1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

Analysis

max time kernel
150s
max time network
158s
platform
windows11-21h2_x64
resource
win11-20240704-en
resource tags

arch:x64arch:x86image:win11-20240704-enlocale:en-usos:windows11-21h2-x64system
submitted
08-07-2024 17:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.1MB
MD5

aee6801792d67607f228be8cec8291f9
SHA1

bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256

1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512

09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f
SSDEEP

98304:G5WW6KEdJxfpDVOMdq2668yIv1//nvkYCRThGXBJdicotUgwoAo5beyjF:y3vEbxfjf4Y8yofvktkLdurH5iyR

Score

5^/10

Malware Config

Signatures

Drops file in System32 directory 15 IoCs

Processes:

AnyDesk.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exeAnyDesk.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133649322442351436"	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings firefox.exe
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

AnyDesk.exe

pid process

3044 AnyDesk.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

AnyDesk.exechrome.exe

pid process

3328 AnyDesk.exe
3328 AnyDesk.exe
3328 AnyDesk.exe
3328 AnyDesk.exe
3328 AnyDesk.exe
3328 AnyDesk.exe
4824 chrome.exe
4824 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

Processes:

chrome.exe

pid process

4824 chrome.exe
4824 chrome.exe
4824 chrome.exe
4824 chrome.exe
4824 chrome.exe
4824 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3234977864-427365696-1522832567-1000_Classes\Local Settings	firefox.exe

pid	process
3328	AnyDesk.exe
3328	AnyDesk.exe
3328	AnyDesk.exe
3328	AnyDesk.exe
3328	AnyDesk.exe
3328	AnyDesk.exe
4824	chrome.exe
4824	chrome.exe

pid	process
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AnyDesk.exeAUDIODG.EXEfirefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	3328	AnyDesk.exe
Token: 33	4484	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4484	AUDIODG.EXE
Token: SeDebugPrivilege	2112	firefox.exe
Token: SeDebugPrivilege	2112	firefox.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe
Token: SeCreatePagefilePrivilege	4824	chrome.exe
Token: SeShutdownPrivilege	4824	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

AnyDesk.exefirefox.exechrome.exe

pid	process
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
2112	firefox.exe
2112	firefox.exe
2112	firefox.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

AnyDesk.exefirefox.exechrome.exe

pid	process
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
3044	AnyDesk.exe
2112	firefox.exe
2112	firefox.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe
4824	chrome.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

AnyDesk.exefirefox.exe

pid process

840 AnyDesk.exe
840 AnyDesk.exe
2112 firefox.exe
2112 firefox.exe
2112 firefox.exe
2112 firefox.exe

pid	process
840	AnyDesk.exe
840	AnyDesk.exe
2112	firefox.exe
2112	firefox.exe
2112	firefox.exe
2112	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnyDesk.exefirefox.exefirefox.exe

description	pid	process	target process
PID 4760 wrote to memory of 3328	4760	AnyDesk.exe	AnyDesk.exe
PID 4760 wrote to memory of 3328	4760	AnyDesk.exe	AnyDesk.exe
PID 4760 wrote to memory of 3328	4760	AnyDesk.exe	AnyDesk.exe
PID 4760 wrote to memory of 3044	4760	AnyDesk.exe	AnyDesk.exe
PID 4760 wrote to memory of 3044	4760	AnyDesk.exe	AnyDesk.exe
PID 4760 wrote to memory of 3044	4760	AnyDesk.exe	AnyDesk.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 3324 wrote to memory of 2112	3324	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 3584	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 4712	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 4712	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 4712	2112	firefox.exe	firefox.exe
PID 2112 wrote to memory of 4712	2112	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:4760
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:840
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:3044

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E0
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4484

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:720

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:560

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3324
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2112.0.526751070\317388907" -parentBuildID 20230214051806 -prefsHandle 1776 -prefMapHandle 1768 -prefsLen 22074 -prefMapSize 235121 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e88332b-eee8-48b5-9a78-e79183dabc9a} 2112 "\\.\pipe\gecko-crash-server-pipe.2112" 1868 1ada81ef158 gpu
    3⤵
    PID:3584
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2112.1.280014707\1749631948" -parentBuildID 20230214051806 -prefsHandle 2360 -prefMapHandle 2356 -prefsLen 22110 -prefMapSize 235121 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94617cb7-b773-476c-b3bc-9f6260665781} 2112 "\\.\pipe\gecko-crash-server-pipe.2112" 2388 1ad9c489658 socket
    3⤵
    - Checks processor information in registry
    PID:4712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2112.2.340007293\118018275" -childID 1 -isForBrowser -prefsHandle 2720 -prefMapHandle 2816 -prefsLen 22187 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ee2fcabc-ff4f-4fc8-baeb-6a241054fa9e} 2112 "\\.\pipe\gecko-crash-server-pipe.2112" 3152 1adacc15b58 tab
    3⤵
    PID:3680
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2112.3.1919576029\1787681104" -childID 2 -isForBrowser -prefsHandle 1260 -prefMapHandle 888 -prefsLen 27653 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {105bd597-87e3-4f66-adb1-b9f960d2548a} 2112 "\\.\pipe\gecko-crash-server-pipe.2112" 1268 1adaf71cb58 tab
    3⤵
    PID:1880
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2112.4.1180241248\2090735256" -childID 3 -isForBrowser -prefsHandle 5176 -prefMapHandle 5160 -prefsLen 27734 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a1e7037e-4fd8-4876-9e6e-a23887ea2ce8} 2112 "\\.\pipe\gecko-crash-server-pipe.2112" 5188 1adb1fe3858 tab
    3⤵
    PID:484
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2112.5.291900176\1170049775" -childID 4 -isForBrowser -prefsHandle 5324 -prefMapHandle 5328 -prefsLen 27734 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {76e9eedf-5e57-4b2b-ac32-493407bd2807} 2112 "\\.\pipe\gecko-crash-server-pipe.2112" 5208 1adaf731258 tab
    3⤵
    PID:2388
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2112.6.502178088\230744527" -childID 5 -isForBrowser -prefsHandle 5604 -prefMapHandle 5600 -prefsLen 27734 -prefMapSize 235121 -jsInitHandle 1300 -jsInitLen 246560 -a11yResourceId 64 -parentBuildID 20230214051806 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7a39e89b-0673-4ef4-856f-e633953ba360} 2112 "\\.\pipe\gecko-crash-server-pipe.2112" 5612 1adaf731558 tab
    3⤵
    PID:1460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb14e0ab58,0x7ffb14e0ab68,0x7ffb14e0ab78
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1516 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:2
  2⤵
  PID:3224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1792 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:8
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2204 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3056 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3200 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4056 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:1
  2⤵
  PID:1460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4612 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:8
  2⤵
  PID:2984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4732 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:8
  2⤵
  PID:688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4908 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:8
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4164 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:1
  2⤵
  PID:484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4940 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:1
  2⤵
  PID:3104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4476 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:8
  2⤵
  PID:1336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1.25 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1472 --field-trial-handle=1956,i,11434998930152235037,11721126895511887312,131072 /prefetch:1
  2⤵
  PID:2280

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3596

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe
"C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateBroker.exe" -Embedding
1⤵
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0fef05520b5b4f0e1b64314957dbad33

SHA1
c0448d4f5310fff41c5948590a10ce51a28b964b

SHA256
b2932e9743bfefdec8ab9f2014fce93ca58469778e08f5fdced883279384a16c

SHA512
228140d027a310ef86c2837132cb556868820460c24564cb8ab151498319804593228c86495b57c1de906b319ccfe2a81063542fbd6bf4229a1e8b13bed12f2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b106ca01c7d7ab808a97acf2b92d43af

SHA1
4b1383c8df6277402d75dd1cb642da048c02afd2

SHA256
5e5342a93dc328aba7ab9125f2607a8e3be69b350abb7655a15b1d6b8db5d45c

SHA512
4923bf1b5a9f8e4634af63e1a286901512d733ee52eaea20e11e112ec620f5e5a0fbecc68db27f43cb9c1f3cc3cc33acc9828654551019106f521145350c0fcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
16KB

MD5
a456dc0a586b83a0f47d19cfdf71e476

SHA1
a4a088e019011891d6a0d0a05a43668c62cb4fd2

SHA256
bcbd3937cb62f7ef2a6a5f3464bc2a3c05b7dd654d95a56418e9ec31cde604c1

SHA512
8bfa55b50640a87c4521544ac0d79e9b3f958ce7d188b971d461035f1a6e3cd0cc88fa7c05bc3023dedbf5492aa1f92b000caa0bdbbc677b43f8ed8ed7d50b98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
fa997d0e18fb6cf6774d9047de430847

SHA1
ba97656f142b1aaba78e96234d7d28faaa644777

SHA256
ca53057ad2df274c4b09895888211d1b90879ecef822f4387cef5c816a094e26

SHA512
1cbff518cfa6c895ce867711a1c303b8fefed51f2aa3b71a00daa632d97a777014266d2a52ee8f78d820cedf9c9817a111e00ba59715e08293fbce09769b1f54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
285KB

MD5
4e866f08dc07d7a17c90766278344430

SHA1
9107701603f6055ff676c4a2f404d278168fcec1

SHA256
579d5f444523fe48ae4604e61b457664bffdf8b9e7c48f3a81eb31e9d5f9426c

SHA512
79c49e44a008d925bf6ffeb1983511b87c848304b694e3d3c17ea9bf596902708479d2d4bd57047908482f9d689a4b26a50ca4abca4e3050cc2cb1c228c65a95

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\activity-stream.discovery_stream.json.tmp

Filesize
22KB

MD5
2b23cd8dae26129baaf2f1f7e71b06b5

SHA1
f72e187e4124bbaabaef54441c98dd6a0ae7da74

SHA256
6f2681ff7d6dd8c9fb3c0e1ca6cc6f912d5804488410773f0b1fcd018f0d5581

SHA512
49c29f84b9445f2f554d90bee0f98511217a12197cda317bcf2f5e061e219baf6c23610b1f048bd5ecf3d91032f27cf0504b0ccea94b356e6a3d60b9cac67a54

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\tmdby34e.default-release\activity-stream.discovery_stream.json.tmp

Filesize
23KB

MD5
cd00acb483329c17622d2a32eec67d56

SHA1
7690aafedde661184f2ca739301c53f95a0f98a9

SHA256
631490a37a69c48e025e0e8c14ee585f00517262b62cc22b247643d29d8491e7

SHA512
d521bde5c515e9b6ffacbc3ecf0244c4a8be9f4b35e09b30022a842414c6572ed7f8f693f4e6620c2d8f5f812e116b9b061a25d0a59684d6171ec8f8904efec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
5ccd9a86b9fbe32af6ea41f132c65860

SHA1
e1237cf0cf29dfb56e7ea7286d4c3ad345bff0e6

SHA256
7f30eec491ae30eac8cd4acb0b06fde009ce33eb9be90b1442b503f30da6b236

SHA512
1ba9ada7e902a4f6fbc7c7d38b620575f3ca87d23c96c4c9b458836b567c91837a0bee3d26ce7907ccf081c17bddbe71aa36f5a8b9c7726ed3dd339d9c50b7b2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
64b8d51a5ebde6969d8a9a9370f42109

SHA1
df4a6333a195fd74fd2ce9fc6069122c037a6464

SHA256
d42286900a9bee6fb1b5860feab4f9ae2ecf5035e6010809a789e6f8a0f539ea

SHA512
28a24211e915762b3ed10023e393cc2be86eb3c6a5a0820eaff066f8b6583e56c05c4e231e627d605486738ae05377d244ffd8022fed0c690a89fe18326cd67d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
45KB

MD5
25ff03fecfe73747435770ae765279d1

SHA1
e22f50e2dcb080ac5f0843053e142ba25e9051af

SHA256
ca39a3b796e80d22cca40c794ac33acea8a4f88481a38e1911b90142badd48a5

SHA512
b06bb5d6b7fd9e463082d440a292df43c96149ca6d0cbdb7c2980672ec7d53fb1877c59fbd65297312c997b7bcf8b7203d1f4ce1ccf85b1ec119e59d19b61770

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
8c7ae2e0198d92aae32b36004a20d8c8

SHA1
871f26469cceb8e504faa61f2259900850d19de7

SHA256
94696c1bf9bc86bcc3a05ce617a0e7377ae0b16fb67e35aaf1fc5c76117e0f24

SHA512
ba0ec8e89e675199baff0d849249f7985eb88fbcc0c678435987b6e236fd075d177f81840715142aabaebee958d73b4e315fa96a40d22e593c32e41707c79f52

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
5d4d7f63dba1d7db7e013573fa88d4ca

SHA1
72666b294f2aa44f5ac1f4f61f3d3b974e7b352b

SHA256
10721a26c2d7044bfa5546e909f265a10cc1e56d2c3cb09ec7722305bd3d5e13

SHA512
77c7c9710e4e13824c60b7e9778aab595ed3962887c325e9bd4223cd114cc7174b68b002142dd13d48f766f47ad7bae10fbd220db15dc1890c38718cbac9e0ef

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
632B

MD5
4b587877447fc3d3b30ca760955aa9a6

SHA1
b2ed044e8171cb25bb5e27e970322ecc8a60a9de

SHA256
f317d44aa4c1f589ba3baf73803a7173adab73748ad828f071afa59877fc8714

SHA512
bcd5c0718bca69d6519e7df98a5fe2791dcec8d40d580ee4bf7d47f6070b940e3fc6cd674e42c5582884f1ae1915485d7fee9b2aefd51032f281304a4784ce59

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
689B

MD5
7f04eda8d378385e5dc76bdead3d3720

SHA1
35e68ff574a28e17735b0966b64ddb89dce301e5

SHA256
cef427507f3d0aaec7dbf798d444492e0b15c4e6a950b6f018fb0465b37c7b36

SHA512
c14caba54cc4692883983b42766688becccafe3a8ddbfa77501ccb3c66d4ad7be488e430a96f1dd0ec2c6808a47094c330a928f3adbfc124a57ce867f2ea78fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
758B

MD5
cd00d9decbe3003f1122065f8fc46651

SHA1
59583021790df31a2cdfe3f4c4c323cc94899db8

SHA256
505046dcbcbed1a0074b50fbc89830e93e3dfc8b65b93197805d454ebfcaabd1

SHA512
348d2e6115c96a04fe0e7befb5aead06a78c9db9ced37d62b4b02a04a7ccc2ce3e055922e794f6af376a278530d9e872f086f8176a655c42871a2a9b1e11358a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
4f77b6b6a384a8016c7ed5abdace8a18

SHA1
0be893a7cacd86c8413ab54eed283540c4d5a17e

SHA256
0e45783004bef6c9f88a1a58c3ae1ee0b9a2845f192156a5757000f461a23149

SHA512
222e2c4f970fba562591c4f0ed8694fb5a14e6d0a2baf4822d24c102715a90fd6f94456f8d609f9cf78dc67a8f09afdbd41121ada363fb45463881d409cdc410

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d0f2aef52bbebc4b72079ef0fe30c60d

SHA1
098cb81547d0444429398f25453092d5366d610a

SHA256
681178dff3c67edea0ed8f6578c9764297ef4af585111ac04625c5daa31ca1cd

SHA512
33b8a0eb903afed7e960cd2c6921a42f3469a3340c4bc52e6d9aaa11ce9b44fd741d4ae5c40a76dcd046cbb2d702153752f027ba6ec13ff8e5a3e9be51a46080

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
80a72ac26b55d2e1996b3442db1338aa

SHA1
5686a34d5b0257842d019d5174049da37805afb7

SHA256
8c90eeef180d2b95d5d13d0ad8fbc29901d337b4b2df28dd28f7f0db3a819b8a

SHA512
5db54a8b9b48c07013093415510c753b58503f7c20bf34806b7e6c20db85aed53f69471ae75e56878790cc0e0e0b2d1b79dcfa4c59493a8f5627874a5ffd6f51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e665494044b059391043291542b05bd6

SHA1
74fbf7216aaaef1dc4cead66518bd4178946e32a

SHA256
e0cebc33ecfe8f4f1bc1f5a1ada986fdbf36fd8cfa5b7774865e229e0e91afa9

SHA512
9d4f98f9843be558740a963b696f13381481010e7ab3dd9fbc52ad1d0ab78d94b3f75909ea92b0335cb938ec76585521c3ca9f1eda60ecc53d30837aa6748f23

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
14b3d7c0cc7d711f026d5a1149c09151

SHA1
867083094ffcac050d64e5c3f3e951c6fb1d2ec2

SHA256
4e3b90ec0c0ca72fa59874cdbe7de3255bb6af4b66837391f1e890007469fb43

SHA512
4c97b04d5297997ceee0dc9a0be710518908b3481954d3c51505198c791d39f71ca8c6e9372e88b8123dc7fb144d90b06e61b4bb877311b424b52ab96953dca6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
8cd615a2455a9737928c5a7a8c295a7b

SHA1
d8fdee67f61d13f06ff399b966e4e8eb11a983ea

SHA256
092f39f41cb27575791334625e6605fb0deabacce8e8638e8d82debaf4e79b89

SHA512
d1a85afcbfc892ef418e6c7b68f74273f4f62faf1c2f6615df0adba8e036de3f54d0acdd3e4266af6d287969d48f60c4d9a0633c8c6b1a8f8c3f49aaff900f20

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
08f4eab1fe85698ff7d535183a71e4d1

SHA1
55c93373d550480c6ea48256b171914407e1c3c1

SHA256
618f13e7c88bf4a11e532de95f5b3fc393c10c9907cb0517fe958d7e90b2b126

SHA512
7886283851b4e394220f8f93f3e488c48927c2a390b1b2654d23e1aab913736df771704e13abdc4f4c269c997a4209b838975df48f34cf747f2c283fefb9a914

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4d9019825067853904c70de24e664733

SHA1
35f38ebda480ea1c70cc3f1c23dac2ca391bd3e2

SHA256
0afc9e2d58134538ad832bce8668c346dd926b49faeb54e8619f1f07f0c143a0

SHA512
bf5ea03aacfe69bd2afb39ecbd8cca876da92a0b6349311b7d4a221745ec9acb52f548bbb818a3dedd9d2aaff503276c9adb4c090129584bbd2140310708c731

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
8bed56b2fcdc3ada43aa02d1a950e4ef

SHA1
e992d9703d793abbfcf0ade821a759dfea052cad

SHA256
46f17f16ad8acea83151b154abe52ac38f34b2308a80d09f260b4f42e2cb9a72

SHA512
c5b766143ed33b60d1b494e6bcfc25daae312b56e37ca1e6c667589bfa93e39aa8c24cad139ba66c917181d53f5efb15112c638f4fc76d69a1a6f6d91ef39dc5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1339e6936d99f216344c858e87ca812c

SHA1
2a68be14818bf1e0e6d4354e54f9ef85e081e805

SHA256
d24236d781269bb0143878868f0071b9cd9c7a69900cb009e398068ab363699b

SHA512
7eaea531c5c10105dfa3dba14e51d4172ef45c46c000bec4494ac0f982127c8d9c6e0d99998c108b32d6543d7eb134733da1e76e4e9ae2c8e047735ebaf027ba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2da54d393b785436d07159f7f3fbb062

SHA1
69dc925ec1b10480126a4c14d725e33d1c574fc2

SHA256
ef859e79b31f7d4bbe6e128cf9081ab187229318f5ff81809bedfb6ffad6ac4b

SHA512
6734282e66c47830cf1b9b67d82bbf0ce76a6ab3d9b66617b6f942b9a1a61ccf19d57a8ea7cb449270eb1f5aafbf6c1b7ce9e504ca1f77198ede725e44ff8047

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs-1.js

Filesize
6KB

MD5
913e62714dc51a883c278b91b01eaf00

SHA1
e513138cf38277dcb17bb70c7b32a5fc6ac8bd7e

SHA256
b5ee10bb3693b03769f795ab95596dd009e231507103b3bcc1fa65d092a46073

SHA512
2e374e1ca333d9d866b6bafe8d94025056a9fc90bec2857a87f84f6e41c271810484e5e9674ff5ab1784ca69d26d526ccd3fd0ca84ad9167f13e329e3c677b21

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\prefs.js

Filesize
6KB

MD5
19c98fe12f3aecbf18db78d7aba62372

SHA1
fbb31518e1f204d1c4293a831a0c2513ada6f40f

SHA256
854109094b6b4e833b68970abad417bf78d9016ecc96a8ceedd9d33f8f2eb3f9

SHA512
fb0033ea61d27360caca5cb59867af7ec5e082e87d6b4a863dc383d0b5d42e3aa0d859c0d216c20128ad6371c759c119fea9ddfa0724ffb3dfca560b7023b809

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\tmdby34e.default-release\sessionstore.jsonlz4

Filesize
920B

MD5
ef28b1d722f9c7eaac3e496454a86c82

SHA1
d1ef5e19ef2e9582be44fb4502030e00bc114bc5

SHA256
5605232efcb3a3c282aadbfd31bb24016e2657501b5a8fc222f2bc4aee7d9ee1

SHA512
8f375fa619d2f65281f96260ef13d21df79b3dd4f54b06357facd878dc29063615f991ba023e25095a9a7251970b7bde274746785092807900ec154527128aff

Download Submit
memory/840-254-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/840-259-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/840-351-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/840-279-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/840-238-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3044-237-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3044-262-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3044-253-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3044-278-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3044-12-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3328-285-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3328-236-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3328-277-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3328-261-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3328-257-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3328-252-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/3328-10-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/4760-235-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/4760-255-0x0000000000694000-0x00000000018CA000-memory.dmp

Filesize
18.2MB

Download
memory/4760-0-0x0000000000694000-0x00000000018CA000-memory.dmp

Filesize
18.2MB

Download
memory/4760-9-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download
memory/4760-1-0x0000000000690000-0x0000000001DD9000-memory.dmp

Filesize
23.3MB

Download