ce27061cd0f707eed21d820be9d086fe0b313e6d93f735d4600126e3fb73dcf7

Resubmissions

08/09/2024, 09:49

240908-ltpd4aygpj 6

07/09/2024, 21:53

07/09/2024, 21:50

07/09/2024, 21:47

07/09/2024, 21:46

07/09/2024, 21:44

07/09/2024, 21:41

Analysis

max time kernel
149s
max time network
150s
platform
windows10-1703_x64
resource
win10-20240404-en
resource tags

arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
submitted
07/09/2024, 21:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

DDoS-Ripper Pro/DRipper.py
Size

47KB
MD5

836fb4703be19909e41c9b5f8db4b357
SHA1

b99ef3621d34d01597c4ebeda84a08584f630068
SHA256

2f8ffe7521b02a75326cbd70a1783294809fb0c6e3f6a02af72bdc86bf1d7b36
SHA512

b941cfa9519f9b021bffc67499ce9552015c72dcf2511b6d5500dc495e63e028fc3de9990ef17e842e0705f338d1520ab76ddac3c674641800b6a7eafaba0bec
SSDEEP

768:0H91otr8AvZxM6DoFUD6iNUTRUvbV8M3s30MoT3ECBY5jZIJZGmwKS:0HDO/6UD6iNYRQJ8Mc30plY5mJwmc

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 3 IoCs

pid	Process
3344	AnyDesk.exe
2556	AnyDesk.exe
3300	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
3300	AnyDesk.exe
2556	AnyDesk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133702189214210202"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2556	AnyDesk.exe
2556	AnyDesk.exe
4216	chrome.exe
4216	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe
Token: SeShutdownPrivilege	2964	chrome.exe
Token: SeCreatePagefilePrivilege	2964	chrome.exe

Suspicious use of FindShellTrayWindow 62 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
3300	AnyDesk.exe
3300	AnyDesk.exe
3300	AnyDesk.exe

Suspicious use of SendNotifyMessage 27 IoCs

pid	Process
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
2964	chrome.exe
3300	AnyDesk.exe
3300	AnyDesk.exe
3300	AnyDesk.exe

Suspicious use of SetWindowsHookEx 17 IoCs

pid	Process
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe
1916	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1916 wrote to memory of 3444	1916	OpenWith.exe	76
PID 1916 wrote to memory of 3444	1916	OpenWith.exe	76
PID 2964 wrote to memory of 2316	2964	chrome.exe	79
PID 2964 wrote to memory of 2316	2964	chrome.exe	79
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 4540	2964	chrome.exe	81
PID 2964 wrote to memory of 3740	2964	chrome.exe	82
PID 2964 wrote to memory of 3740	2964	chrome.exe	82
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83
PID 2964 wrote to memory of 4848	2964	chrome.exe	83

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\DDoS-Ripper Pro\DRipper.py"
1⤵
- Modifies registry class
PID:2824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1916
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\DDoS-Ripper Pro\DRipper.py
  2⤵
  PID:3444

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa5f7d9758,0x7ffa5f7d9768,0x7ffa5f7d9778
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1628 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:2
  2⤵
  PID:4540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1820 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2100 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:4848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2900 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4436 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4848 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:4432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4836 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4648 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2904 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3240 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4840 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=4648 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:3644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5280 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=3172 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5300 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:1416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5532 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:4608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:4028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5904 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:2900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6124 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:3652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5672 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5896 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:8
  2⤵
  PID:2928
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  PID:3344
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2556
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3240 --field-trial-handle=1868,i,6900326314826649698,8761904122347102850,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4216

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4200

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2e8
1⤵
PID:1532

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
212KB

MD5
08ec57068db9971e917b9046f90d0e49

SHA1
28b80d73a861f88735d89e301fa98f2ae502e94b

SHA256
7a68efe41e5d8408eed6e9d91a7b7b965a3062e4e28eeffeefb8cdba6391f4d1

SHA512
b154142173145122bc49ddd7f9530149100f6f3c5fd2f2e7503b13f7b160147b8b876344f6faae5e8616208c51311633df4c578802ac5d34c005bb154e9057cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000042

Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
dc769eda14b4364ec3738a33bd1cd28a

SHA1
f5a3b8893b2fc24cd5d020831e270ab3b3c28bed

SHA256
cbead5906f0376942c1c090f15eb80722f5c39f8a64e3f2015c35f3d0c529839

SHA512
27e9c4938bbebd920adbecd01505b1a478c99847ec19d4c3248bcdd4e93a9f8a60930028dcc566978a868fa7a2fcbe2313fce8e82ec1f66c6d3c2c327a333f70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
4686b9af5ffecd35d28158e45f0202fd

SHA1
ca5e3543bdf305c447e54a5ce1685d3e7785e1e1

SHA256
70779894e2583d6be4868170f5961a0385232b23169be5f07078c83e1d6332ba

SHA512
29199d07971ea5431a45f40e2034f77282b94b62e6b8aa1ade0108346c61baf6239703f0045cd51d83e3b56957aa38386452b02ad49c2e6e672980b61318ea08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1018B

MD5
b6c1c8523bf516fd76350282d36ceb99

SHA1
8131e9091e9736422a73a1ba7fd1c5882dbd9f62

SHA256
0dd6bd81a36ad5bfa88158273d684964d538a08176822158075d0313d117ff42

SHA512
282be1b0da114e04f719a12fb2e8ec652f447f7d313cd5d71cd6032c20416e527d6abaa1fc4c6b1958eeca2bcaccf2a521d1ea048ba44580f5965f7b39d306a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2a40ec482498e67806f4a95be0e5d3be

SHA1
510266761d7f240e258585fd3c80fd76502f6bf1

SHA256
c37fbe2bd2986a9cae50323ea0c81daa287083239294040f0d7ea94fb7d0f608

SHA512
c840704ed53104032560aff71b2d07a80356cc2b90c99065d0a532a59fda6f3495bc58fef8900473451607126e2056848f3ab585ab87e6f0b0cefbfcd145883f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
d902b03340a6ebf2349456c77c296112

SHA1
d2f68dfc55bb62167fab8a4a6f35606dfc8a8f25

SHA256
5ca4d4600b8747bb7875a17b9f0860cefaa71a88dd88c4788a828ddf55769bb4

SHA512
0cdb093b13df07b683a18b51ff7e65e6e27748b2b5c15a911ab90432649d2fa3a81aeb97ace03e6c4245598053597dae6cbe1193074dd7b3f0851cc8bf1cb3bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
8ad4e9d363005c8e23ce5868d3edff2a

SHA1
ed080472b8c1a159fda2c4a41709445df4a0deaa

SHA256
425c09eca542bb6b4ae568bed02957d055f9c0aeccf1985b4c8cc4447256c30d

SHA512
4a62f60b1dcf4aa55c97c4d3f03e2c3d4a563d01896cdbba5db66b669b8a102d92dfeb8fa85c9b78595eb6d81e4f1a452dd634ec212974f2a975bd4a1ff552b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
81e8292c078e34fd591c586e773493dd

SHA1
f81be35679de88d3f90b04dc5d5a87e1abcd526c

SHA256
fec345ab0e2b54305e8f0369234e9ac36f4a14af4724424bd478d02a7be2fd99

SHA512
6c686be94bf6b08b4b8dd086e85bc4d4fab37c688cfd6b04a28537fb2b44768bc39bd7071b8e92ff4c20802ac4fb92876f29d4b4c079e56ef7d5126c5f2555d0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
d38fd56a74af8b3c057e9779546532aa

SHA1
d6333c6a551909304a9595690a5e147ce4b302fa

SHA256
9b4083ae519cfc6d2b807ce61a68ec5ca91a8fa0f79ec64d4994f8bfb06505fd

SHA512
60fd600911930bc1138f1212a713be3a58bbcc9a4ca7c67b27e83c59ddbba0c51ddd4be72b86c06e78f78ebe0226148ada15794a1329d16bc98f2831a0f45b3a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
ca4dd502401b9b67861fde04af6e1153

SHA1
1a3784cc0da70a46bb444cfa6d1664c5098f26af

SHA256
203370f9b6fe980649b6a26694cedd89b85c61ea0e7ffc9fe1d190dc7670cbba

SHA512
7502ff8a0b79ef7751d5326fc7f2b94c090f88d54b92747e50f0017946b2e1ffb21a944dc820532578862c8343e3d27dda9c1606fa7061e48a9627c82fb812a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
b514cd77f2a53f501cb886d95a7d9088

SHA1
bed864322d90978c0d758413ccc4f298ac28dcac

SHA256
efcb7e243efbae1f831268c386af50ff136a5135dea6bfed51eeb133bc5268ed

SHA512
edcdb56d5a6e6c0a3e373d63c3cfcb5531e760aaf53e69a8e77906b78ca6496867c8068c8345074bed9d42ed1f9c7d4bd6b2d606140ada22508920da523365f5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9e02246ce010a32e070b8e54a180757a

SHA1
3c21bae810c17e71582802a7a6c3f6e416652baa

SHA256
49c4a4dbc9ed95a885404c18647981a1b7f35106b1ae066ccf25771422e276e3

SHA512
dae39f974a5556410d46522c8173f4cb86e2e02b2467dd21d0e37265903fd7147a342ef9221abb90f7b58c8799637a1f3ae37a88ab30cec9d4fa248f23bc2692

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
4bc8f110f24a2b2bb4196473e77551e5

SHA1
54264077c412ed2fb23bf6162d6f937096ebef19

SHA256
6a7616e1612a0546c230f898ef4d1e561c079651a40eb5c0823a535da864326b

SHA512
e9c4584d411feef172c435ffa0ebb1848b76bb967898d1f2df5a24c91343620491e4ad25285aaed8d9c148b274ac5b0aa9dc786b478155d641c64d7a00a20c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6e2594f31c74d815abb457c4803acdf7

SHA1
092803dacdeb85bb65a00273529a68e448aef954

SHA256
b8d5a68bd5831947d46b1673b931311c4c21415e09426d973db19ed611f97499

SHA512
7f6104790e0da3040de1b1f91af1737aeeec0424141ae5a9b8114bc42366902fe84e60d14ba9754b1d5bea2ed9ddabf268e65cf7b855faa484d1672b9a5e8ae4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
12KB

MD5
b70807474080d2f088d15f4a8d4a896a

SHA1
a3d147d694ee8de803ffcdf71989a83c186a5e71

SHA256
2b621c4e02382f8f30107504c59d1c759da575d46907eefa12a7e1bebe097e8b

SHA512
a20f3168a74f19373455fe44942d7f06b3fb3e71c546537b98cf0798e9788a3a8924de12f2544557810145ce68f05e80f4029a03294e7697f8075225ce74eab8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
105B

MD5
a886661e0877ab23502159186992468c

SHA1
b1eb69e10268a4758eaf9aba6915dc527eef8ada

SHA256
df2094d476b102091fd115f9c4e3d65aa9a5dffe5cd0c1637f24e142f8941565

SHA512
efa7db64a29d916511ef9ccaf58ac13d0224be5bacae8b9e0f6a7772622297d184869f202a433e176b1524d263da730ee305ba2a485ef39dca9807a5abee0238

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt~RFe591ae1.TMP

Filesize
112B

MD5
691b42c962289410450af9577d3ef5ca

SHA1
6c9e2657bfe1c8c6dfa24879535632ef743395ff

SHA256
bd6565dc66226fc1539fa70423d0a7ca624acc034b4ae9aca46cd53db932aa94

SHA512
49009e4e16840a3bbc7997bd92b78a241f38d7d52c54f5d71beaf8dc28eb176a526e7405175625adf48745a4dac68875d8033e6252f074d51a00929e2b7620f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
303KB

MD5
261ffee95883e9f09dc735bd79b4ec32

SHA1
9fd1c3e56120632e0572fa2d1d52cd1cc273ac30

SHA256
1175a2a50e1c0252a869efca0cd89919fa75773dec1023d4becded5d4b63edf6

SHA512
4982929aa563169e3bb3e77743ee64736e99e7d7b8895ff4121c4896490c21e0b32ba2e1d6b361d05054c581a393dd9477bac8b957a43c548f38870aa5cf6644

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
23a656cda9ac29ec138f9910f438b5bb

SHA1
22d7cae21e99770b10406ee24886c907a512de95

SHA256
87fe1b8fb10d1e24d7fbf82674cde2f9f6a30b41691ddcc9508fb2b6b877e207

SHA512
b9da7757f733b35965116e8e54718827efb7fd86f8091242317d04e10c2e3e750c793ea3c8bac09f6b2ed68d04b702a2ff12305b90f9289bf90cfefa9fe2b240

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
2ddbe0e11f1a866df0d9e33d9de91194

SHA1
3275635b19acf2c8ce5c5970ab79a2c8d7570558

SHA256
1afd0f4e93afc290fb568ae62ab5ee4c79c5c8722ec798d896cb0ae4271cfce6

SHA512
bf2698da2234dd02227949c95825568600252d91b94bc1d5f96a8d6d1e9cb295e459400f57acc2f1063c633f9a094c038fe12400407b52dbd4d38caa4ba8bd84

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58e73e.TMP

Filesize
92KB

MD5
04e58240924db337e0e790bb71595ac7

SHA1
1cd1a9ee42a34b5b21d7012a98780abcb46fc205

SHA256
4b038be3e19c093e7e90615eb043eea821b42f109d924f3a335c422f347aeb2f

SHA512
f9f0ee03b02126bc7558548f9b9899d9639ee21e1c69e71acd25068baf3dafde0d55143caa1331e222cf12f91443c3d3921e63a1ddcff2aeb1f4b7a5720b5867

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
d1aafa22be03c36b308305ffc0e19a4f

SHA1
a1f047ea90cc081f8f3cda7ab4dbf13666a6b752

SHA256
7b17ba50be274bc46ea03ba3fcced841166cb6c6bfa454df266dfda45f3e162d

SHA512
aef15df1161d2ada5de685a415987b2fa47f2e155c4aa1f0d2fef52d1cf38940f1c1710fa4baee37ac4960333e35a1d593e2483ed3020c7fbdc6a0de1ebc544f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
ce365e553d533b1a6972fa6f9ed0cf03

SHA1
78fe775366761e80ecdc1de8baec3de5fa3f95ad

SHA256
f7a29406986219cb7bad3db8d4e3ed12ae372a8ee6f300236899910640579464

SHA512
4c8c822d52197b68d2b25e478eb954e02a404b9ea47f6abc31b161d0d47ea0a906ea2bf16950db012ae7627d153f076324a823431b4c21089a627be3059744a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4f4b845457e9046dc0597906c111058f

SHA1
e328cf44f4d83b2651df818b444c1c63f9e73c82

SHA256
dc53b5d736d9bd75f944a52c03f515a0351f9a71965073385ff59e31bccfd9b4

SHA512
5f8864346649f14983466599bfa374212b962f2bc8dc2218d96923edd9cf75fbdce31c1d6f5c8d6cdce5e4957b6060e80e4d2a8e290859419201823fa5fc9898

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
8a161d0d418edb884c602c7ec9b89dfe

SHA1
a56e6cc8176a566e12512727ad91dffe985ec24c

SHA256
b2f1082730114d37d9e3c32a7eeaee4ea13073dae11c8eb8a09a1263c99039b2

SHA512
3cfde4f1d1a52c318782034d194628a4739e0599510b8c73f76636a8de358a353656129bd179928c924a8b451d9291f723ddfba11136f081d3302a92e0af25e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
86a29f56e7a85d3c2ce185a92a110cf3

SHA1
329779f44248058a7edcfc9102c7fef9ea14b985

SHA256
d571db30dc40b844fc71c6c1576e8532a154ea9287b545fcef345f3eb6950f81

SHA512
a9aff43e48aff8be9b8d55afe147b9e982f68329c13ea7efbea5947b362660a5a4322e74767f76139bf83a44d5725db6ea93504305df08ace4a1a1ea78a8909f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
744B

MD5
091e1cabd0c3362b29a1578c4b0720f0

SHA1
c7bf04792e3bc4ff01332abfae741fecf1eda635

SHA256
de1537ea679fb69b11fbf30bcc5f4f3e4557b41df455e777b2d469287d096d2f

SHA512
2aee9b03d3a409db4e9b13a0c8b5f7cc26a049fc509b8f3be7dd5eb884fcd2cb51c441e75b2066571cda516df9d3b46d8890158bd5635eb964d70c8c7eaa96d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
765B

MD5
0b3719b6ca5fb54a95bbf74df1c4c01a

SHA1
ab12afa54425c7986998d0a2332f2a1669a5068c

SHA256
43c998bce6bdbfb850b79434d1662b9f6dfae2c121fdefc4659808d85cf154f4

SHA512
b45a1f389b644a0f6691327c5856d06190e933d7db1085bb7afa90290f08d22b549496f1007c2afbd877743c1823777368853e0451a345b5568b5fd20ddf8d3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
822B

MD5
c5c34245c0b224c374b62b39976abca0

SHA1
b734932fcf1a3f511439d5dc8f93eb96cb0e8e5a

SHA256
4fab59b81c7c6948c89260f94e643b7c5608fd6902ef11ed7bb3356e049d3318

SHA512
8a8871fa2293a8e6e5d47322879b5f1421792ef2c83b3faa3c08fe4a7c555f1d478dcfb0d02c12a20b1469aa65e59aa6b6049a05c51f89d12b69a5f9a1c910f3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
8a403dd8e50d54aedb6e86adf5134b08

SHA1
b4fe2ff5afc88eb8bda852003d30b6c88c0f1681

SHA256
7202aeeb032f5e7af8f21ba9241429996585179b7a86f80510496e3493c994d1

SHA512
faeb5050a312efb2c43361794da71fc8fa7ef0db3f8127588532ed8a7f2c3c89d46c400d19237a5e441ce721ef943c82715a8539305513c89d677bb1eb532975

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
89333aa8783a76289ad7b0a30d92c4d2

SHA1
4beafda4eda1889d7d82d2ed7ee3db2ae0463ef6

SHA256
488af260b02d32b5c168f741422702ce5db27998049084c6de8dd115067341f0

SHA512
8ae3a3ebb60048d9bd530a44d0e89b1c96875c2bba8d347ca5136bf3fb86071177552fab4023653d387577e46057adcb617b7e2a04304380e8ae570242084718

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3604d9ce4c31f609e44cebe7c16f6d2e

SHA1
74e5ace809669b22842f4d50d2f55332ecab48ad

SHA256
416474cef90d0cff74198d05fd9fdc250b7efaa50d0444eb31c7380aad743572

SHA512
9e5ae3d8fb2f4e5e475d67869cfbc6d79a9192e6aa4869f0de09a8566f1420cd44d728104c7310847922f22dda11d79f71d73af66d8178a1432bb6acc4560b94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
edf18cd1cdf1aaf11eb9123596691aaa

SHA1
abc85901135645eb3c2f00a8372c84ef480575b9

SHA256
69edcaeadb7bf8774206a191400d5372d73948b134cda4fd9544b2f0ec791bf2

SHA512
036cbc0be42ce9c80ff8a9afe7511f072d901aa25ae84a030ecc83268bbe70637d38417b420befef86e72cc8e6c62f9165078082cbd6d038ce4f0fe032083b15

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
764e98d0c0bf953b036291a69c273391

SHA1
c031e3632807637d3b646bef86074049cd375c18

SHA256
0207056328ac47f45f5c07902118fcd8aac83b07ca2d0c9feb5b58ba7303c336

SHA512
849cd6c99cf7331a2d5cc1ded735734c0bb411051be0d924a764c57f8f661cf9e939226669c0ae6f131e865027811bf78f8cab67ff8c3b7d8f579ebc87ce7778

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
62a520b064e5abbc7ae104fd189002f0

SHA1
bd035708ebd84ce1746ee70f885da402b5b479bc

SHA256
1e7e8d85df1842de0337d7fac8469c5ed6732f9bd186566e21bedafe36b4e61b

SHA512
eba2bad01d10fe0c4a298f2ad66edc32a5d9c4a0ff4414a034303b25adc582bcb459831ac381325140d37eba72052d16071a8680e5b9cfea0f4d8a6557fd226b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
fb87d59e1ddff64795e3be24bbb08c65

SHA1
a112ca93fb06cc11a0d7b993733a8ace5daf4d0b

SHA256
c9eacec074aaabc8b2dea2a55e3894d2098f6c09730a9562b2f243723709ff40

SHA512
535d156007f65d00ed8b4bbf4ec06b37c1395fa1862ce1c07eac91328da4d4c7107148307b224fee47b179f07149512e85e762364bda175bc54295d65f3f88cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
b233ccb49555b70db8c591f8746e458a

SHA1
1048f380ab85ff6e192495e66b18a50f5af84f51

SHA256
dd1de1ae742612374853f60209d4fbec4fdd10813f837744241bdbf34c93ca00

SHA512
0417c949548403f39db25a6e63a1dfebb39b2035eab5317b7bee603dd17472bb0f50a96c4eb7c06f9720866d56c4662dbcb39a0757c4230ef3fdc22fc5f2e668

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
c6a7cc7df830d7d088db1118a5551b98

SHA1
21fd04bd2775447e4eb575f6e9fb50b58cc2db56

SHA256
aa5333e50591541a2b49a03c2eadde23b0e7eb78f36554a9db1451d6221c12ba

SHA512
bdc42a642b72a9fd44cc912796ec30779b95215cdab37f9ef5bc0e1fc7144f79462cf9426af7c03114f5ce9a3cd73a1af132fd5f9f44a2e8fa98cc41002fb7e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
fd2ad8a086a789c56b33c481a3d6100c

SHA1
5894b95da530ba96c1e8ffcce8afc9aabd46df5c

SHA256
c116381bca845d05a21eeac510b22e6515e34ed1f058ee721edde27be48c289e

SHA512
8788c9073b7607305718a32a21ea9810aa9269606945eeb8c8bb38a2e00c9cc78e1427630d5edbe825ef55680e5f16ed71a8d1af3d6792f547db454677e0c99b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
aa591260aa3c9f54555fc1c00789b8ed

SHA1
5604610ac1b7a18df2c23e29a54c043c61c1f74a

SHA256
8f34b4cb167de2b8e7b705d60e12d196cb88d0b14e7551c1a496d67d79c68019

SHA512
bfb67e03db11e13612b323c5835ac3afaf8748fa30b322ae422ab0270fe83ebaba731889cd62cd2a7bd0d8ee1dad6f9b32169883d7d302c4176826ce0a933367

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f5ff8f7d16d3f0cb34c3ccb68b32d3e1

SHA1
2de7dcfd59ccfbc6e997e366d70efc969e30f5e1

SHA256
168f076525bb599de8783c0c8f8b0e65f167e31969341baddd8de91deaa986cd

SHA512
87448c6d0112c6e05a70707996034fc5f5f11404ce5f555b9a4fb70d494b37a3935cd117339ed95e0ca665f8ea286b845a9ed62129ddbed64a79eac53bc66c1b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
4516b06ef806b6a923a124285ac45e39

SHA1
3615fe17d2da495a3c085c39a30eeca82c5be7e1

SHA256
f8310e3bd758ada0b8abd21770a13f80578da865203317ccc84f0e8eed42de19

SHA512
76aa6498626bec8fbeab2bb93a6f8b60b43774f2b90926025716fe9aa961f6c5ae3d594292e01105e9fa5853aa095e2e050398dec60b8946db721f4a37189a58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
2f6d51f1feab7a37958385edc4a92940

SHA1
354c850d8fe9978005e637c4eaf139a5f7749511

SHA256
7c166e8634b0e79f606baeb9f7faa6878e4a174f38fad86025aaf8a804f6c26e

SHA512
208518d5209d7d390d878afa03d368a81cf40327243506ad7d5bfd4aa3be687420b8e8db4ae16dd2c8e0b6478a2e938a6812deab3410ace24e264a4424207ae3

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 796942.crdownload

Filesize
5.1MB

MD5
e6f473bd5340405656209e620f43068f

SHA1
c144446dc23c86c7c9b26ce87c3176866372f6d1

SHA256
bed33c3732307e19e9a702e7ff179180a7891b92cb879a5b758021eefc68a99b

SHA512
2e9065caeadcef0edd1e8e8fe3139e0fc5a9dd46011dbc0a4666745ed817cfaf6f859c9f1b5c1e5e957476cb16b42dcf14508594e44f2a059706865c19866a4c

Download Submit
memory/2556-483-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/2556-516-0x0000000005DD0000-0x0000000005DEB000-memory.dmp

Filesize
108KB

Download
memory/2556-515-0x0000000005DD0000-0x0000000005DEB000-memory.dmp

Filesize
108KB

Download
memory/2556-763-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/2556-512-0x0000000005DD0000-0x0000000005DEB000-memory.dmp

Filesize
108KB

Download
memory/2556-772-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/3300-491-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/3300-764-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/3300-773-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/3344-472-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/3344-762-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download
memory/3344-771-0x0000000000CD0000-0x0000000002444000-memory.dmp

Filesize
23.5MB

Download