fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Resubmissions

14-01-2025 01:19

250114-bp1w8asngy 5

14-01-2025 01:15

250114-bmeafavmhj 4

14-01-2025 01:10

250114-bjndyavmcn 5

14-01-2025 01:06

250114-bf5h2ssmaz 4

Analysis

max time kernel
210s
max time network
207s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14-01-2025 01:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk (1).exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

5^/10

discovery

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe
Key value queried	\REGISTRY\USER\S-1-5-21-564748828-2201999071-3764224244-1000\Control Panel\International\Geo\Nation	AnyDesk (1).exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\998fe69a-1f41-4070-96dc-d2dfa9c6177b.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250114011243.pma	setup.exe

Loads dropped DLL 2 IoCs

pid	Process
1236	AnyDesk (1).exe
3592	AnyDesk (1).exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk (1).exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk (1).exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk (1).exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1280	msedge.exe
1280	msedge.exe
2580	msedge.exe
2580	msedge.exe
1920	identity_helper.exe
1920	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
2580	msedge.exe
2580	msedge.exe
2580	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	900	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	900	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe
2580	msedge.exe
2580	msedge.exe

Suspicious use of SendNotifyMessage 5 IoCs

pid	Process
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe
1236	AnyDesk (1).exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1352 wrote to memory of 3592	1352	AnyDesk (1).exe	80
PID 1352 wrote to memory of 3592	1352	AnyDesk (1).exe	80
PID 1352 wrote to memory of 3592	1352	AnyDesk (1).exe	80
PID 1352 wrote to memory of 1236	1352	AnyDesk (1).exe	81
PID 1352 wrote to memory of 1236	1352	AnyDesk (1).exe	81
PID 1352 wrote to memory of 1236	1352	AnyDesk (1).exe	81
PID 1352 wrote to memory of 2580	1352	AnyDesk (1).exe	84
PID 1352 wrote to memory of 2580	1352	AnyDesk (1).exe	84
PID 2580 wrote to memory of 4444	2580	msedge.exe	86
PID 2580 wrote to memory of 4444	2580	msedge.exe	86
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 4036	2580	msedge.exe	87
PID 2580 wrote to memory of 1280	2580	msedge.exe	88
PID 2580 wrote to memory of 1280	2580	msedge.exe	88
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89
PID 2580 wrote to memory of 2372	2580	msedge.exe	89

C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1352
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3592
- C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk (1).exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1236
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://support.anydesk.com/knowledge/anydesk-id-and-alias?utm_medium=app&utm_source=adwin
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2580
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x11c,0x120,0x14c,0x7ffbd60f46f8,0x7ffbd60f4708,0x7ffbd60f4718
    3⤵
    PID:4444
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2188 /prefetch:2
    3⤵
    PID:4036
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2288 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1280
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2932 /prefetch:8
    3⤵
    PID:2372
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3696 /prefetch:1
    3⤵
    PID:4832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3704 /prefetch:1
    3⤵
    PID:4856
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    3⤵
    PID:3928
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4284 /prefetch:8
    3⤵
    PID:3096
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
    3⤵
    PID:2304
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
    3⤵
    - Drops file in Program Files directory
    PID:3556
  - - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x264,0x268,0x26c,0x158,0x270,0x7ff65f9f5460,0x7ff65f9f5470,0x7ff65f9f5480
      4⤵
      PID:4676
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1636,5336133011885322227,7963015903165823363,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6020 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1920

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2576

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2836

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3f0 0x3f4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\023139e1-1175-49cb-aac5-fe7a0c9b0618.tmp

Filesize
8KB

MD5
1b065be4438c0764491e36920e4a0768

SHA1
81c3d4d1e38a26be2ac77802c0f989431d815f14

SHA256
e79583bda28800e081a0f9837857c1671eaedf01d28e38590bd59f6a6035beda

SHA512
6cb0d9b6823f56104a32f4d2b737f87a42974a2487fd3f346c38786b3599455ecf004c2dd15cc7d54bee3751b96ebc51cb017aaf09d304405e2a23e1a809364e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5e66a3d46ce02326d71914c69bb1ff5e

SHA1
91ccf10b11a8c2d127fe825840b0f5a3c5a51513

SHA256
8408d688778cfc5151fd454f1182175674719a8a5709dd36aaac95512c7b1054

SHA512
3fc4c3299a000fd48b25ec9fa88d87892fe60b3e82005195d0afc80e028ff270e1429bb2a4fc07cfcfd5d8c23a44283c92a11f9ff11d28ec951331e3df05326c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9d9e89a46ea1c979d600d8ecff95392f

SHA1
a03b20076c4a9bd34d03af90e43d5815943d187b

SHA256
7d5e0d521951eff280f780f5134b8f1b4c614bb4e96ce15577201272a1e4478c

SHA512
7bd673c3e908e62928b35bb2ca183a79e575775a1b76b1bd3e584c9da331d4a4c213b3de25fe209090504ce0af3f3823a27767196ed81cceb7f881106e068429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
e6135062b3e00bad5c57b854eb185ef3

SHA1
493662ee71eb6fad9e2bddedec51edd60eeb7c19

SHA256
462ffb86b9df2c0780f524b6b6362c6f9bdf3e5f29a671866615e4fecf8a5859

SHA512
86adadacc50b000ae2f4dce30718da664e12ed94bb4f1324f0cab20e5370b594d02f5f6562df90af331a8064184ebc5f389f0f856f6ac2ec191581dd7db1dd43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
576B

MD5
0e2869d81f396fed0a08cb2bd61e0323

SHA1
8245ce5584eca694dee37b446624eb953378aea1

SHA256
e71fa1a3507c1a955bcb4efc2c3657d418bbbe5a2d563e711f2774a605b6d109

SHA512
9ad6ddb4be7b3bae9f18a80f52cd7299db36fe37e5cb50b16a3694e4eade1de7d1239deb043ed925f5a2540a958a83a4b013939bffc9dbfead746ac2270d1d5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
d2af1c7dba9f1fe494d1a0d980449258

SHA1
c522f4618ddce667aafc696101a0afd8d71995dd

SHA256
19d894380207776242d00764d2f22927c0fb2287e6b4aa70b5772a92c50de0b2

SHA512
7200536dcfd72fc20e4116b65aeaf06242c254f4181814e7d531d1b1be2c36b056b66b677f59265b9ec9616e3a0493f7365c3dbffe345cfb6932ebee890a346c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
4KB

MD5
85b4a2e2d1f98a72a26236bda0053603

SHA1
0a650f505a62073fa36f67a79f9f9981650b07e8

SHA256
72d497672e4ea840e3f8ac4f7eb14a3c4dfbd7eea73c7083c0d3257a9f4cc9d8

SHA512
b8153f058d6bc3dd18bdb40e874aacbce22a4d714f530243f212746bce26b7b485c92b1239971c417435e2dc507aa681c93a175c691795751ec62f2a8de3189e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
9bb53e68146f6151529f40b2f893d77a

SHA1
f5c97998e9e08552477aa92cb72b197b835765a4

SHA256
4de7e00582a55a23edbfa1ed48c6456764cd1d937dceee2f8736152b2a600a4a

SHA512
7df828898827255abe4fa7e754738c274a45341058bba8797623f9ad36de2c17fd573d55ce1565d1d2602c95ce6d7ea3afa1ab6886951874214260fdbdda8a23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ff5dd20177add5f2fb07a017c096ccce

SHA1
7afe60457ca44419c3421847c4202a50fd4b80a8

SHA256
0e18c1f1f59aefdb789413aefaeaa005421e9369195f7c35929008ec30b50cb0

SHA512
3bbbb7e4af49e8a92b5dba457567a249db23b50a1b4a79c33bc38a14e5dc4ae9dbf480b6f42abfd3da28af57c06aeaf4b0b7f3da39b712ca49981c8c7973c77a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
fed028b04d20c185974cbf26aec71dd1

SHA1
2ba76ba7145babffb33e4530fee1399414625c71

SHA256
70b868b1927fe3fc6541495036100b707f75829535ee7472f4de7590fca1e39e

SHA512
b25fb1646b84e0b5aa73fa32573a2653694e56f984670e3ede624942b4ca0ad67f0a68a131c3c1a49de4a82eeb76201697e9685c88735a48e3259a38ae1290de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
8KB

MD5
a05965c4bbc33b571848171f9e9faca9

SHA1
adec63cc842f46116eb1a6f7419c2183758f95f7

SHA256
ec57897f554e9a7b05735b750b4ac4d3b9bda30be2a114a390e7aeb94c6e6de8

SHA512
962df185d37f44f178338810a69d4a65421c3dee28953a8778efa9e78e849df3863bf0447b8d59cdc92a64683285af3503e9572aea57a143063744bc0d71f076

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
501b7dc43b9c6f73a6ecb7bf84ccd583

SHA1
19d0e470a984261cb458e5ba5f59793aaec084dc

SHA256
7e2c3d9453f24916209eddcc61dd7694a6475f85d783561cd5b9b4a81d7954d2

SHA512
3742c376ec94e6d04e7c8da425f8022c128442e4e8b3002ce309b40a755ef8ea16e720375c0b9da3a52fb6e58420872571c65f9ea71fb687f23215c30656fff0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4f91dd3a1c02a1e80516d7b0a02cd5ca

SHA1
732593627f55cf5840467935db2ef9c07cbf289f

SHA256
111b645ab3e08d14cecbe95d6c03e944c45e360a25464027e704498269a1d6b1

SHA512
c3e8e388311412db7091539ca9d8a8574cb8466b37541622d03292145e29bbaf39e8419a03e58518e02449b8ddf370dee47b63c4c51404a0346f96ff6180ea93

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
972c601795b527f837ec1fb8fa2b04d9

SHA1
c444369cd23907d40efa27839c092321f834fd95

SHA256
4557ecb64822e0677a4a5b2b785dbe27ce68b8808cc2409ee3c5ecdfd1e89ef2

SHA512
03868d20360ecb9933d2f4caf4b38b19e2ae81215468916c65a433543ba4b702d7157a1d7c324299388767831693ebe28e9bd8c89bd68eaeeb2724c257b658f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
8d1398d348cfdc5bab2d9d377a417784

SHA1
863faf6b9f683301e03cd219cb8d44c3fd21e640

SHA256
36f4bf7ffafc0b51f19acf9d15dbe9eea15d032e2ab75dcc230b5bf6a7957f45

SHA512
e437d805f89b36147ea3b4a7b443c932005c0b468180988b9538657a6a7040402250b88a0aafa729295fa0c9bc446392938bb09b6651910b0a216bacf4fe870f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
bb08a329d16d25c505730e5120e09439

SHA1
8c71c2f45ac3870283cf424d16ec6194cb49c69b

SHA256
4c189a789a5917b7cd1cce5b19016346e00a4fe1b02d022aad11cf0f47747255

SHA512
754dc9c7f943ca7bdd39931acdf9b41d88d5f50c0bd2cbd6041b42dee2303ca28f395e652f932a827a066819affe69ad07477da1d318fbf8229d03f53eb5e5cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
d626e798cdc814e016bb8e44cf20d01a

SHA1
d17f4fee4e3cac6a22f5894d34674c14e5123ef4

SHA256
293a21c80f784eccb86bb8719550360eb3181127a63701aeaa9c33183ae29100

SHA512
2081e474b9aa7b642091fea90bc703e6f6ff0e4dcb3a4ad9f636374fd754797c0a579b14dc4608964223770fd0a201b958f80f047d3c4da67d4665dbdc107e63

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
005db19f3f6b5c23eab325f313f0a61e

SHA1
82d148bd3079712a3b04492265b9cc1a99603112

SHA256
bc9ce633bfd64576ddcffdd273a36994e0e8a3fc85599bd1b5871b751a98f217

SHA512
bf6663b42a8c928ea48c57b3a8598584331e33b1c335e0e31ba38bea751112338a7df6a8e8275f77c9361fbf52fd7761518d4969dcc044174bf86801a47cf2a0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
c609562797e58299dbd2dd3c243b9d2e

SHA1
2273e9659dc7cb00f0d8b1397c74a49a37d92dfc

SHA256
6f052c481c6411d2ba485d7415c844f017e224d142132d45a07c868e6b6e5743

SHA512
1aa2ab6a9c19208282a96414f211dd5425b7fd75ab3a9e861f7c6f25a67eaff72d45ee68e79d6cdfa6405f1532eb46f9599c6dabf40e610cb9507663fd32e391

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
447bf64be94d792effabd4327593027a

SHA1
ffb62791c866ea71eca2d151df0290030651b196

SHA256
1f1badbb5140c05e0d0750666710a54056fd5e2f15eb119f4eb6e2ada8b7a1c3

SHA512
e75d0b4fc14c370a7867079923c3d958e3209ffb8ca00a4ee12a386626c8834f267e3d9f40821f8fc31577630348cbd5b705455fefdc99cbe6f2477e16417925

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
d6361b43af21f097a66291f4efd366d3

SHA1
464b9baf4491fd8e748de2edf4f4c09806e175a5

SHA256
9bdbbefe929c40a0d21c571ec7626e91f3c27124469761370d15a1b63e21e1b2

SHA512
af75d224d7f92057774e92450ec3a0a3ae6ed2c034b4b5887ee2f73041e9e3d7982477e9260852ae83c45d6675161d9586504286b79f834205311daa76e67e02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
001030857b77199c8f059266fe69413d

SHA1
684c2bd62e050d5bde5424599b496f69d591cbb6

SHA256
b30f11e54e1088cfb62a2d9c9da9fa16ef69d4c3cd2341a1e91d3ce58f677432

SHA512
b9678f5856bf2491302e5a786e0b6080c586a8cf610df302b2b7cd58a0f88981a4da1c612253ebc9822052f7dd1c020da2f4448825d75e946682e6f977dc1062

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
23708b1653584e7e30cdefeeae40cf56

SHA1
3a7e02e348fd83a20749c21aeb74881300ce1eec

SHA256
9526e53e639a9daac03b5d01ab4a4e5c65e89d49c6c6defcba42c925ecf64b64

SHA512
581c37a55cd311d18a208684cb88263ee403c6bd4f45dbf3471148e1331278ae922ea06b23fbb0f2bfbe36b46223173b27ade1164964bb9038ae452a80fb9570

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
df375de63e860677a869cb8d535386f7

SHA1
9bcbe321839394ab370274bf8f5316234c6c9a67

SHA256
659b5772a8989d8e5bbb2573a982db75bcdcb63e55e73a25b30630bcb294c18a

SHA512
0b692da915282714d1f4c6d9ac308c5df7afba313ec9205462c4835b940511a7a96265ca4a04c8edb4cd1fb933ffac5d2a9374a30991c776153ab7d5894f832b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
b54925e95e8909607a7af70a8b1906a4

SHA1
34aa32d7e900b30a841235562e385ba495ecd71e

SHA256
53bb39ea1c0df351cd7fa2ebd4321098c5b7c96de157ddbd58b2e33a26ff19a5

SHA512
932ef788d01d42bb4b033382938f129a35663149ed0db2c2eed1950e67632ac6b4931ac14b203486826c9124d498689ec5df84ff9b5c5e5406d0da815713b2d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
ccaa95c67427d81439c3c3f664608fda

SHA1
16c74beb4777507501311747902a803b15914bed

SHA256
aa3ca78ee42ce374620e50b11ccfbd4e2c683bd75f3705291b8b0c0a6d5683ea

SHA512
9416bb86c3554a914f1c90a4c4bb46a3e6ddd2cb5831cb7a0ae5ecb6b4cf1466e705e96eb08c3e9cf4c3ba60fdcc605e933bdaa7ed42cca4fbe9721b272b98f7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
df4ae3e6a4d315ad9c2cefc9326db9df

SHA1
3131f585665a3ff928ec7f811dc1ac9781042df7

SHA256
21790f386dbff90dbbf1bce79555f897d8ebf12b2bc4aa3dea69a97d7962cd29

SHA512
46cc3f9d664d1655b9e52f5378250fafcc5ba84d9a3dc1292e05e4a0fa284fdf692a44b7f2e6a473b29c853f58531a324f29c198d2d1b25620ca630995ccae0a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
5426d6a575142b8874766dcb700ffae5

SHA1
2fc42e9fad85684758984090819d3996c762990d

SHA256
788654d00d6012a42c5167cbb528b29e204db74a72d699cae063ead6009a64ab

SHA512
533ef664ad625d02da8acb4316ba3b157331639ae94702cde25043de54462a4c5cb9a54a94a4b5e945158f42717e5002de9c132859c3e8d6b141ee538ac62f82

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9c50351cb60af92411917f985c114167

SHA1
f2fe41c5135d4011578563da958e3facb5eb331c

SHA256
317d349d6c0a45b233fc624e905491547923e04286d702cca65f6657eee5593d

SHA512
6d635c1348616bbecbdee9ed96122c0a864e1520bbb7a51eaa9357c926e21a817dd133daaa6f7b30bc5218058f359f0ca19686a0dd7bac3ee2ec3745baab83bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
b2193da89e6a77687d95e3a688f7d67c

SHA1
dac5af577bf3a2cc62b355e2216476d89ee23768

SHA256
503bfcf54d4e4273c1e0fb17edd96e7a6858d5d813759fbef84a310ab0486714

SHA512
4990b8f9650932e4d31196dc7272f5379f5e44d04bd8c5e92c208514dc99bf57615307c9ebda0651d157d95f8b16ed73a0eddc0c7f2751f28aeae1877847ebb3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
658f7807b4d52c75a35bf7bd44653ee3

SHA1
89fac79936d9de0ca1219e5ef14a00bcee46fd10

SHA256
dcf49d0bc3acded0ae21e9abade2f9ff140a2a441aafe362d5f381159a3a7367

SHA512
e0b1e25d8e2dd2cb06899b6a6c61d1d2f30e040d971d7d601fcd7608efb3430b54d64144b0225dd8d049fd41ea4e316365f2575ef516f5d5bf1e465ef8f7fa73

Download Submit
memory/1236-220-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/1236-12-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/1352-0-0x0000000000664000-0x0000000001766000-memory.dmp

Filesize
17.0MB

Download
memory/1352-401-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/1352-217-0x0000000000664000-0x0000000001766000-memory.dmp

Filesize
17.0MB

Download
memory/1352-218-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/1352-5-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/1352-2-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/1352-599-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/3592-34-0x0000000005D30000-0x0000000005D4B000-memory.dmp

Filesize
108KB

Download
memory/3592-38-0x0000000005D30000-0x0000000005D4B000-memory.dmp

Filesize
108KB

Download
memory/3592-221-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/3592-37-0x0000000005D30000-0x0000000005D4B000-memory.dmp

Filesize
108KB

Download
memory/3592-14-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download
memory/3592-10-0x0000000000660000-0x0000000001CA2000-memory.dmp

Filesize
22.3MB

Download