hxxps://download[.]anydesk[.]com/AnyDesk[.]exe

Resubmissions

09-06-2024 12:29

240609-pn445sbb92 8

09-06-2024 11:10

240609-m972taae48 8

12-02-2024 13:20

240212-qldd3sgb59 8

Analysis

max time kernel
960s
max time network
962s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
09-06-2024 13:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.anydesk.com/AnyDesk.exe

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 3 IoCs

pid	Process
2288	AnyDesk.exe
1088	AnyDesk.exe
444	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
444	AnyDesk.exe
1088	AnyDesk.exe

Drops file in System32 directory 11 IoCs

description	ioc	Process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	mspaint.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
444	AnyDesk.exe
1644	vlc.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
1088	AnyDesk.exe
1088	AnyDesk.exe
2288	AnyDesk.exe
2288	AnyDesk.exe
2044	chrome.exe
2044	chrome.exe
4324	mspaint.exe
4324	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
1644	vlc.exe
3356	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe
Token: 33	1320	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1320	AUDIODG.EXE
Token: 33	2288	AnyDesk.exe
Token: SeIncBasePriorityPrivilege	2288	AnyDesk.exe
Token: SeShutdownPrivilege	4836	chrome.exe
Token: SeCreatePagefilePrivilege	4836	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
444	AnyDesk.exe
444	AnyDesk.exe
444	AnyDesk.exe
444	AnyDesk.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
4836	chrome.exe
444	AnyDesk.exe

Suspicious use of SendNotifyMessage 48 IoCs

pid	Process
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
4836	chrome.exe
444	AnyDesk.exe
444	AnyDesk.exe
444	AnyDesk.exe
444	AnyDesk.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
1644	vlc.exe
444	AnyDesk.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2288	AnyDesk.exe
1644	vlc.exe
4324	mspaint.exe
3356	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4836 wrote to memory of 3196	4836	chrome.exe	81
PID 4836 wrote to memory of 3196	4836	chrome.exe	81
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 2040	4836	chrome.exe	85
PID 4836 wrote to memory of 3092	4836	chrome.exe	86
PID 4836 wrote to memory of 3092	4836	chrome.exe	86
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87
PID 4836 wrote to memory of 4136	4836	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://download.anydesk.com/AnyDesk.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1a21ab58,0x7ffd1a21ab68,0x7ffd1a21ab78
  2⤵
  PID:3196
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:2
  2⤵
  PID:2040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=1256 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3012 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3020 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:1
  2⤵
  PID:2180
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4548 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4784 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:1588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4808 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4140 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3544 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4540 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:8
  2⤵
  PID:3452
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:2288
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1088
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2820 --field-trial-handle=1752,i,5114707263915211671,15731682635006576955,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2044

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3164

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2d0 0x3d0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\SuspendConfirm.mpg"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:1644

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\StepPing.jfif" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4324

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:1972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
f7d013c2abc62fb16e920d3a16066f45

SHA1
7fb13522369841f3e0afaf24cac705acc8d15804

SHA256
42c9210bd149845522535eb5e9dc3c0889430b364502ac24e0cd1f52f767937c

SHA512
b36377afb963de8e7d00eb129a5a9b08c25659d7c5c2f0f7f7ceff9e49fcc3b1338cd3ec26abfcd63445c3fb652ff508db79069c9a5e1f2864888e0c116a21e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
90382be8c7b91d74c5382fcd5630cc1a

SHA1
3eb27e5f3cfc313add798a060d4d0f89daba6e09

SHA256
e83f1d68556571b768017ecc0726b208c2bbe53f048eaac4c2a97c782ef61bff

SHA512
0339dc2ae574a067d14ce7725ef278a0dc82d8af1fbce83983109aef84b572f354fd10d809458f55c88a9537d04b0dd48c74d7b483dc1d51bc259876677b010f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
69d2ce993b2c8d08db81bdfff64c3cc6

SHA1
7b2d7a0923b3b03b0a2d69a3d1dd8682a996e1cc

SHA256
125fb1bdf882c5f134048734cefbb89e2b974e6b41b98aebef974959a0f67188

SHA512
715fff2f64767656b35af12cacdd88d0ecad44bac8d0cb87f8edda7d9662eb13edf8948cc8648aa2bd92500686f6838fa85097d6a5205e4075f3cdfa895d05c9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
427140a88b70e57193e2a7ce54ed7123

SHA1
aacc4eadb5e53e4ecc4ba72982cc0a504705af93

SHA256
6755b9ddd3e231b6c51f2708256a29110b5133fdd68afaef522994866b389f45

SHA512
f68a6f831865853c975e0c73ba63cf78b96edc7b00d41a4c96e26cba9dd23825f1c02845ee9ac484f8a6a3440bf720f96e135172d73e3202e24d2666f5c0c819

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
3696edffc8ce9fa08db7886e0cbf5a8f

SHA1
2f26f8741a768e47fb9226baab419965c627956b

SHA256
edd551e8cdcfe8808f09b2424940db14c001f63a88dd496aee42acdca1163293

SHA512
75a8e1563d76160fb8b215921c40473a43717e048b348c2ebc2cd41e0e2557468980e09872645dfaa25bcfad4e78eda6ed39f5fef2bc438d02089fce7c005dc9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
3f80f6cb0b36446d04a8b65f2039658c

SHA1
8da51730d1826a3b21c2d54f3b9a08c7abb9c6e9

SHA256
7072c56b80e4cb45db694a419bf378423c689bde8e75196842e36c07cb0f6e5d

SHA512
55ce144d1b03378252f093872ba1594c0a68d85981e0d79dadb7211d1c6f082834ad8f3eb8b91c7222c4208474e5a7733d542227187a66966552af46b9db00da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
dc364f87b71dcdfa4f181036cdfdd71e

SHA1
38ad8346490ef206bb1b1cc18b3e0f844ae86dfe

SHA256
84e982e2063e7aa8e5807f0c1ebbdc3c30d793abf28d76d7fd9af05ee08a610a

SHA512
f0565f9ab2a41c18f65d7603bf4cd2b7d26fff471b4d61a9a1385f248544f4db09a1dd0e6445628e5f34e0ba2ab4bab285be6373e77a630dd3fba1ef26962b40

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4c545139803400a576f7e399714562af

SHA1
94006905f956d08d8b1796cff3a3ba44615b708c

SHA256
cf6e59b6a47d72934831021f920d0d7262659087dbe038fe23e5ffdd2a3136b0

SHA512
70409b889471c3f78565b9b9ae43b1a4ef993a266f87a8879fe3f55b958001165d92428490a8348675b7f8514299dc4e351814bd5dba78bad4c1dc77591c787b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
4724605084242d66b44586f57b45c44b

SHA1
71b6e61c8e6f1ddf1012b0ec988cf929a3fe43b9

SHA256
0bc481211c0ec140d5f2cf54948a84df875db5583172072b9eab71f0e207df2e

SHA512
1af77f09bb6561eb9b456097e0796920f7e6f0a3a364ad190a2013f303bc7a702ae48b58a05763b0406fc993c93aa2f6db662dad8a627084f86f814624070c88

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
4452ce3dbced20a6016de7f31722c637

SHA1
fbb86f10221e32aaf7d7e4c4fe01dc5eff954124

SHA256
4cb27a35475edc07927e8ccd88301df5dff65351b3cb61631b271020e9c89272

SHA512
5b7654065e6cceec39cc1c8f990934af1395c516183f0459a4b26045f7253edec39c1852c16e1646e355ba8b7afd4f36ecf654975d7ec87e8d590b2a63c1a244

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
fbd18aaeff6b139f19ea7dc865cd887b

SHA1
3dd0fca42f2e62386f5dd707409d73105dcdfbeb

SHA256
422b2548606cb7d3cdbf353ba4345c0a7b5d86520d738fa96d8c168ebc1c591b

SHA512
673c1a025229f46b77c78b2facdb45458f1310a70ab3c1131c419fb8cdcfbca2121abd50ed23b819fe57c463448e3db63c8080e96e87178a081ff09696d464f4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
73c5b9e6fea335cc338329587be5b382

SHA1
325b931a40f33eefb2e4d47dbc0a66a55eebba8a

SHA256
090627ae26083ef76f14c9a7a00e9599893a7e1ef3d331da7bc0b2545e4121d3

SHA512
52131cb7ed906a52bd6e06287e0947359576ed4365798dcfd7aa014217a0fc086c7a9bca580bc9aafbe41f0210c8911c2947757589beb631e33d19bb82e4a9c2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
14ed650d160c4ca042f5e3dc089724b7

SHA1
3f067b8094808095cf67c33886112634a3511ea8

SHA256
4c30d222b8327a0f734c7f2d170355631277aa487153115e0bed6835da483064

SHA512
f0978762006c3a86d9086db8ea48713c005a0ce10da58384d356c5e45875e0428339ab93ce5f26ca2e1c382fb7e849a03b5711b5723735006fffd5bd41e10ad6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
7bfc694b72fa5405a006ea527645eda5

SHA1
5aed0afe247a69302d46e0edb1294e83261c8c94

SHA256
604718e25e7479f42a971c5d669f128d7391e52d212abb4455ab8869d32e509c

SHA512
0c1cf6ace88b99ca5266ac0fb27e23999320dad800d18836f5842de9d9ddb1e8d38a26807f33f45000ec95ce56ae7523c41433d50d3c7b34c06ec7d1e93ac909

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
dfabd6b7b59d38bc45ecee63238f8df7

SHA1
f19074eb1294a73c5dae0676eb01b64ed16c3f8a

SHA256
54af4b56fd85520ff31b5ad8f8df01931baf09a2c12ce12306941936642ce10e

SHA512
6aea6ddc5597560a33b7357a527bfaaf6a1eb51d34f592ee3663abdbb5b6102775ea43ac8f6a62991dc1247911779586b3d144ba5109f3f54ee3b4d7dee7202f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
9967ebef95dd5d46aaf93d9b87fd74ab

SHA1
0b48202b6fdeef22d363f85312b2e98e48f00e7d

SHA256
ff29b36eb0df7825d31349deb3b3f828b537321c33e5eb4ad7cab8be9221a312

SHA512
f0b54fdb4c87625d80baf0fe04e6094f6a4e4c710be8d2aa2b5e6246d454036932634bff3edcf2b753703f54ff11777dbb0fb5f38efe06fa1063dd26d2972be5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c8adbca98dfd2222def2c63d11ff6be7

SHA1
5840a187643ddce0272845f2ca1aedfe2dc9b811

SHA256
25a69e47099cb4faa0f7b1a7c68f15e228f409368160f56c2adc493e110179ae

SHA512
6aa5aaa7884a13a19d2366c1edfead4aaf8db978fb04c175a2bacfc29420d37e0b96c9342e2a8651abee081f266da73077022e8a12b0d372f595334212ec0361

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
686ee86d5fe7275dce3249a5ef668f1d

SHA1
2e2eb788d1f4ab4ff5d2361691ff2633ef5cc9d2

SHA256
e8be693e8e800b0b04e120117f24db62991142c506a1f0466dfcd262774427b8

SHA512
3897d5848420b3e0fdb06c62efe76d3b86e1ffe5f2b08dbe594f6f2184dbc75e59266bd4755acc4614ecaa1243a1776fa2baf02dc9f0a76691ff4145934139c7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6acbb3bb2ab71a16e6547dbed49b54e2

SHA1
807f46abfaab0dc9d945727d59a885585438c21d

SHA256
9541e001ddfc840b721ddeaf044f9e70e0739b3ed38718a1f8623327bf056f0a

SHA512
ad2d748c6f6d9fa746c27f1a3de09c258ae119240235accc31f3a10f7664f971c720af802a1c8448a45c6236cb07cd940ab71de7f9541a7b2b5bd2af7fc771da

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
090a14f3359e12a3c8692f64d7085da0

SHA1
6f47b582e580c77ca8f42b5568e67dd5e162f177

SHA256
0a15df843adc16c7c087c47834743d600dd35ffff93c4f4072010a944234d2e0

SHA512
15261773d9f8bd943c9cd5637c44148e6f19161a4e6aa81c1a74ebb0a3b1f2ec4fd2b25b4f9668319e49d021968b62890fb09cf28dacd997ccddfba7f4e53085

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
16e2698afe5bb69da3670f7dbff24114

SHA1
5ef2b230fa4a35d524fad84c3d02afce1616637f

SHA256
163b5389583756afaa21d21cc88dea20bcd7973976bc001b51597e73f5e1ab30

SHA512
56eb791b23b884a4d6fde422b665fd2ff83d2745ada1e80fef56a387e2f3ee0664051212dd9229d8326719ff84d3a9e7f6b89f47160cadf81eb90fb8d5c0c600

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
1e9047bded5206a466845868713ccf52

SHA1
24d462185c105c775a0353c99fea476abecc8099

SHA256
75ce772c32bf6be40cdb7e12eef9cc67f0b74ac795e3c850b35987b07765f877

SHA512
58a0ae545c9930b77ac574239f4764950ad0377db8e09a86799f2b960b386791d3fc651f8e81f9d7d8a5a7540ecfbc0c9ec973bf33f96159dc56eacd553642e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
72c5fe81a12bb28f4763d0ddf76ded78

SHA1
2003265cb5ab3281a79a12333cec5a80be51ea11

SHA256
91c64bca67c5fbd152bbcb4434e960015e99b4ec07a56eca3f757db054a84ff7

SHA512
ca26a65ba13a9a111a570a6eb7289d9feca60c10055a377c930dbe667ea35ae43e96164d11b2c427ab3b468d19f78d2134494fb5edac33b6d1f01313154dbf64

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
49e5a5f625e8818ab8f5957ad1ab37b2

SHA1
70b99a4c9601bd9f09c1064c391ba10bc04b465d

SHA256
65d48e284a04ee58f108571c1153a0d31dad5daf685048567768a69ba8caaf70

SHA512
67204f55b5aaba2e8f14c54d166041d07ea742e8e78a48c57f30991adb465ff06fe9a943519dbf205b5709ac879e4b3f7cf98c72dd7f2953a2195eede08c9e81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
18c57530272e098e1db74583832bcb75

SHA1
a45e83f44347941d00cebd18438c9f4b44a210d9

SHA256
2ee04f9c9231e3564e7a2312752ee74bfdca20d1228899dd9151d4feddd45dac

SHA512
32fa1dfd4d39dc411838f28f853f36c54c4f403833a61f884d6d74d994a116f0d24acb390bf9ba202b944222c2e53b846879c2c01d7fe8053c0c94d7e574f4ff

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
139367705c709e96eddc417cdda90640

SHA1
8336626d789097da70d6867453b828d92166412b

SHA256
8ceca00151324032165f22497887c1b70d032899417ce09ef0af73e2548d75f7

SHA512
111381ec36781dcb2132a6ac413588abaefb5b53de4710b190d9f1cbe836240589341795c097a3da13f7471fd8fa9eb903db6e226bf5e2bdec76ca7909590206

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
1403770d3bd0035a8ea94fed1213c252

SHA1
b97bc84e28116cdd00fc2acb9c539d1de1869c78

SHA256
d760cff05774a091289391ff65faafa17cd8852312bc5e3650d10cfedac3cf67

SHA512
45716d7d813c37405c2cf0f83a7a58d41350a02cfab67823c27fe17620f59aa76fad4059d24f9766df0f1c1e6c2302ddff928f5d5a1b4ce45c5b83e815f25408

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
5416826e12da57c171174552dc45304e

SHA1
45570e63d4828b31367e5f8ecb8ed7a1e85288fc

SHA256
fec17fb05dac78db5faac74f6450c6858854bbac0760631f6b017b0cc7cc5f1e

SHA512
9c6ea6c40c610aca24a4cf45b66410933dece5718c6469dbefcf1ad60365d7f20f400a427018c9b48b0b208e6cd04f436da8a17e9bf3b3fbb8838e4b8b1f87f0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
eceb6abc4f4a33c1d66f6d021d567ec7

SHA1
cc4557044b523628dfc9c140ad66f0d790e0a01f

SHA256
4c10477b528c148ddb6956da9bc2dcc33cceb7a56bc66b00275091e260d7b249

SHA512
f29ce83264ee3f720231de3f50560de20052f50fb7c0e88ba9faeddd2c412283466821a7d6319a1eb87571ea88bff9a55b5ab068c0db21d7a9180b67c4e2bedc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
4KB

MD5
8852a1a28a5ebbb6f33810978be6c747

SHA1
cbe6d4059cb604cfd8e5c26cc6679eaa09930d8f

SHA256
d77209e057507c6212b47ac5729feecee667f21fac938e2735d8a94cc04ffad4

SHA512
8e3158e91e244c77a0225c035fe056a532eebf8a99110a0ec3505034e2437156cc689222df68e1acc41446ee7ad393ef9c32f077b0dc6cc534b0e3dea3e7654e

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini.XC1644

Filesize
79B

MD5
e2653c827d5d70cea467208c34d8897e

SHA1
7f99fc4856955e1398588370f0c8ced5d83e222e

SHA256
57cf60785cfa6da3aaf61dc5455d8155629b15be43208d0b70264d82468ef274

SHA512
9d28ddb0c95db2c3990dd93abdf511400d5a40cab8179208b8193e094740d329a3d34028941983c1b48504c801ad4bd2522e48a87a2a32a07492fa2bd08746c5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 939394.crdownload

Filesize
5.1MB

MD5
aee6801792d67607f228be8cec8291f9

SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066

SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

Download Submit
memory/444-327-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/444-379-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/444-71-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/1088-68-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/1088-326-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/1088-354-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/1088-378-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-376-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-389-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-325-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-417-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-375-0x0000000000B84000-0x0000000001DBA000-memory.dmp

Filesize
18.2MB

Download
memory/2288-442-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-353-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-63-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-55-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download
memory/2288-57-0x0000000000B84000-0x0000000001DBA000-memory.dmp

Filesize
18.2MB

Download
memory/2288-854-0x0000000000B84000-0x0000000001DBA000-memory.dmp

Filesize
18.2MB

Download
memory/2288-855-0x0000000000B80000-0x00000000022C9000-memory.dmp

Filesize
23.3MB

Download