1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
1486s
max time network
1457s
platform
windows11-21h2_x64
resource
win11-20240611-en
resource tags

arch:x64arch:x86image:win11-20240611-enlocale:en-usos:windows11-21h2-x64system
submitted
26-06-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AnyDesk.exe

pid process

4344 AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

AnyDesk.exeAnyDesk.exemsedge.exemsedge.exemsedge.exemsedge.exe

pid	process
4144	AnyDesk.exe
4144	AnyDesk.exe
4144	AnyDesk.exe
4144	AnyDesk.exe
4144	AnyDesk.exe
4144	AnyDesk.exe
3984	AnyDesk.exe
3984	AnyDesk.exe
1516	msedge.exe
1516	msedge.exe
1688	msedge.exe
1688	msedge.exe
2784	msedge.exe
2784	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

msedge.exemsedge.exe

pid process

1688 msedge.exe
1688 msedge.exe
1872 msedge.exe
1872 msedge.exe
1872 msedge.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

AnyDesk.exeAUDIODG.EXE

description pid process

Token: SeDebugPrivilege 4144 AnyDesk.exe
Token: 33 2636 AUDIODG.EXE
Token: SeIncBasePriorityPrivilege 2636 AUDIODG.EXE

pid	process
1688	msedge.exe
1688	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

description	pid	process
Token: SeDebugPrivilege	4144	AnyDesk.exe
Token: 33	2636	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2636	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 62 IoCs

Processes:

AnyDesk.exemsedge.exemsedge.exe

pid	process
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

Processes:

AnyDesk.exemsedge.exemsedge.exe

pid	process
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1688	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe
1872	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AnyDesk.exe

pid process

2660 AnyDesk.exe
2660 AnyDesk.exe

pid	process
2660	AnyDesk.exe
2660	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnyDesk.exemsedge.exe

description	pid	process	target process
PID 3984 wrote to memory of 4144	3984	AnyDesk.exe	AnyDesk.exe
PID 3984 wrote to memory of 4144	3984	AnyDesk.exe	AnyDesk.exe
PID 3984 wrote to memory of 4144	3984	AnyDesk.exe	AnyDesk.exe
PID 3984 wrote to memory of 4344	3984	AnyDesk.exe	AnyDesk.exe
PID 3984 wrote to memory of 4344	3984	AnyDesk.exe	AnyDesk.exe
PID 3984 wrote to memory of 4344	3984	AnyDesk.exe	AnyDesk.exe
PID 1688 wrote to memory of 220	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 220	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 3068	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1516	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1516	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe
PID 1688 wrote to memory of 1696	1688	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:3984
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4144
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:2660
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4344

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D0 0x00000000000004C8
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2636

C:\Windows\System32\DataExchangeHost.exe
C:\Windows\System32\DataExchangeHost.exe -Embedding
1⤵
PID:3700

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://anydesj/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5fb23cb8,0x7fff5fb23cc8,0x7fff5fb23cd8
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1976,6670168388651057532,13858030389759244725,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1976,6670168388651057532,13858030389759244725,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1976,6670168388651057532,13858030389759244725,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6670168388651057532,13858030389759244725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1976,6670168388651057532,13858030389759244725,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4748

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1208

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://anydesk/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff5fb23cb8,0x7fff5fb23cc8,0x7fff5fb23cd8
  2⤵
  PID:4548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1832,2380432434478929523,4169590518527159231,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:3840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1832,2380432434478929523,4169590518527159231,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1832,2380432434478929523,4169590518527159231,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,2380432434478929523,4169590518527159231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:2464
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,2380432434478929523,4169590518527159231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3216 /prefetch:1
  2⤵
  PID:3348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1832,2380432434478929523,4169590518527159231,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4828 /prefetch:1
  2⤵
  PID:2824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3596

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a74887034b3a720c50e557d5b1c790bf

SHA1
fb245478258648a65aa189b967590eef6fb167be

SHA256
f25b27187fad2b82ac76fae98dfdddc1c04f4e8370d112d45c1dd17a8908c250

SHA512
888c3fceb1a28a41c5449f5237ca27c7cbd057ce407f1542973478a31aa84ce9b77943130ca37551c31fa7cd737b9195b7374f886a969b39148a531530a91af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
64f055a833e60505264595e7edbf62f6

SHA1
dad32ce325006c1d094b7c07550aca28a8dac890

SHA256
7172dc46924936b8dcee2d0c39535d098c2dbf510402c5bbb269399aed4d4c99

SHA512
86644776207d0904bc3293b4fec2fa724b8b3c9c3086cd0ef2696027ab3d840a8049b6bde3464c209e57ffa83cbc3df6115500fbe36a9acb222830c1aac4dc7a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5943eb705d8a280579179cd4bfe4d9db

SHA1
e9de28379bfaff7ac806838d7dba15a0e1e05002

SHA256
0e6d5af563d86f903f175f7278f3306b5e01081a0433c728a3126b8bd2cfdb69

SHA512
16e137f691afe87e7c3e6c7091cfc110bd4d6aff022c38b099bbf3e19430fffe66622df8f0c30ee3bced8d605e584895e280cc63e02b34a1970198d953062610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
405fb30421a036c37b35542a36685eaa

SHA1
ef29ed5a3559369be39792f052729c98eb80eca6

SHA256
c0c1070caa38a2f8a25e8d1285b81efada2213284ab866775d8f58f4e4286625

SHA512
481d2df6c0084799caa899f2df04b50821681015e0c1e3c84107cc40cdf2a38cb92ae4ff07ee57526e05520aaa7dbc2fbfcb821f1a1139d255c239231560b1df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_0

Filesize
44KB

MD5
2a39d45aa8cc1bbe409083f663e255b9

SHA1
051885a88af71434e42c634bfc2a15ea7752a597

SHA256
6df1436b95b3fde2778852f8e310461dabf845d5e16690f8e1ee6fc15d5c2f17

SHA512
cb5dea8c13b2665200664a571d90ff140d09e2f3c7bba124cc9474f4432ec179a776a9de9a45a1aa587d2e72146969ef562821098cb40628d238f87f6f4bef08

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\data_1

Filesize
264KB

MD5
b6a32c2b18254e288d1164c2f5eb78b0

SHA1
203a8bf541088df3ddee2c6960782568f8e4ab7e

SHA256
2530ddccc6261bdac911d05fb72d79000ebe5379bce1ba7bad8c44dd9a6b9568

SHA512
01a8165b39b7170c34286c7d0a01da12332d46d043fa441d1ef071e67bbe8b11eb554872f9773dc082c18961d9a128ce30488865d5c9f135e7ce94f639025769

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History Provider Cache

Filesize
6B

MD5
a9851aa4c3c8af2d1bd8834201b2ba51

SHA1
fa95986f7ebfac4aab3b261d3ed0a21b142e91fc

SHA256
e708be5e34097c8b4b6ecb50ead7705843d0dc4b0779b95ef57073d80f36c191

SHA512
41a1b4d650ff55b164f3db02c8440f044c4ec31d8ddbbbf56195d4e27473c6b1379dfad3581e16429650e2364791f5c19aae723efc11986bb986ef262538b818

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\LOG

Filesize
331B

MD5
c30733f8cb516053b93ed08ec245902e

SHA1
022deb2910c694aeae00e70e0ed33bd80f777b95

SHA256
a528c49c767bd213392b1c97da3b6d7930d26fd57bcd85c46dd3351da0bd06be

SHA512
d573f4cec50e6e7e3d16f2b60f8ca707a1af72efbe71a9847384187de2c0fa49701b97ac287ac8d53cfc143db5f084936f6126bd7d6d77b8c5a9c6c80e7eb600

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1d2c1710b1c1548810ef04510b67ffa7

SHA1
bfc7af5ee3400b1415ea60603d951c15943a7e45

SHA256
0fce06f70b98faec131b211a31622a89a7ccd3b69af1bcc0bfe7a82ae15eca66

SHA512
40fbccd7a60251916bbb52116694b4de2b13b11c576e72602c59a621a45084fcc2b5e24b950787d8f00312ee70141a6e6c32f3cfcfa04bab0bbac5a68af9bee1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
af00867ab57eca9802eb4f5b4cdd4776

SHA1
a540e7ce608a5e8ba6324a30a72d7da721edffa6

SHA256
3aad301f531388439ae5b1f26b19db3eaac72a1b0d7cf01ec3f6e8dcde4c09ed

SHA512
11d4ef0024c9431c279dbc14f47c04e3c0d5eb600168667b96b67c4ca3678d654e64b6e91218461ff6b913df904a0062523774fa9c9e13bde693ce6584adf6e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bc5f4efceae5455048836b46294f1c34

SHA1
f2af5ebd8fc54cb109e1ca89b45b42aba479920d

SHA256
d7d25424130e6244f6ed24dabe3025498914a4983849ec872deee97e5298fd64

SHA512
264e76e623d81390442eb39fdc95af253813fa940593ec5ce5b36b369e405894e8eb472dd96276e15f855dbec4f55bdfc7526b1ce6a4a3c19863ded03acef59e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
cc8ad3990923fc44c16757f4ed5fc175

SHA1
eb8e58309dc9110482365a11c8b77f73161143d7

SHA256
638b07b81e0b4e493d604724ce9515a97c3fa95dc088ff6bf4554fec5acd5691

SHA512
ba030c98a6aaf55f1cbdc8d8f66e01e1095013a3d3f58e8661f373fe01cde573f5caaea0e49b4d8d9cb6277cc492e0d2e48314bca996a09e0b116a8cb226d9e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\000003.log

Filesize
137B

MD5
a62d3a19ae8455b16223d3ead5300936

SHA1
c0c3083c7f5f7a6b41f440244a8226f96b300343

SHA256
c72428d5b415719c73b6a102e60aaa6ad94bdc9273ca9950e637a91b3106514e

SHA512
f3fc16fc45c8559c34ceba61739edd3facbbf25d114fecc57f61ec31072b233245fabae042cf6276e61c76e938e0826a0a17ae95710cfb21c2da13e18edbf99f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\LOG

Filesize
319B

MD5
7ce81b99bbbb46f5fd46b1580793fe51

SHA1
01372ee89fdbbb965a045617e3b325cbe35d1dbc

SHA256
8088dc97b0366a280beab84c4ba254d91084b500613e383e32ecd3aa8e660a2c

SHA512
3344b6ffd948d69e12f313083c9428cf0a77fe0dd00c577ca85f9aebbb9f0b8c08db3d442a7a02b2719bdcaaa709aa1a8b7a578f144940a391ecd27036251613

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sessions\Tabs_13363884901327146

Filesize
717B

MD5
0feacca7f67048069d5490f5f927acf4

SHA1
2f76064999ac4636392aa7f77920e8bd0e454ce1

SHA256
30d3999bc2955d59a716f278a96090b2f9708722caf0f622b0188618c2666b0d

SHA512
19f2656e70b0d9826d5192caf937d4f4480a6b5db16749e2f772d8b5e729fb84a1b832f49abf757b92aecaa49d6ac83ce03053d9e2e52b72f9e743e048852fc9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Site Characteristics Database\LOG

Filesize
350B

MD5
f63f3c2cb76131b378db4c2e6843df6d

SHA1
ddd900db1be35970f80f90c406c832bcf1592506

SHA256
00d7b08367a8dc3a199f206b7969126379bf2f4062a193c2f1768f23001a3362

SHA512
8da9e2524814b73642f9b8a68c5cfe54281870c15ff6906689923e8f95727b5beb2538c1c7ab3eb02c3649bec7af019050f6712bbaf450d9a39c2cd5c0c0ce34

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Sync Data\LevelDB\LOG

Filesize
326B

MD5
bbf82154127e8f66b5916469fa94d2a0

SHA1
3a6c7ec2d6c80da70b99defa4df355f9ff799771

SHA256
d11c46602cb28b6ea58e302874c6d2180f4f75e22ca70e3b8b4cde42f770a67f

SHA512
2a21821b98c26c6ae4f01ccfe1272a5e64fdc1a9ee7be92171535cff1316cb18cc61bb40489da5436fb82389fa274e1e223af4d8a28c96ca937415d8a35a364e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\load_statistics.db

Filesize
44KB

MD5
2459359f6ee5564186d1b13513f93c53

SHA1
9b591cf72c52e1f3182da2f7eb24e4b17cfcfee2

SHA256
f6522fb6210522e610d3edd6fe2f70dc512458162c9ebb723a42fa9f01006574

SHA512
06472a3175b9520be4112d34218240cb5477f36e115c1672572004b9ad523c08de1aec3d2873909dc190b2f1388fcad282eebfe09344cc1e00cdaa650c8a6d9e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\LOG

Filesize
319B

MD5
f55667d84ca08c6ab64800140e39ae0b

SHA1
6e50bd2ef83d269b59f21ca9dbdfc5f89fd3cd10

SHA256
dc13b1d589f7a4505437fb316b48cca28203049083aa49ea17d4943b68af36bd

SHA512
827af0b782e397bb449bf058a7b4246d373d91bea9f885c0e0f875ed989c21d7c7c556c0b074e8471c90f23a1dd6d02e5af21d1ebe41871004cea2e420e02ead

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\LOG

Filesize
337B

MD5
14b465a07db68f2de37dcfc4ba93f5c7

SHA1
198936ff355151d4f63f2fe11314f45d592da362

SHA256
4d9326bc5011378ecfd2fe16dfa3fd87907cbdb76cde5d1104affbc9c18c4add

SHA512
3f1d56665e03028da22308050a701bb2c9c47422e9c35ce28c668f779738c70be1c20a5a7297e34f8e461041301ac1cb946cd56c56fa51ad195acf2789dde0bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Last Version

Filesize
11B

MD5
b29bcf9cd0e55f93000b4bb265a9810b

SHA1
e662b8c98bd5eced29495dbe2a8f1930e3f714b8

SHA256
f53ab2877a33ef4dbde62f23f0cbfb572924a80a3921f47fc080d680107064b4

SHA512
e15f515e4177d38d6bb83a939a0a8f901ce64dffe45e635063161497d527fbddaf2b1261195fde90b72b4c3e64ac0a0500003faceffcc749471733c9e83eb011

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
09d17cd9248add3fd9b57ba015cc6ee9

SHA1
8a32124baa39e443fff4c9225d49fc8838f9363d

SHA256
9feb3646be9cc4d6ef1c1e084003565d56da9fbc280f5e7fd874f1ceea9c4a92

SHA512
4e376aba34fdeebc542124fbd7c7134d705c4a94178563e47b6e42055f73853c763d28cccb82a8837c9dcb117d0c0afe5f038ec3a754bc4ce6c76519117ea913

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
43f7cf205e245d1be0bdff4fc56f6687

SHA1
2d743c8207a8a8f784a76fa3597af9213fd809b0

SHA256
dd008592c8e3f1cbfd3a573139920e3f251c08a84a2b15488117ca471778d74d

SHA512
26202b01325c1ad18eb43ba88ec0162c2d13eaa9ec8636da8fd5bc5a1706d077e9dbababe8d6c607bbe6829fa9b43d7f68ba895d01392c3cc2ec3547b24a78bf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
21f6b374bb4967944600f845eb97231d

SHA1
b6369b68f195967a39dd53c2e8f4335284bdf705

SHA256
ce1cd57ea90eee5801a2a8b03c5300860416ed23d6a70c4c8c33eaab25d1fd0d

SHA512
9b87c3c5f3aa5679382a6f8ace2e9a3077be8268010b7e37b0fbfe5a04dd43b91d36a70b5032686d1cd40792a02c993b15d566119e536473789511ebe1868240

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
a4666f058e347f2690a5f1547b6d1ee5

SHA1
52bf4bb952629a9751734bbc0121d1a67397eeb4

SHA256
70f0072b1164d43b993c3e3ccccef9e13c1b5e6c3883c86790c030df802859d4

SHA512
5af93896b196181e6ae6d1e591ac224b69bf5a1895c7c06809d5415b3702dcecbf04cf6e28ce32254b432475bde532d39c2ce4460c330de7796a0dbfabf84b2e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
37KB

MD5
0e265dce9d423557d3b7fd5bb5813b14

SHA1
8fa0ba453b7d3a6dbbf727b0864cb32b89017384

SHA256
6c3c1cdf594b651bcd2c9ed6779673e9d81122b4ac225c19e53012e2eb4214e7

SHA512
aa7b1ac2e65437d080efea9cbcbc71b51fecbcce3390b46f9b4bec30065da4ef609729d8d6a5451e59dffebf564c8d6ff275f1f759b80927fec11f11264b8adf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4161b2dc52f3e8200e4cb3fb4a32af19

SHA1
567d9740b8a52e88c0c56360d10b1af63595e599

SHA256
0c378c685e0e8ae18b5ea21c080b5854a12449a1f1e4712c0d53f292bf8c89e1

SHA512
79fc5c7421c2f17a5331c700a30635ecb60e4ad2fb0c35c8f229b41c2fafc0e7446d6d3ae85ea9ca385942364c68a7aaddca939dfb16e4abd170c1bc8ce870ca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bab182313ddeda30b52dfd9f174c1b36

SHA1
a89e46f644c375f6a33ffe8bf50c008d3ae468a8

SHA256
f7b9dc44f33be094d15165ad1168bb0d298ed8934a3969dc20e055d8e8f0f75c

SHA512
1bea5773fd6d006018d46c44c5aa4911e63ec86b3da478590db5d1cd163e6cb9f705bd9b02c05c4a45d2a69374f429ec1272db78993e2ca833a90c31dd82c521

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
3c43cb4a9effea2d9afea6dff322edb4

SHA1
2fd0c860514f68aa0d028b601a183cc8ffee6de8

SHA256
0d13756d0d77a2abdacd0f4e3ee6670aab3b2bdc5af0152bce190cb2dc1b33ba

SHA512
24e0837a3922a6c68efac1f5969256db4fcce980193a4b06db31d2ec01a90e87c8c0dca94f6523a9903e48253b83927bb0b2426215f64e0ade9b0eebdfbc540e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
700B

MD5
546a5320c9b172e094a74b8ffac3fb2a

SHA1
3052de981e751d4e3512e5e6c12856a5d5d6fd02

SHA256
0e1e637e909f902fe23e09be0820554b2f20798a90cbea15f8b5a10473581c87

SHA512
911e4dab5038f0df522da087b1e131ac8f6986077ce7b0da60b2df142b327f0aa36c39b7e77df0e4f8366305628fc6df5691f89befb32ca17e2aedd0d12da05e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
757B

MD5
1b7c423769130db6dd7e90a298d9d65b

SHA1
16938a50589dafa078094e91860f2ed84b3c553c

SHA256
5e150eff841cd6b7dfe6b1f42fc85faf8551922f5036a9bd885e025698b868dc

SHA512
af5c8a6004f4c43601b06dab8d25abd2f13ead7f5aa6f2dab65c5d08252baf7bd80a2fb6a3424708d102b8256f9e2fbae97ac8a12e4479f0576018462f71dced

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
ebdd5973de0a0923ccda623ea157fefe

SHA1
c45f7324451a9db2619b5620732d3ed248ff0b3a

SHA256
62fe1b718f39ca54734ca64cbc2452fd1a6c3aafc152961689bc3bcf6a72def8

SHA512
3db150d67d3f95160f86acaec6c6b6177e44c7874f81488a75329bc84212343fc3c72b32843fd2d6f2e73c101e4ce29dd1eb542b3c06fadc70ea98b1d839e0fe

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
bbd5528fc5ba2e450c3df6984c9f7869

SHA1
6097c323c92599db38d88f24249ef33331625ea4

SHA256
e25230a572ffdc335e8cb5b3c2c633b4ea8bc085447877b7ec07e72722e85316

SHA512
5cea27bb61cec6e64e5f43deed0ae762f44f6e2611aecfc03ca2dac01caa07e3ae053e1c8b26e6cacbc76c22d9f9bd375f9d4b7f9cea7e982159da875b01c33e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
bd406fc31d6e996d3e5e6827a569d30c

SHA1
d369bf34cf69f8edc884bb7f3f1fd920abf799e5

SHA256
9ef37256698930869b98e77ddf8bc322e6fecf403c449199a5b1a2c7d341a42b

SHA512
9e487160e7d413defd56acca892b7ea7a02fc87ddf2ca320ddb04d6efc8a6ac110e3f2d1de887caf9db02c0e740ca7057ee06b95cab2dedf649b01f4aa4d3138

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
98d6c6e5312dfc57c1b457db5eee1996

SHA1
c23faff48e419c412d782b2c2e98fb2a66497195

SHA256
1e36200fe9d48bab40ce3d9e62e721b18c4cb2e45380c8f106cc0a0a21475d9e

SHA512
16f2aa03182944ca8343c0d7f619eb5a54cf97879c1a929602d816c2b1ae99d3dc90a1859d2f92ee62f0917ece8cf056c93d4729df0162ea0e75304ee1211bfc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
23b82387d6f55cd39ae0e40ae4742075

SHA1
ec033c134ef8d92445c4212f01dd8a9e41c33f0d

SHA256
792c3df3c9b9730b716908dbef6d253e7fcafbd21253af3b57f4046a84bb7267

SHA512
362c78921236b0af2984a6ff77b7dfa6305ff933d4c24ac1d9751f9d3fd3e732f94c7f905508818305436521d70a18e3023b575eb3f9b7c1ed8cb139966e6269

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6ea29dac5048eaf40b346c78fa71a944

SHA1
cfcd0d6e2335f22535ada8073b28ab1b9bd57333

SHA256
a08a695ab1be8c47abb95aae08c3a550a65887b2c3d89eb14af342dfe0e93a63

SHA512
5e0297e930c7f2d5aeb268c0517011dbfcb28e233b08ab6e437b4bc5d44280e6190d7c4640a37b4ef05274ca26f565bca86176a1ef81a38dbc684b1a314d860b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
9e97e4a7304adbb4ff4acad869c32717

SHA1
64496ec7369c57714ed081aa889be68c2c88509b

SHA256
9ad425c55a3d26eae5a247cad4c18439b3766948a1102900a6afe3625cad1f8e

SHA512
d6dfa5d7e65fed6b61c1905d8c6a040dddd45b15a6c287f149cbe49f0ec184d5fd75a6f788a007c64f5488922a2258cfb3ce1bd3ac4c5b1bc2249574e1589ec1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a329f4245b031545decd946a21d68c8c

SHA1
b3f34d973c1a720e05740de406e7725b714ca996

SHA256
35a152518e017fa69b3329d4d331d829bddc77721f3d4fe71324424672c8717b

SHA512
69fb5ec1ea7f368f51362c5d6dd63b2de575bd02b60d61e0c69ce711bc684e5ec4c8c1cb0a2753ebe40a5239192bbe96f0c1640ea836f21804a855e59e1576bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4b6c4fe7a9d666ae325e1b9aca4e0c0e

SHA1
ceb60f834cd1851f1637057fd75b1aef18b35e33

SHA256
9d1182250ea4d3d576733b2da7972f30723cec363a215cd1b2f824dc59556368

SHA512
e0260340d1f07d01858084568e3828c890f199e0233ed607ed6cd6016ea18ce600783db10c353816e04815a3616be75a45fde2834279d455b8d047f5f781f461

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
d6aebae225070176bfd626a312a49b10

SHA1
fb72eeaa83d0de65d9242d1467d87c59fc986d51

SHA256
14ab08f1bdc1c9c8fb93beb9221347d6fd3c2451cf07a9a7f2fb8febef50a919

SHA512
b023cedb65c503ef71227df2efd84cc540fd5bc88b428b27a2298e3c0bf69cf05ab9dda9633a12e6dea8f8b83983d152d142ba2e99c122c552914f23ea474fda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
2a85b757555400e9198c296102855e24

SHA1
00efd754c95a35de59de8c54e06dfc0e089971bf

SHA256
030c7aad0146d27d77b4f22a9dd3137eeee0c882c3cceda1db8360fc9647abd4

SHA512
752d261295532f8c9bd70cca3c4d65eaaa1080448a15139faf811fc90d8b1a15e1e480fc8c5a8d6a56dac310365518e4451629c15f6099b3e5e3c5521afa8583

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
43bf11a8f49d0b4c105fd22c3ca4cddf

SHA1
30a49851a209b89f3552d649a339b60ffdc1e1f3

SHA256
347bdd509bdbc9aa9ab1d60ee26ec25167ed83c8bbfc12352962394634f83303

SHA512
ffe4654df2ad7f79948da198aeb94a48a8a8201675da5d1ba854561de00771ca42608cd14fa191a131b3ff7fb8c123189a24ed7a118601e0697a14e6cfbcd65c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
45925a5595aed88e69daa809a5557dd7

SHA1
b6d16c288d0b972c6468069a22f37f952acd6b3d

SHA256
7e10f0a0137c32338d8bf57fff8041b8bc164730a4e04c581974372cdea502eb

SHA512
1bf0184ae758d9e9652a59e99c343f6bd3d8a351fc89ae301571587540562df6c1e4b0e644fd3692fbaf849153e351e244c75af51017215427326d3279a2768d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4fa61c2a330e7589edc6c57a5eb2cdeb

SHA1
8e86018a01eaf5ebe6448cea7f467f38edd9f609

SHA256
95534ab5bb73f9b75383165c86fe18b2a8a9a39ff079cfb825416e04e13252ff

SHA512
7ff0810a62f9a59f4d616c63fef9770263cb8ef6619a80b68bc2ef95445ab4acd0e3a7c313a1c4d5598fd691b51c774ab3c66dfdef65e3dac92a177dcc5863ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
6c323206f1e2dc364800d8ce334fdd7a

SHA1
cb06a7f25fcb19cb8a98e89dd528be2bb19b2e64

SHA256
f4a4ca2e669ca37a66832bf0d179f73013f217936a691ddbd3b647799bff2e5c

SHA512
bd21cc6e06ae28712dfd0eebe47aa422a1e59dc9ecaccfc3aa8c94ca12d2131d549b4e3a6c4f56c41aa3684c8e545c5681167de2b3fe5a9c47e617a3d8b2d9e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
3fa4cbec801cc6a2e2a93f5b4ea16939

SHA1
0eedc57623d2eac6c1f1f5fdc5d67ebc4d5b03cd

SHA256
25fe651f3db2e32eaa70a6b3fcd558ee09c11f2b5ad93e9b781550da676ed2c9

SHA512
ef46340b9344c0f6e4c1a47f567cd34f4cccfd39c217a0436c35d13082bade4273e8a49b07aa1740b2c39815943750b3798ca76c13fde345d6bef8e089d945b1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5739ced30ae208e6b8f4f4fe26b1a369

SHA1
0292f6dd8749f6876dd257cb0336b34bfde6f196

SHA256
b703e2d09c1980950d4614e7109f4cd48fddd25097783c506a0921da55249ab1

SHA512
bd3b4d8c3c20ee42fc790e672ced6031c251b57a4b3340dd4bf9a4a8161af906d03618f18dfb1813f1e47463a57d9d8a6f8d93766126277c5302df93328083d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
5ee38dad96147835ff497647fc5f3d41

SHA1
b84caee08f16e25cb748c56ec1f675ae87346137

SHA256
e6c30c8a283a2020a47fb82009e0e5f7e91b6ac950c41f5847c414f9fbb835c0

SHA512
ace550327b5c8b8a1233b44f26d1a3d330cc0ea9dec5144dc786b2a7495d13bb8d32513621841a2fc19cb20a448ae226f8fc4c21c03543481dc3d21bdd56d6f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
d732c75332073056dc6ff97f4e773980

SHA1
6caf69de3faf854c7039fd74d9dc55b8853c209a

SHA256
e26327d6506648c98eee46f95e91eee72e3a25a5ebe112566b20711057383a8c

SHA512
9b930a7abcb49e566f311d1a67bb3e8e7276f03e47bd99441f34f13538634f930962cb9a89de06c75471a606205dfdb37d1b360f5f0c9d9d64bc374dccef372f

Download Submit
memory/2660-232-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/2660-218-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/2660-274-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/3984-1-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/3984-335-0x0000000000BC4000-0x0000000001DFA000-memory.dmp

Filesize
18.2MB

Download
memory/3984-221-0x0000000000BC4000-0x0000000001DFA000-memory.dmp

Filesize
18.2MB

Download
memory/3984-2-0x0000000000BC4000-0x0000000001DFA000-memory.dmp

Filesize
18.2MB

Download
memory/3984-9-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/3984-212-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/3984-334-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-336-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-213-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-275-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-287-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-230-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-11-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-343-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4144-282-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4344-214-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4344-276-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4344-345-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4344-231-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download
memory/4344-12-0x0000000000BC0000-0x0000000002309000-memory.dmp

Filesize
23.3MB

Download