151f0c1

SHA256
fdeb3bb8905fef01a10fb16ca46095d925ef9a3ee4f97084f1585dca1f0baf85

SHA512
74cf2a9868122973b91938922c70ca386e9c54e1cb5c007b060ac539bfb5e59e1d860bf5c0e22426be3c8f4ca3bb01952d97e753b4961edd547eb618ad54b31c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
764b8c857467787e7deefb029ea6ee38

SHA1
feaee0e38ae7a47efa26128639c6f1d3cdece750

SHA256
4886f46f154382d9fe6b42e106e881b14e2a0ea07e73852f7ad99d5b85253d89

SHA512
8902f9e41789fbef0232b0c905a6dacdd9d5dd55e81edf35a3482a20a050cf17506ab9b7c9bf5974866ee3f00721c5e1c4ce3ebcdd5e14dae71e46eee6cc8e25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
00bce1c0ba1b8c77914a57e753463c14

SHA1
a020ba14eb209dc46cf0365865529fefbcb4c9b3

SHA256
c51d6cbe20c54af32ee14e3581ea91bdc13f911d7a34d7976289b7f831d0834a

SHA512
d2204512c217fdcf3d19f9720b5d5d09ad41286430fd5d2ea33f8e6bb19e4bb2e60a3d818c7b090d9d9382a9596291e7e9b91674d33bd6c307e3f7b7bb61aa97

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\db\data.safe.bin

Filesize
9KB

MD5
6da1dc5a1347b63718111f6452ccc79f

SHA1
fba064004de9e9e3d7cb8ea2d3b4b97ab2c73602

SHA256
d291c85c317b6b55dc40ba86c8b21dec01969ebf62aa878247dea00a08728ee7

SHA512
a267edeb22d621c6ff20b83ffbe9b444e98ac56602417c4e0ddd5aba9dfc6434fa420f788540aeb54eae9dd7351b58cb7b82e7df59324921bf976d987a88974f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\datareporting\glean\pending_pings\4193a791-f1bd-4276-821c-58976528a76e

Filesize
734B

MD5
7ade4824637a953957c63ef9f1d436ce

SHA1
b01202132febcfdae29576226d175dfe5fa5c4ec

SHA256
98945cb4a1722750a52ed83bb141a639b593d823a9b39f5d0113cd9a84475099

SHA512
769d7c9273da00ffa8a3254a8e94c2e8a2e12d904b8aa6e09ed5ded7323080bab6fee2a411c2e675e6a679cc9e67123eddd068ed248afc06f98ec1023a3002a4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs-1.js

Filesize
6KB

MD5
9a4143bea48787c840478adfeec9569e

SHA1
fe3bba8314a058587be4e1bae849e6774834bff9

SHA256
c1d6f7925b9477a603a2a798f662cba1af244cdfa5f37c487ef03c3a19253e59

SHA512
c85a5fa7c56eb26dadc1da718d33ff5ca8c3394af72329346e6c10ff2a0f256ed1046bcaf0995eb73401634832dd60e35c97494c087871c1dd426974fbb93351

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs-1.js

Filesize
6KB

MD5
9eb6c7d71510f2bbcac92574fcefebed

SHA1
a882084f3c4a20d55405568e285d3844d9150b11

SHA256
907a22e7652b9a1c88c28cb6f54eadbc771dcdfaeae0c741aebe38d24c4d02f8

SHA512
c202384dcc71be62a65ac880a9f1de4188ea3ed8b68092a7ee03a1bdfd5b792fa915b4953d80be1526cddcdc56d53b25b3151eca4107dcf699f9224aff173a56

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\prefs.js

Filesize
6KB

MD5
ba829b8554da8a47fa9b2a4af86d7b00

SHA1
6e5bcb37972e58aeaa5789e015e86e6c7d8821e6

SHA256
fc691ceea087810fb86633b5f282b86e779cc8d1de9e399f196e449f78211cb7

SHA512
fca6de11440feff384121af48403735ee726c2677ea058421ac078fe4ab518c04feebdb5bffe0bad74c832d5fc949c0cb67fa8a74e25795e7f1c0057d1c04d9d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
65b4571b31800412d0202c349813724c

SHA1
0618be6751122e85e4a71ea3eefc8f1af535e274

SHA256
ba37141eb5dcc127ea0e57ae61b9ba4587eb6542d5af40a6e56d89ef5821dd99

SHA512
608cb1f6a4c84cc2e36342ce820e8ecdddb8e62bad7268c2d2ca1ccab0945f61d3a29ab76dedc52310052e421036ef54e55e99e9d6cc14afa4b61072c92d4b11

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
515977ea16783591fb634e9fde400931

SHA1
ae4b6110133f6f5ddced6349f0010396f677f49f

SHA256
0cc3fefcaff25bb9c74d935f0c6fb9f617131c9b9fd848b9b7cf94f189f51c54

SHA512
e77763366c24f932fb850c754b1709434999253abc50cd5b2bd88ed9bdc3c90fd2d4f956bc51656bc7c9ac816ab9d015bec69f3c5be903ebaa3d3182daad5f0d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
6a55e19e479cfc48f4d8c330d39e6818

SHA1
666fe22bde9cf6e6046fdaae04833aada0fac533

SHA256
730d70e6c6519d01d535ac662383db64e3967ff5f9a7d680a57fc91959b33991

SHA512
986c68258f5747cc20e7182019fc2caae81763e5d6b7c6f6e5d3c5f2952d5c766f334473fde6c7767eb73cb7e6878241e767a0c712825d146b8b2ddb4adef31f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\sessionstore.jsonlz4

Filesize
2KB

MD5
6f467d7a5e65bb0fbf66c07091f4eacf

SHA1
423074364a443caf683569bee0320e89a8536580

SHA256
2c79a525d4ec672f54dc7328a6ed6e321af20920a7a2d68440e8930e68410ba8

SHA512
792d6c96c661718b400a2962e2263244c6bf03e642d721e0d58da729c0eb36335c6fd372d5f1596b8bd436ca24ec4a037fbfbc03211f97430a2cb06f362aac76

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\obahtjhr.default-release\storage\default\https+++www.pornhub.com\cache\morgue\82\{5364d512-771e-4a0e-ac84-a2bc72623d52}.final

Filesize
456B

MD5
4849126d62348e96de9f534891ee372c

SHA1
04208116ad7cb0edcb2c7c754042554104172d10

SHA256
92930e52c17a5e42a09f648d090ba0e48384fe2b6f4f6b3e3fc70bd8a0e6ac5d

SHA512
bd7769637a8707a21027e442faf6911019a2c731bff17fc11b9da0b74490162ea4eba2fca41942a7c114cc75ab1941f208c1fcc789bdc0a594b5ed269f6e6f25

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
77B

MD5
0d8ff9d7b694628e7a76d29c8624d1b1

SHA1
7e02f522238fe8083aee80fa03fb6537b5f00765

SHA256
fef2b21c7235acfeea847f8bca31194afe0d96849970604add6b89ca1834b138

SHA512
3cb96f0e928cc78500072c9c7d51278c5c45dfc0797a69e2070a8ab40c8868c1751a33bcc68fef3766a845c1f6f5015e717106f964664d05fb3214ac010d1a2b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
c0a8d8fb18ba3599470ac07e9d4c21da

SHA1
2f2224b6cc6a91d2fa459341bcc56939d9aaa964

SHA256
9c779ba622e829246d42aad03d6d5eeb4763d87669009d4910b2a0bb75f1abe4

SHA512
81d1d7b3d1b8faa18d1e735c2ddce71141bab23862bef1649dda90b6d67afc705306a13b352b578f1a30b22522a60524c3382b9a86503c981b6f58c88050388b

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
14bda2f1ac3ff6639c3c240fbfca881a

SHA1
5850f40a49e51fccfd4c45fc251b6e76d1d91d44

SHA256
13530fe3ccbf7c3e7e3f57932e2d86174041250362f350f87f9ebcc1a8a16eeb

SHA512
f2ccbb9706ae08e591c2dbd21c5c5bd289ca3772be1dc7bf970bac6fc31dd5aa283d66425cd1ce04d01a80ac9f50e1315f0700878fd35387bc97dd791c9b7993

Download Submit
memory/856-256-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/856-273-0x0000000005D90000-0x0000000005D91000-memory.dmp

Filesize
4KB

Download
memory/856-268-0x0000000005D40000-0x0000000005D41000-memory.dmp

Filesize
4KB

Download
memory/856-240-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/856-271-0x0000000005D70000-0x0000000005D71000-memory.dmp

Filesize
4KB

Download
memory/856-281-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/856-242-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/856-245-0x0000000003C20000-0x0000000003C21000-memory.dmp

Filesize
4KB

Download
memory/856-288-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/856-251-0x0000000005B60000-0x0000000005B61000-memory.dmp

Filesize
4KB

Download
memory/856-255-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/856-864-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/856-254-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/856-257-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/856-258-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/856-259-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/856-315-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/856-260-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/856-253-0x0000000005BA0000-0x0000000005BA1000-memory.dmp

Filesize
4KB

Download
memory/856-261-0x0000000005CD0000-0x0000000005CD1000-memory.dmp

Filesize
4KB

Download
memory/856-262-0x0000000005CE0000-0x0000000005CE1000-memory.dmp

Filesize
4KB

Download
memory/856-252-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/856-263-0x0000000005CF0000-0x0000000005CF1000-memory.dmp

Filesize
4KB

Download
memory/856-264-0x0000000005D00000-0x0000000005D01000-memory.dmp

Filesize
4KB

Download
memory/856-266-0x0000000005D20000-0x0000000005D21000-memory.dmp

Filesize
4KB

Download
memory/856-265-0x0000000005D10000-0x0000000005D11000-memory.dmp

Filesize
4KB

Download
memory/856-267-0x0000000005D30000-0x0000000005D31000-memory.dmp

Filesize
4KB

Download
memory/856-270-0x0000000005D60000-0x0000000005D61000-memory.dmp

Filesize
4KB

Download
memory/856-269-0x0000000005D50000-0x0000000005D51000-memory.dmp

Filesize
4KB

Download
memory/856-274-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/856-272-0x0000000005D80000-0x0000000005D81000-memory.dmp

Filesize
4KB

Download
memory/1540-326-0x00007FF9BC030000-0x00007FF9BC230000-memory.dmp

Filesize
2.0MB

Download
memory/1540-330-0x00007FF9CDEA0000-0x00007FF9CDEB8000-memory.dmp

Filesize
96KB

Download
memory/1540-332-0x00007FF9CDE60000-0x00007FF9CDE71000-memory.dmp

Filesize
68KB

Download
memory/1540-333-0x00007FF9CDC60000-0x00007FF9CDC71000-memory.dmp

Filesize
68KB

Download
memory/1540-334-0x00007FF9CDC40000-0x00007FF9CDC5B000-memory.dmp

Filesize
108KB

Download
memory/1540-335-0x00007FF9CDA90000-0x00007FF9CDAA1000-memory.dmp

Filesize
68KB

Download
memory/1540-336-0x00007FF9CDA70000-0x00007FF9CDA88000-memory.dmp

Filesize
96KB

Download
memory/1540-337-0x00007FF9CDA10000-0x00007FF9CDA40000-memory.dmp

Filesize
192KB

Download
memory/1540-338-0x00007FF9CB7E0000-0x00007FF9CB847000-memory.dmp

Filesize
412KB

Download
memory/1540-331-0x00007FF9CDE80000-0x00007FF9CDE91000-memory.dmp

Filesize
68KB

Download
memory/1540-329-0x00007FF9CDEC0000-0x00007FF9CDEE1000-memory.dmp

Filesize
132KB

Download
memory/1540-328-0x00007FF9CDEF0000-0x00007FF9CDF2F000-memory.dmp

Filesize
252KB

Download
memory/1540-327-0x00007FF9BAF80000-0x00007FF9BC02B000-memory.dmp

Filesize
16.7MB

Download
memory/1540-325-0x00007FF9CDF30000-0x00007FF9CDF41000-memory.dmp

Filesize
68KB

Download
memory/1540-324-0x00007FF9CDF50000-0x00007FF9CDF6D000-memory.dmp

Filesize
116KB

Download
memory/1540-323-0x00007FF9CDF70000-0x00007FF9CDF81000-memory.dmp

Filesize
68KB

Download
memory/1540-322-0x00007FF9CDF90000-0x00007FF9CDFA7000-memory.dmp

Filesize
92KB

Download
memory/1540-321-0x00007FF9CDFB0000-0x00007FF9CDFC1000-memory.dmp

Filesize
68KB

Download
memory/1540-320-0x00007FF9CEC30000-0x00007FF9CEC47000-memory.dmp

Filesize
92KB

Download
memory/1540-319-0x00007FF9D16B0000-0x00007FF9D16C8000-memory.dmp

Filesize
96KB

Download
memory/1540-318-0x00007FF9BC460000-0x00007FF9BC714000-memory.dmp

Filesize
2.7MB

Download
memory/1540-317-0x00007FF9CE070000-0x00007FF9CE0A4000-memory.dmp

Filesize
208KB

Download
memory/1540-316-0x00007FF657B00000-0x00007FF657BF8000-memory.dmp

Filesize
992KB

Download
memory/2032-1215-0x0000000005C30000-0x0000000005C31000-memory.dmp

Filesize
4KB

Download
memory/2032-1225-0x0000000005C50000-0x0000000005C51000-memory.dmp

Filesize
4KB

Download
memory/2032-1219-0x0000000005C80000-0x0000000005C81000-memory.dmp

Filesize
4KB

Download
memory/2032-1220-0x0000000005C90000-0x0000000005C91000-memory.dmp

Filesize
4KB

Download
memory/2032-1223-0x0000000005BB0000-0x0000000005BB1000-memory.dmp

Filesize
4KB

Download
memory/2032-1224-0x0000000005BE0000-0x0000000005BE1000-memory.dmp

Filesize
4KB

Download
memory/2032-1222-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/2032-1221-0x0000000005CA0000-0x0000000005CA1000-memory.dmp

Filesize
4KB

Download
memory/2032-1218-0x0000000005C70000-0x0000000005C71000-memory.dmp

Filesize
4KB

Download
memory/2032-1217-0x0000000005C60000-0x0000000005C61000-memory.dmp

Filesize
4KB

Download
memory/2032-1216-0x0000000005C40000-0x0000000005C41000-memory.dmp

Filesize
4KB

Download
memory/2032-1192-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/2032-1214-0x0000000005C20000-0x0000000005C21000-memory.dmp

Filesize
4KB

Download
memory/2032-1213-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/2032-1210-0x0000000005BD0000-0x0000000005BD1000-memory.dmp

Filesize
4KB

Download
memory/2032-1198-0x0000000002470000-0x0000000002471000-memory.dmp

Filesize
4KB

Download
memory/2032-1212-0x0000000005C00000-0x0000000005C01000-memory.dmp

Filesize
4KB

Download
memory/2032-1202-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/2032-1203-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/2032-1208-0x0000000005B90000-0x0000000005B91000-memory.dmp

Filesize
4KB

Download
memory/2032-1207-0x0000000005B80000-0x0000000005B81000-memory.dmp

Filesize
4KB

Download
memory/2032-1206-0x0000000005B50000-0x0000000005B51000-memory.dmp

Filesize
4KB

Download
memory/2032-1205-0x0000000005B40000-0x0000000005B41000-memory.dmp

Filesize
4KB

Download
memory/2032-1204-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/2032-1209-0x0000000005BC0000-0x0000000005BC1000-memory.dmp

Filesize
4KB

Download
memory/2032-1211-0x0000000005BF0000-0x0000000005BF1000-memory.dmp

Filesize
4KB

Download
memory/2268-294-0x00007FF9CE070000-0x00007FF9CE0A4000-memory.dmp

Filesize
208KB

Download
memory/2268-293-0x00007FF657B00000-0x00007FF657BF8000-memory.dmp

Filesize
992KB

Download
memory/2268-302-0x00007FF9CEC30000-0x00007FF9CEC47000-memory.dmp

Filesize
92KB

Download
memory/2268-300-0x00007FF9BC460000-0x00007FF9BC714000-memory.dmp

Filesize
2.7MB

Download
memory/2268-301-0x00007FF9D16B0000-0x00007FF9D16C8000-memory.dmp

Filesize
96KB

Download
memory/2268-303-0x00007FF9CDFB0000-0x00007FF9CDFC1000-memory.dmp

Filesize
68KB

Download
memory/3804-29-0x0000000005CC0000-0x0000000005CC1000-memory.dmp

Filesize
4KB

Download
memory/3804-217-0x0000000007390000-0x0000000007391000-memory.dmp

Filesize
4KB

Download
memory/3804-4-0x0000000003D60000-0x0000000003D61000-memory.dmp

Filesize
4KB

Download
memory/3804-1-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/3804-85-0x0000000007380000-0x0000000007381000-memory.dmp

Filesize
4KB

Download
memory/3804-0-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/3804-228-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/3804-32-0x0000000005CB0000-0x0000000005CB1000-memory.dmp

Filesize
4KB

Download
memory/3804-84-0x0000000007AC0000-0x0000000007AC1000-memory.dmp

Filesize
4KB

Download
memory/4044-30-0x0000000002370000-0x0000000002371000-memory.dmp

Filesize
4KB

Download
memory/4044-292-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4044-287-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4044-12-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4044-230-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4912-31-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

Filesize
4KB

Download
memory/4912-11-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4912-286-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4912-276-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4912-13-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download
memory/4912-229-0x0000000000380000-0x0000000001AB7000-memory.dmp

Filesize
23.2MB

Download