fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
709s
max time network
1050s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
27/01/2025, 11:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

10^/10

defense_evasion discovery execution persistence privilege_escalation ransomware

Malware Config

Signatures

Modifies visibility of file extensions in Explorer 2 TTPs 1 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\HideFileExt = "1"	Explorer.EXE

Creates new service(s) 2 TTPs
persistence execution

Windows Service
T1543.003

Service Execution
T1569.002
Modifies service settings 1 TTPs
Alters the configuration of existing services.
defense_evasion

Windows Service
T1543.003
Stops running service(s) 4 TTPs
defense_evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Drops startup file 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	regsvr32.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
264	icacls.exe
4512	icacls.exe

System Binary Proxy Execution: Rundll32 1 TTPs 1 IoCs

Abuse Rundll32 to proxy execution of malicious code.

defense_evasion

Rundll32

T1218.011

pid	Process
308	rundll32.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 20 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Version = "11,0,9600,0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Version = "1,1,1,9"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Locale = "*"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Version = "6,1,7601,17514"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}\Locale = "EN"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Username = "DELL"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Locale = "EN"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4383}\Locale = "*"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{44BBA840-CC51-11CF-AAFA-00AA00B6015C}\Version = "6,1,7601,17514"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{6BF52A52-394A-11d3-B153-00C04F79FAA6}\Version = "12,0,7601,17514"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{89820200-ECBD-11cf-8B85-00AA005B4340}\Locale = "en"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{89B4C1CD-B018-4511-B0A1-5476DBF70820}	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{8A69D345-D564-463c-AFF1-A69D9E530F96}\Version = "43,0,0,0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Active Setup\Installed Components\{2C7339CF-2B09-4501-B3F3-F3508C9228ED}	Explorer.EXE

Downloads MZ/PE file 1 IoCs

flow	pid	Process
299	3884	chrome.exe

Drops desktop.ini file(s) 54 IoCs

description	ioc	Process
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1001\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Saved Games\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Favorites\Links for United States\desktop.ini	mctadmin.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	regsvr32.exe
File opened for modification	C:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1001\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Favorites\Links\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	Explorer.EXE
File opened for modification	C:\Users\DELL\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Downloads\desktop.ini	regsvr32.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	ie4uinit.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Contacts\desktop.ini	WinMail.exe
File opened for modification	C:\Users\DELL\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Favorites\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Videos\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Documents\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\Public\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	Explorer.EXE
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	unregmp2.exe
File opened for modification	C:\Users\DELL\Contacts\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Searches\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Saved Games\desktop.ini	regsvr32.exe
File created	C:\Users\DELL\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	WinMail.exe
File opened for modification	C:\Users\DELL\Desktop\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Links\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Music\desktop.ini	regsvr32.exe
File opened for modification	C:\Users\DELL\Pictures\desktop.ini	regsvr32.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\E:	unregmp2.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe

Modifies Windows Firewall 2 TTPs 3 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
2928	netsh.exe
4808	netsh.exe
4732	netsh.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\compmgmt.msc	mmc.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\DELL\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Control Panel\Desktop\Wallpaper = "C:\\Users\\DELL\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\TranscodedWallpaper.jpg"	regsvr32.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\RustDesk\data\flutter_assets\packages\flex_color_picker\assets\opacity.png	xcopy.exe
File opened for modification	C:\Program Files\RustDesk\uni_links_desktop_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\auth-github.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\call_end.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\kb_layout_iso.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\screen.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\trash.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\auth-gitlab.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\home.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\packages\window_manager\images\ic_chrome_maximize.png	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\folder_new.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\icon.svg	xcopy.exe
File created	C:\Program Files\RustDesk\flutter_windows.dll	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\packages\window_manager\images\ic_chrome_unmaximize.png	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\auth-okta.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\tabbar.ttf	xcopy.exe
File opened for modification	C:\Program Files\RustDesk\desktop_drop_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\mac.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\secure_relay.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\voice_call.svg	xcopy.exe
File created	C:\Program Files\RustDesk\flutter_gpu_texture_renderer_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\screen_retriever_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\desktop_drop_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\texture_rgba_renderer_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\address_book.ttf	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\auth-auth0.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\packages\wakelock_plus\assets\no_sleep.js	xcopy.exe
File created	C:\Program Files\RustDesk\librustdesk.dll	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\call_wait.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\fullscreen.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\record_screen.svg	xcopy.exe
File created	C:\Program Files\RustDesk\usbmmidd_v2\usbmmidd.cat	xcopy.exe
File opened for modification	C:\Program Files\RustDesk\Uninstall RustDesk.lnk	cmd.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\display.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\keyboard.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\message_24dp_5F6368.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\app.so	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\AssetManifest.json	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\actions.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\auth-default.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\peer_searchbar.ttf	xcopy.exe
File created	C:\Program Files\RustDesk\file_selector_windows_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\auth-azure.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\packages\dash_chat_2\assets\placeholder.png	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\packages\dash_chat_2\assets\profile_placeholder.png	xcopy.exe
File opened for modification	C:\Program Files\Uninstall Information\IE.HKCUZoneInfo\IE.HKCUZoneInfo.DAT	ie4uinit.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\android.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\chevron_up_chevron_down.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\search.svg	xcopy.exe
File created	C:\Program Files\RustDesk\meta.toml	xcopy.exe
File opened for modification	C:\Program Files\RustDesk\window_size_plugin.dll	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\auth-apple.svg	xcopy.exe
File created	C:\Program Files\RustDesk\usbmmidd_v2\x64\usbmmIdd.dll	xcopy.exe
File created	C:\Program Files\RustDesk\Uninstall RustDesk.lnk	cmd.exe
File created	C:\Program Files\RustDesk\rustdesk.exe	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\arrow.svg	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\chat.svg	xcopy.exe
File created	C:\Program Files\RustDesk\usbmmidd_v2\idd_instructions.txt	xcopy.exe
File opened for modification	C:\Program Files\Uninstall Information\IE UserData NT\IE UserData NT.DAT	ie4uinit.exe
File opened for modification	C:\Program Files\RustDesk\data\app.so	xcopy.exe
File created	C:\Program Files\RustDesk\data\icudtl.dat	xcopy.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\packages\window_manager\images\ic_chrome_close.png	xcopy.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File created	C:\Program Files\RustDesk\data\flutter_assets\assets\chat2.svg	xcopy.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\installer\{ac76ba86-7ad7-1033-7b44-a90000000001}\sc_reader.exe	Explorer.EXE
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log	rustdesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk.4656_ThreadId(2)_1737977966950600000	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk2.4656_ThreadId(2)_1737977966951600000	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\check-hwcodec-config\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\config\RustDesk_hwcodec.4788_ThreadId(11)_1737977967907600000	RustDesk.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	rundll32.exe
File opened for modification	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\SC_Reader.exe	Explorer.EXE
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\service\RustDesk_rCURRENT.log	RustDesk.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\server\RustDesk_rCURRENT.log	RustDesk.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	ie4uinit.exe
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\import-config\RustDesk_rCURRENT.log	RustDesk.exe

Executes dropped EXE 21 IoCs

pid	Process
2336	AnyDesk.exe
3516	AnyDesk.exe
1624	AnyDesk.exe
3912	AnyDesk.exe
2608	AnyDesk.exe
696	AnyDesk.exe
4980	rustdesk-1.3.7-x86_64.exe
4820	rustdesk.exe
3888	rustdesk.exe
4984	rustdesk.exe
4496	rustdesk.exe
5052	rustdesk.exe
4832	rustdesk.exe
4800	rustdesk.exe
4656	RustDesk.exe
4312	RustDesk.exe
4788	RustDesk.exe
1288	RustDesk.exe
1784	RustDesk.exe
4524	rustdesk.exe
5056	RustDesk.exe

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
1784	sc.exe
4848	sc.exe
3816	sc.exe
5044	sc.exe
4968	sc.exe
1444	sc.exe
4308	sc.exe
4120	sc.exe
1000	sc.exe
4000	sc.exe

Loads dropped DLL 64 IoCs

pid	Process
2376	AnyDesk.exe
2192	AnyDesk.exe
3788	AnyDesk.exe
3788	AnyDesk.exe
3788	AnyDesk.exe
3788	AnyDesk.exe
3912	AnyDesk.exe
2336	AnyDesk.exe
4524	chrome.exe
4504	chrome.exe
296	chrome.exe
296	chrome.exe
1184	Process not Found
4980	rustdesk-1.3.7-x86_64.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
4820	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
3888	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
4984	rustdesk.exe
3888	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe
4496	rustdesk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 24 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WinMail.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BCSSync.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	runonce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\Nls\Language	csrss.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 16 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	runonce.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	Explorer.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Explorer.EXE
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	runonce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Delays execution with timeout.exe 1 IoCs

defense_evasion

pid	Process
4800	timeout.exe

Enumerates system info in registry 2 TTPs 64 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Component Information	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Component Information	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\1\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Configuration Data	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2\Identifier	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Component Information	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0	csrss.exe
Key enumerated	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\SYSTEM\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController\0\KeyboardPeripheral\0\Configuration Data	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\KeyboardController	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\0\Identifier	csrss.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter	csrss.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\1\Identifier	csrss.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\MultifunctionAdapter\2	csrss.exe

Kills process with taskkill 7 IoCs

defense_evasion

pid	Process
4808	taskkill.exe
4400	taskkill.exe
4852	taskkill.exe
4688	taskkill.exe
4832	taskkill.exe
5452	taskkill.exe
4844	taskkill.exe

Modifies Internet Explorer Protected Mode 1 TTPs 1 IoCs

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1\2500 = "3"	ie4uinit.exe

Modifies Internet Explorer settings 1 TTPs 64 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\5	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\13\IEPropFontName = "Shruti"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\34\IEPropFontName = "Iskoola Pota"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Show_FullURL = "no"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Settings\Text Color = "0,0,0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wm	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\GPU	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Display Inline Images = "yes"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\New Windows\PlaySound = "1"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Document Windows\width = 00000080	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\UseClearType = "no"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\LinksBar\LinksFolderMigrate = 801d401baf70db01	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Desktop\General\WallpaperSource = "C:\\Windows\\web\\wallpaper\\Windows\\img0.jpg"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\38\IEPropFontName = "MV Boli"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\5\IEPropFontName = "Times New Roman"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\5\IEFixedFontName = "Courier New"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\7\IEFixedFontName = "Sylfaen"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\11\IEPropFontName = "Shonar Bangla"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\29\IEPropFontName = "Plantagenet Cherokee"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Show_URLinStatusBar = "yes"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Search Page = "http://go.microsoft.com/fwlink/?LinkId=54896"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\4	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Document Windows\height = 00000000	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\SOFTWARE\Microsoft\Internet Explorer\Document Windows	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\21	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\SOFTWARE\Microsoft\Internet Explorer\Services	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Security\Safety Warning Level = "Query"	rundll32.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmd	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\3\IEPropFontName = "Times New Roman"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\34\IEFixedFontName = "Iskoola Pota"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\35\IEFixedFontName = "Estrangelo Edessa"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Use_DlgBox_Colors = "yes"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Disable Script Debugger = "yes"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Settings\Background Color = "192,192,192"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wax	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\23\IEPropFontName = "Gulim"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\33	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\36\IEPropFontName = "Myanmar Text"	ie4uinit.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Do404Search = 01000000	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EmbedExtnToClsidMappings\.wmx	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\IETld\LowMic	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\10\IEFixedFontName = "Mangal"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\31	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Services\	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Play_Animations = "yes"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\11	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\28	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\28\IEFixedFontName = "Euphemia"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\29	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\38	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\39\IEPropFontName = "Mongolian Baiti"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\SOFTWARE\Microsoft\Internet Explorer\URLSearchHooks	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\7	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\WindowsSearch	mctadmin.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\International\Scripts\30	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Settings\Anchor Color = "0,0,255"	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Settings\Use Anchor Hover Color = "No"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\SOFTWARE\Microsoft\Internet Explorer\TypedURLs	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Zoom	ie4uinit.exe

Modifies Internet Explorer start page 1 TTPs 1 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001\Software\Microsoft\Internet Explorer\Main\Start Page = "http://go.microsoft.com/fwlink/p/?LinkId=255141"	ie4uinit.exe

Modifies data under HKEY_USERS 54 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "RustDesk.exe"	RustDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{99FD978C-D287-4F50-827F-B2C658EDA8E7} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000b0f702a9ae70db01	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	RustDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{D9144DCD-E998-4ECA-AB6A-DCD83CCBA16D} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000808202a9ae70db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{AB5C5600-7E6E-4B06-9197-9ECEF74D31CC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000303004a9ae70db01	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	RustDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "RustDesk.exe"	RustDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	rustdesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{920E6DB1-9907-4370-B3A0-BAFC03D81399} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000303004a9ae70db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{2916C86E-86A6-43FE-8112-43ABE6BF8DCC} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000303004a9ae70db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "RustDesk.exe"	RustDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	RustDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{08244EE6-92F0-47F2-9FC9-929BAA2E7235} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 010000000000000060a504a9ae70db01	AnyDesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Direct3D\MostRecentApplication	RustDesk.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\ThemeManager	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "RustDesk.exe"	RustDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ThemeActive = "1"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\DllName = "%SystemRoot%\\resources\\themes\\Aero\\Aero.msstyles"	winlogon.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Control Panel\Desktop\MuiCached\MachinePreferredUILanguages = 65006e002d00550053000000	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastLoadedDPI = "96"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LastUserLangID = "1033"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\ColorName = "NormalColor"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Direct3D\MostRecentApplication\Name = "rustdesk.exe"	rustdesk.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{16F3DD56-1AF5-4347-846D-7C10C4192619} {0C6C4200-C589-11D0-999A-00C04FD655E1} 0xFFFF = 0100000000000000303004a9ae70db01	AnyDesk.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\SizeName = "NormalSize"	winlogon.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager\LoadedBefore = "1"	winlogon.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wm\ = "WMP11.AssocFile.ASF"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-mplayer2\CLSID = "{cd3afa8f-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mp3	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.M2TS\OpenWithProgIds\WMP11.AssocFile.M2TS = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.TS\OpenWithProgIds\WMP11.AssocFile.TTS = "0"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\WMPShopMusic\ = "{8A734961-C4AA-4741-AC1E-791ACEBF5B39}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{A45AEC2B-549E-405F-AF3E-C6B03C4FDFBF}	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AU	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-aiff\CLSID = "{cd3afa72-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpv2	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpg\CLSID = "{cd3afa76-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.WAV\PreferExecuteOnMismatch = "1"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.asf\MP2.Last = "Custom"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmi\MP2.Last = "Custom"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmz\OpenWithProgIds\WMP11.AssocFile.WMZ = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wvx\OpenWithProgIds\WMP11.AssocFile.WVX = "0"	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wpl\OpenWithProgIds\WMP11.AssocFile.WPL = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\ = "&Play with Windows Media Player"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpeg\CLSID = "{cd3afa76-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpv2\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\ = "&Add to Windows Media Player list"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/3gpp\Extension = ".3gp"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg\CLSID = "{cd3afa89-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m4a	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wax\OpenWithProgIds\WMP11.AssocFile.WAX = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\video\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.aifc	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpa\OpenWithProgIds\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpeg	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp4v\MP2.Last = "Custom"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mpg	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma\MP2.Last = "Custom"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmx\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-wpl\CLSID = "{cd3afa95-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/wav\CLSID = "{cd3afa7b-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-wmv\CLSID = "{cd3afa94-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\DVD\shell	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpeg\CLSID = "{cd3afa89-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wmx	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Video\shell\Play\NeverDefault	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.au	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.wmv	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mpa	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MMS\Source Filter = "{6B6D0800-9ADA-11d0-A520-00A0D10129C0}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wm\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1001_CLASSES\Local Settings\Software\Microsoft\Windows\CurrentVersion\SyncMgr	Explorer.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.aif	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.m4a	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wma	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-wav\CLSID = "{cd3afa7b-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/quicktime	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg\CLSID = "{cd3afa89-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.3gp	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.snd\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mp2v	unregmp2.exe

Suspicious behavior: AddClipboardFormatListener 6 IoCs

pid	Process
2376	AnyDesk.exe
2376	AnyDesk.exe
3912	AnyDesk.exe
3912	AnyDesk.exe
5056	RustDesk.exe
4788	RustDesk.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2192	AnyDesk.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
2192	AnyDesk.exe
2192	AnyDesk.exe
2192	AnyDesk.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
2784	AnyDesk.exe
340	Explorer.EXE
1864	taskmgr.exe
1148	mmc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: 33	2408	AnyDesk.exe
Token: SeIncBasePriorityPrivilege	2408	AnyDesk.exe
Token: SeDebugPrivilege	2192	AnyDesk.exe
Token: SeDebugPrivilege	1360	firefox.exe
Token: SeDebugPrivilege	1360	firefox.exe
Token: SeShutdownPrivilege	3504	LogonUI.exe
Token: SeSecurityPrivilege	3452	winlogon.exe
Token: SeBackupPrivilege	3452	winlogon.exe
Token: SeSecurityPrivilege	3452	winlogon.exe
Token: SeTcbPrivilege	3452	winlogon.exe
Token: SeSecurityPrivilege	3452	winlogon.exe
Token: SeBackupPrivilege	3452	winlogon.exe
Token: SeSecurityPrivilege	3452	winlogon.exe
Token: SeManageVolumePrivilege	2936	WinMail.exe
Token: SeRestorePrivilege	3724	ie4uinit.exe
Token: SeRestorePrivilege	3724	ie4uinit.exe
Token: SeRestorePrivilege	3724	ie4uinit.exe
Token: SeRestorePrivilege	3724	ie4uinit.exe
Token: SeRestorePrivilege	3724	ie4uinit.exe
Token: SeRestorePrivilege	3724	ie4uinit.exe
Token: SeRestorePrivilege	3724	ie4uinit.exe
Token: SeRestorePrivilege	308	rundll32.exe
Token: SeRestorePrivilege	308	rundll32.exe
Token: SeRestorePrivilege	308	rundll32.exe
Token: SeRestorePrivilege	308	rundll32.exe
Token: SeRestorePrivilege	308	rundll32.exe
Token: SeRestorePrivilege	308	rundll32.exe
Token: SeRestorePrivilege	308	rundll32.exe
Token: SeManageVolumePrivilege	572	WinMail.exe
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeDebugPrivilege	1864	taskmgr.exe
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeDebugPrivilege	2192	AnyDesk.exe
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: 33	1148	mmc.exe
Token: SeIncBasePriorityPrivilege	1148	mmc.exe
Token: 33	1148	mmc.exe
Token: SeIncBasePriorityPrivilege	1148	mmc.exe
Token: SeSecurityPrivilege	1148	mmc.exe
Token: SeShutdownPrivilege	340	Explorer.EXE
Token: 33	1148	mmc.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
1864	taskmgr.exe
340	Explorer.EXE
340	Explorer.EXE
1864	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
2376	AnyDesk.exe
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE
340	Explorer.EXE

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2408	AnyDesk.exe
2784	AnyDesk.exe
2784	AnyDesk.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
1360	firefox.exe
2936	WinMail.exe
572	WinMail.exe
1148	mmc.exe
1148	mmc.exe
340	Explorer.EXE
3612	AnyDesk.exe
3612	AnyDesk.exe
340	Explorer.EXE
1624	AnyDesk.exe
696	AnyDesk.exe
696	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2192	2408	AnyDesk.exe	30
PID 2408 wrote to memory of 2192	2408	AnyDesk.exe	30
PID 2408 wrote to memory of 2192	2408	AnyDesk.exe	30
PID 2408 wrote to memory of 2192	2408	AnyDesk.exe	30
PID 2408 wrote to memory of 2376	2408	AnyDesk.exe	31
PID 2408 wrote to memory of 2376	2408	AnyDesk.exe	31
PID 2408 wrote to memory of 2376	2408	AnyDesk.exe	31
PID 2408 wrote to memory of 2376	2408	AnyDesk.exe	31
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 620 wrote to memory of 1360	620	firefox.exe	36
PID 1360 wrote to memory of 772	1360	firefox.exe	37
PID 1360 wrote to memory of 772	1360	firefox.exe	37
PID 1360 wrote to memory of 772	1360	firefox.exe	37
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38
PID 1360 wrote to memory of 1932	1360	firefox.exe	38

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2192
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies data under HKEY_USERS
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2784
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:3612
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:2376
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --frontend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:4008
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --frontend
  2⤵
  - System Location Discovery: System Language Discovery
  PID:596
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:3788

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:620
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1360
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.0.1190935221\1434121214" -parentBuildID 20221007134813 -prefsHandle 1224 -prefMapHandle 1216 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {032d03da-ecf9-4d34-8143-40088728fab7} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 1288 124d5858 gpu
    3⤵
    PID:772
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.1.1327208436\1078509738" -parentBuildID 20221007134813 -prefsHandle 1480 -prefMapHandle 1476 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f1ef8a88-1735-44c1-a598-e795d75de4ba} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 1492 e6f258 socket
    3⤵
    PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.2.1897488927\1448644499" -childID 1 -isForBrowser -prefsHandle 2072 -prefMapHandle 2068 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9351c671-e077-48da-8183-1ec2931d1ffe} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 2084 1a58c258 tab
    3⤵
    PID:2712
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.3.438273967\2143461167" -childID 2 -isForBrowser -prefsHandle 2372 -prefMapHandle 2324 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0cb2f51d-7ea5-4db1-a03a-4f315e3a4bba} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 2448 1bc13b58 tab
    3⤵
    PID:2888
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.4.60898295\1381085420" -childID 3 -isForBrowser -prefsHandle 2968 -prefMapHandle 2964 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {e93ffbbc-0293-4f15-9bcc-4ab0f41181f6} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 2980 e62b58 tab
    3⤵
    PID:1832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.5.1409338022\1862602144" -childID 4 -isForBrowser -prefsHandle 3788 -prefMapHandle 3756 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1ed21435-b6f6-4bd4-b315-f6709c2e5ef6} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 3800 e2db58 tab
    3⤵
    PID:1744
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.6.1517627057\699046283" -childID 5 -isForBrowser -prefsHandle 3912 -prefMapHandle 3916 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {56c216e2-f1c7-4380-aee5-45cdd698858f} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 3896 1bfd7958 tab
    3⤵
    PID:592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.7.622947766\217946946" -childID 6 -isForBrowser -prefsHandle 3952 -prefMapHandle 3956 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {791c3f0d-e656-49b1-8669-ee931bda103b} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 3936 1bfd7c58 tab
    3⤵
    PID:336
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.8.30334448\1736830294" -childID 7 -isForBrowser -prefsHandle 4448 -prefMapHandle 4444 -prefsLen 26356 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1ba9b08-4ec2-4791-8bc8-dba261c91519} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 4460 23979258 tab
    3⤵
    PID:3292
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.9.1533903916\1131524315" -childID 8 -isForBrowser -prefsHandle 3332 -prefMapHandle 3340 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {74a1a49b-79cd-42fa-b3b2-7de131abab0a} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 3248 22fc3e58 tab
    3⤵
    PID:4056
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.10.1506561101\2002594966" -childID 9 -isForBrowser -prefsHandle 1056 -prefMapHandle 1928 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {80b97765-32d7-4cbb-b7dc-0b8a64dce34e} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 1128 225e2258 tab
    3⤵
    PID:4068
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1360.11.1359746395\1079535652" -parentBuildID 20221007134813 -prefsHandle 3916 -prefMapHandle 4184 -prefsLen 26796 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7788cb5-d478-4e43-a4a0-ded429bfb1c4} 1360 "\\.\pipe\gecko-crash-server-pipe.1360" 4180 190b9858 rdd
    3⤵
    PID:3512

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3684

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:4004

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:4044

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:3452
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3504
- C:\Windows\system32\userinit.exe
  C:\Windows\system32\userinit.exe
  2⤵
  PID:3608
- - C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    3⤵
    - Modifies visibility of file extensions in Explorer
    - Boot or Logon Autostart Execution: Active Setup
    - Drops desktop.ini file(s)
    - Drops file in Windows directory
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:340
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
      4⤵
      Drops desktop.ini file(s)
      Sets desktop wallpaper using registry
      PID:1396
  - - C:\Program Files (x86)\Windows Mail\WinMail.exe
      "C:\Program Files (x86)\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      4⤵
      Drops desktop.ini file(s)
      System Location Discovery: System Language Discovery
      PID:3816
    - - C:\Program Files\Windows Mail\WinMail.exe
        
        "C:\Program Files\Windows Mail\WinMail" OCInstallUserConfigOE
        5⤵
        Drops desktop.ini file(s)
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2936
  - - C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
      4⤵
      Drops desktop.ini file(s)
      Enumerates connected drives
      Modifies Internet Explorer settings
      Modifies registry class
      PID:2672
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
      4⤵
      Drops startup file
      Drops desktop.ini file(s)
      PID:3692
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\SysWOW64\rundll32.exe" C:\Windows\SysWOW64\mscories.dll,Install
      4⤵
      System Location Discovery: System Language Discovery
      PID:3860
  - - C:\Windows\System32\ie4uinit.exe
      "C:\Windows\System32\ie4uinit.exe" -UserConfig
      4⤵
      Drops desktop.ini file(s)
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies Internet Explorer Protected Mode
      Modifies Internet Explorer settings
      Modifies Internet Explorer start page
      Suspicious use of AdjustPrivilegeToken
      PID:3724
    - - C:\Windows\System32\ie4uinit.exe
        
        C:\Windows\System32\ie4uinit.exe -ClearIconCache
        5⤵
        
        PID:3360
    - - C:\Windows\System32\rundll32.exe
        
        C:\Windows\System32\rundll32 advpack.dll,LaunchINFSectionEx C:\Windows\system32\ieuinit.inf,Install,,36
        5⤵
        System Binary Proxy Execution: Rundll32
        Drops file in Windows directory
        Modifies Internet Explorer settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
    - - C:\Windows\System32\rundll32.exe
        
        C:\Windows\System32\rundll32 C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m
        5⤵
        
        PID:3116
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
        6⤵
        
        PID:3720
      - C:\Windows\system32\RunDll32.exe
        
        C:\Windows\system32\RunDll32.exe C:\Windows\system32\migration\WininetPlugin.dll,MigrateCacheForUser /m /0
        6⤵
        
        PID:2356
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:/UserInstall C:\Windows\system32\themeui.dll
      4⤵
      Sets desktop wallpaper using registry
      Modifies Internet Explorer settings
      PID:2416
  - - C:\Program Files\Windows Mail\WinMail.exe
      "C:\Program Files\Windows Mail\WinMail.exe" OCInstallUserConfigOE
      4⤵
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:572
  - - C:\Windows\System32\unregmp2.exe
      "C:\Windows\System32\unregmp2.exe" /FirstLogon /Shortcuts /RegBrowsers /ResetMUI
      4⤵
      Drops desktop.ini file(s)
      Enumerates connected drives
      Modifies Internet Explorer settings
      Modifies registry class
      PID:3692
  - - C:\Windows\System32\regsvr32.exe
      "C:\Windows\System32\regsvr32.exe" /s /n /i:U shell32.dll
      4⤵
      Drops startup file
      Drops desktop.ini file(s)
      PID:1912
  - - C:\Windows\System32\rundll32.exe
      "C:\Windows\System32\rundll32.exe" C:\Windows\system32\mscories.dll,Install
      4⤵
      PID:3932
  - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
      "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level
      4⤵
      PID:3712
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f977688,0x13f977698,0x13f9776a8
        5⤵
        
        PID:3924
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        5⤵
        
        PID:844
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f977688,0x13f977698,0x13f9776a8
        6⤵
        
        PID:1552
  - - C:\Windows\System32\qmeprf.exe
      "C:\Windows\System32\qmeprf.exe"
      4⤵
      PID:3916
  - - C:\Program Files\Windows Sidebar\sidebar.exe
      "C:\Program Files\Windows Sidebar\sidebar.exe" /autoRun
      4⤵
      PID:3784
  - - C:\Windows\SysWOW64\runonce.exe
      C:\Windows\SysWOW64\runonce.exe /Run6432
      4⤵
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      PID:596
    - - C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe
        
        "C:\Program Files (x86)\Microsoft Office\Office14\BCSSync.exe" /DelayServices
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
  - - C:\Windows\System32\mctadmin.exe
      "C:\Windows\System32\mctadmin.exe"
      4⤵
      Drops desktop.ini file(s)
      Modifies Internet Explorer settings
      PID:1092
  - - C:\Windows\system32\taskmgr.exe
      "C:\Windows\system32\taskmgr.exe" /4
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of FindShellTrayWindow
      PID:1864
  - - C:\Windows\system32\mmc.exe
      "C:\Windows\system32\mmc.exe" "C:\Windows\system32\compmgmt.msc" /s
      4⤵
      Drops file in System32 directory
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe"
      4⤵
      PID:5596
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\DELL\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\DELL\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xbc,0xc0,0xc4,0x90,0xc8,0x7fef3009758,0x7fef3009768,0x7fef3009778
        5⤵
        
        PID:5336
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1152 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:2
        5⤵
        
        PID:5736
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1496 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:5664
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:5684
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2304 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:888
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2416 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6012
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=1332 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:5616
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2796 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:2
        5⤵
        
        PID:5620
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=2164 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6112
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2188 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:2
        5⤵
        
        PID:6136
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2236 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:4944
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4468 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:4344
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2392 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:6716
    - - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --force-configure-user-settings
        5⤵
        
        PID:6772
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f977688,0x13f977698,0x13f9776a8
        6⤵
        
        PID:6800
      - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --system-level --verbose-logging --installerdata="C:\Program Files\Google\Chrome\Application\master_preferences" --create-shortcuts=1 --install-level=0
        6⤵
        
        PID:6840
        
        C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe
        
        "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f977688,0x13f977698,0x13f9776a8
        7⤵
        
        PID:6852
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2412 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:7124
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2432 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:7132
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=4348 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:7140
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2480 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:5840
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2476 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6560
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4212 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:4584
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=1392 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6548
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=4056 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:2104
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4064 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6168
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=4160 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6556
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --mojo-platform-channel-handle=4112 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6656
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --mojo-platform-channel-handle=4356 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:6824
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --mojo-platform-channel-handle=4336 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:1
        5⤵
        
        PID:3996
    - - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2460 --field-trial-handle=1248,i,9032696675674508746,2383229403685985703,131072 /prefetch:8
        5⤵
        
        PID:6192

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:3156

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:2036

C:\Windows\system32\rundll32.exe
rundll32.exe uxtheme.dll,#64 C:\Windows\resources\Themes\Aero\Aero.msstyles?NormalColor?NormalSize
1⤵
PID:1092

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:1672

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:1532
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:1940

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:3820

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:2580

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:1748
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:2564

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
PID:3480

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
- Modifies data under HKEY_USERS
PID:596
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:3668

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Drops file in Program Files directory
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2336
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2608
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:696
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  PID:5432
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --backend
  2⤵
  PID:5912
- - C:\Program Files (x86)\AnyDesk\AnyDesk.exe
    "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
    3⤵
    PID:4884

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Checks processor information in registry
PID:3516

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:1624
- C:\Program Files (x86)\AnyDesk\AnyDesk.exe
  "C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  PID:3912

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
PID:296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef3009758,0x7fef3009768,0x7fef3009778
  2⤵
  PID:848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1248 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:2
  2⤵
  PID:2552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1584 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  - Downloads MZ/PE file
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1668 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:2300
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2280 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:1
  2⤵
  PID:3732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2288 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1452 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:2
  2⤵
  PID:4188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=3308 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:1
  2⤵
  PID:4316
- C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
  "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level
  2⤵
  PID:4404
- - C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13fd77688,0x13fd77698,0x13fd776a8
    3⤵
    PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3688 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3952 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2800 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2648 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=660 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:1
  2⤵
  PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3420 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2288 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3860 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:1
  2⤵
  PID:2600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4144 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4168 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4276 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4172 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:4504
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4156 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:4524
- C:\Users\Admin\Downloads\rustdesk-1.3.7-x86_64.exe
  "C:\Users\Admin\Downloads\rustdesk-1.3.7-x86_64.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:4980
- - C:\Windows\system32\taskkill.exe
    "taskkill" /F /IM RuntimeBroker_rustdesk.exe
    3⤵
    - Kills process with taskkill
    PID:4808
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:4820
  - - C:\Windows\system32\icacls.exe
      "icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T
      4⤵
      Modifies file permissions
      PID:4512
  - - C:\Windows\system32\icacls.exe
      "icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T
      4⤵
      Modifies file permissions
      PID:264
  - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
      "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:3888
    - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
        
        "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system
        5⤵
        Drops file in Windows directory
        Executes dropped EXE
        Loads dropped DLL
        Modifies data under HKEY_USERS
        
        PID:4496
  - - C:\Windows\system32\cmd.exe
      "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
      4⤵
      PID:4988
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM RuntimeBroker_rustdesk.exe
        5⤵
        Kills process with taskkill
        
        PID:4400
  - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
      "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      PID:4984
  - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
      "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --install
      4⤵
      Executes dropped EXE
      PID:5052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C C:\Users\Admin\AppData\Local\Temp\RustDesk_install.bat
        5⤵
        Drops file in Program Files directory
        
        PID:4512
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4324
      - C:\Windows\system32\sc.exe
        
        sc stop RustDesk
        6⤵
        Launches sc.exe
        
        PID:4120
      - C:\Windows\system32\sc.exe
        
        sc delete RustDesk
        6⤵
        Launches sc.exe
        
        PID:1784
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM RuntimeBroker_rustdesk.exe
        6⤵
        Kills process with taskkill
        
        PID:4852
      - C:\Windows\system32\taskkill.exe
        
        taskkill /F /IM RustDesk.exe /FI "PID ne 5052"
        6⤵
        Kills process with taskkill
        
        PID:4688
      - C:\Windows\system32\reg.exe
        
        reg delete HKEY_CLASSES_ROOT\.rustdesk /f
        6⤵
        
        PID:2716
      - C:\Windows\system32\reg.exe
        
        reg delete HKEY_CLASSES_ROOT\rustdesk /f
        6⤵
        
        PID:4736
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall delete rule name="RustDesk Service"
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2928
      - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
        
        "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --uninstall-cert
        6⤵
        Executes dropped EXE
        
        PID:4832
      - C:\Windows\system32\reg.exe
        
        reg delete HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
        6⤵
        
        PID:4964
      - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
        
        "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --uninstall-amyuni-idd
        6⤵
        Executes dropped EXE
        
        PID:4800
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3444
      - C:\Windows\system32\xcopy.exe
        
        XCOPY "C:\Users\Admin\AppData\Local\rustdesk" "C:\Program Files\RustDesk" /Y /E /H /C /I /K /R /Z
        6⤵
        Drops file in Program Files directory
        
        PID:4744
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f
        6⤵
        
        PID:4788
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayIcon /t REG_SZ /d "C:\Program Files\RustDesk\RustDesk.exe"
        6⤵
        
        PID:5016
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayName /t REG_SZ /d "RustDesk"
        6⤵
        
        PID:1288
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v DisplayVersion /t REG_SZ /d "1.3.7"
        6⤵
        
        PID:4604
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v Version /t REG_SZ /d "1.3.7"
        6⤵
        
        PID:3328
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v BuildDate /t REG_SZ /d "2025-01-21 09:41"
        6⤵
        
        PID:4496
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v InstallLocation /t REG_SZ /d "C:\Program Files\RustDesk"
        6⤵
        
        PID:4756
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v Publisher /t REG_SZ /d "RustDesk"
        6⤵
        
        PID:3980
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionMajor /t REG_DWORD /d 1
        6⤵
        
        PID:4908
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionMinor /t REG_DWORD /d 3
        6⤵
        
        PID:4884
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v VersionBuild /t REG_DWORD /d 7
        6⤵
        
        PID:4644
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v UninstallString /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" --uninstall"
        6⤵
        
        PID:4324
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v EstimatedSize /t REG_DWORD /d 261
        6⤵
        
        PID:4452
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\RustDesk /f /v WindowsInstaller /t REG_DWORD /d 0
        6⤵
        
        PID:4344
      - C:\Windows\system32\cscript.exe
        
        cscript "C:\Users\Admin\AppData\Local\Temp\RustDesk_mk_shortcut.vbs"
        6⤵
        
        PID:1784
      - C:\Windows\system32\cscript.exe
        
        cscript "C:\Users\Admin\AppData\Local\Temp\RustDesk_uninstall_shortcut.vbs"
        6⤵
        
        PID:2424
      - C:\Windows\system32\cscript.exe
        
        cscript "C:\Users\Admin\AppData\Local\Temp\RustDesk_tray_shortcut.vbs"
        6⤵
        
        PID:4536
      - C:\Windows\system32\sc.exe
        
        sc stop RustDesk
        6⤵
        Launches sc.exe
        
        PID:4848
      - C:\Windows\system32\sc.exe
        
        sc delete RustDesk
        6⤵
        Launches sc.exe
        
        PID:3816
      - C:\Windows\system32\sc.exe
        
        sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --import-config \"C:\Users\Admin\AppData\Roaming\RustDesk\config\RustDesk.toml\"" start= auto DisplayName= "RustDesk Service"
        6⤵
        Launches sc.exe
        
        PID:4000
      - C:\Windows\system32\sc.exe
        
        sc start RustDesk
        6⤵
        Launches sc.exe
        
        PID:5044
      - C:\Windows\system32\sc.exe
        
        sc stop RustDesk
        6⤵
        Launches sc.exe
        
        PID:1000
      - C:\Windows\system32\sc.exe
        
        sc delete RustDesk
        6⤵
        Launches sc.exe
        
        PID:4968
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:4768
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk /f
        6⤵
        
        PID:4776
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk /f /v DESKTOPSHORTCUTS /t REG_SZ /d "1"
        6⤵
        
        PID:4064
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk /f /v STARTMENUSHORTCUTS /t REG_SZ /d "1"
        6⤵
        
        PID:4492
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\DefaultIcon /f
        6⤵
        
        PID:4924
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\DefaultIcon /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\",0"
        6⤵
        
        PID:4844
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell /f
        6⤵
        
        PID:4896
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open /f
        6⤵
        
        PID:5040
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open\command /f
        6⤵
        
        PID:4824
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\.rustdesk\shell\open\command /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" --play \"%1\""
        6⤵
        
        PID:4152
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk /f
        6⤵
        
        PID:1936
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk /f /v "URL Protocol" /t REG_SZ /d ""
        6⤵
        
        PID:4980
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell /f
        6⤵
        
        PID:4816
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell\open /f
        6⤵
        
        PID:4544
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell\open\command /f
        6⤵
        
        PID:4784
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_CLASSES_ROOT\rustdesk\shell\open\command /f /ve /t REG_SZ /d "\"C:\Program Files\RustDesk\RustDesk.exe\" \"%1\""
        6⤵
        
        PID:4140
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="RustDesk Service" dir=out action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4808
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall firewall add rule name="RustDesk Service" dir=in action=allow program="C:\Program Files\RustDesk\RustDesk.exe" enable=yes
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4732
      - C:\Windows\system32\sc.exe
        
        sc create RustDesk binpath= "\"C:\Program Files\RustDesk\RustDesk.exe\" --service" start= auto DisplayName= "RustDesk Service"
        6⤵
        Launches sc.exe
        
        PID:1444
      - C:\Windows\system32\sc.exe
        
        sc start RustDesk
        6⤵
        Launches sc.exe
        
        PID:4308
      - C:\Windows\system32\reg.exe
        
        reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /f /v SoftwareSASGeneration /t REG_DWORD /d 1
        6⤵
        
        PID:4744
    - - C:\Windows\system32\cmd.exe
        
        "cmd" /c timeout /t 2 & "C:\Program Files\RustDesk\RustDesk.exe"
        5⤵
        
        PID:5016
      - C:\Windows\system32\timeout.exe
        
        timeout /t 2
        6⤵
        Delays execution with timeout.exe
        
        PID:4800
      - C:\Program Files\RustDesk\rustdesk.exe
        
        "C:\Program Files\RustDesk\RustDesk.exe"
        6⤵
        Executes dropped EXE
        
        PID:4524
    - - C:\Program Files\RustDesk\RustDesk.exe
        
        "C:\Program Files\RustDesk\RustDesk.exe" --tray
        5⤵
        Executes dropped EXE
        
        PID:1288
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1340 --field-trial-handle=1440,i,4906862319079854368,11264448271838696287,131072 /prefetch:8
  2⤵
  PID:4908

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:3360

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1942361847-1656259457-974691715-1328932242-20977772851974483794-1806753244673989076"
1⤵
PID:4504

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --import-config "C:\Users\Admin\AppData\Roaming\RustDesk\config\RustDesk.toml"
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4656

C:\Program Files\RustDesk\RustDesk.exe
"C:\Program Files\RustDesk\RustDesk.exe" --service
1⤵
- Drops file in Windows directory
- Executes dropped EXE
- Modifies data under HKEY_USERS
PID:4312
- C:\Program Files\RustDesk\RustDesk.exe
  "C:\Program Files\RustDesk\RustDesk.exe" --server
  2⤵
  - Drops file in Windows directory
  - Executes dropped EXE
  - Modifies data under HKEY_USERS
  - Suspicious behavior: AddClipboardFormatListener
  PID:4788
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    PID:4120
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      PID:4832
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --check-hwcodec-config
    3⤵
    - Drops file in Windows directory
    - Executes dropped EXE
    - Modifies data under HKEY_USERS
    PID:1784
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --cm
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: AddClipboardFormatListener
    PID:5056
- C:\Program Files\RustDesk\RustDesk.exe
  "C:\Program Files\RustDesk\RustDesk.exe" --server
  2⤵
  PID:5216
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    PID:5328
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      PID:5452
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --check-hwcodec-config
    3⤵
    PID:5392
- C:\Program Files\RustDesk\RustDesk.exe
  "C:\Program Files\RustDesk\RustDesk.exe" --server
  2⤵
  PID:5920
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    PID:6008
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      PID:4844
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --check-hwcodec-config
    3⤵
    PID:6128
- - C:\Program Files\RustDesk\RustDesk.exe
    "C:\Program Files\RustDesk\RustDesk.exe" --cm
    3⤵
    PID:4600

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-60023162139961100-1436093298-11700267781583964974633086892-17476288461116955"
1⤵
PID:4604

C:\Windows\system32\csrss.exe
%SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16
1⤵
PID:4744

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:5144
- C:\Windows\system32\LogonUI.exe
  "LogonUI.exe" /flags:0x0
  2⤵
  PID:5224

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5644

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

T1569

Service Execution

T1569.002

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

System Binary Proxy Execution

T1218

Rundll32

T1218.011

Credential Access

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\AnyDesk\AnyDesk.exe

Filesize
5.3MB

MD5
0a269c555e15783351e02629502bf141

SHA1
8fefa361e9b5bce4af0090093f51bcd02892b25d

SHA256
fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

SHA512
b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a

Download Submit
C:\Program Files\Google\Chrome\Application\SetupMetrics\144520cb-4197-4ef7-b490-17619c450cfb.tmp

Filesize
488B

MD5
6d971ce11af4a6a93a4311841da1a178

SHA1
cbfdbc9b184f340cbad764abc4d8a31b9c250176

SHA256
338ddefb963d5042cae01de7b87ac40f4d78d1bfa2014ff774036f4bc7486783

SHA512
c58b59b9677f70a5bb5efd0ecbf59d2ac21cbc52e661980241d3be33663825e2a7a77adafbcec195e1d9d89d05b9ccb5e5be1a201f92cb1c1f54c258af16e29f

Download Submit
C:\Program Files\RustDesk\Uninstall RustDesk.lnk

Filesize
984B

MD5
86829cb10c0b45c0457224d6909ff639

SHA1
adda48b41f75f762ec5a66ba3a14c7e2c6922d46

SHA256
5d75aafd8faeb9bcf28f434427bd69e11e8fcf219f5005497211ee9e6ca0ba44

SHA512
5681d0c0aa0a18b2fc3c50d14e6cab76a9093f8ae69e9a9c573c1358a3dbce7ac5a3b4ae3b8b9215c141c0ecbeda10fab7788a9264755d051d01bfda0147c473

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
951B

MD5
11b754bb3e650fc6551c328af6f74c62

SHA1
88abfef769203753d3657769ff720e196a3890e0

SHA256
ef2161b51be5d651535cc048f83e08917da2d177fa129a55af68c2dfd0dab67d

SHA512
8c86b48172930f7fc6408553d5bc7d94f852b7b5d73325f83279be0d0314930a50dd42b76a1dddc17682bae34d465d8553ff771aeedf8e1132b783df92a9acce

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
951B

MD5
9a41ea38d6f572c5b91d2a7f6fd3ad0f

SHA1
bc60bf724a998fd14f56e12bea10f768b2d06d93

SHA256
ad2bd622a385e41d851c25d7d7a56a6fe74afdcca38f9ffb500fc6d016638ed7

SHA512
02927b0e8f85f7cbdffdbb8a43a5ca47e27954f04da7652d685c796bf3fd1e1a412bf3c5292af9eaafd54f4032e4a0091c84aec7c5886e6feba7841ec391d224

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\RustDesk\RustDesk.lnk

Filesize
936B

MD5
d336069c55daaf98b90629b31f638c89

SHA1
87ccbe205c3403634c2ccd9a7be6c862eb3dddd9

SHA256
2d8ac28127caf9a01394fe3e33828905d1940f0948d586803bc793a0edecfc3f

SHA512
6afde88ce3e915152b21626718967c1c73f8f11e07e1323ce6dde22b417438207458b98d7909e9613539cda9616c775a2b2636623bbbf34aec00f474b39ef20a

Download Submit
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini

Filesize
964B

MD5
46a4eca2a791d84afecfd9f129a567df

SHA1
004f2926d9377cc23c5b68ce26907435b8539643

SHA256
06b6d34db7e9ebecc07e0b53fedb2a9bc2d4563b1d2037b7630fbc002942baf7

SHA512
dbeecf882210add0dd4ac57f75ccdf6a9604c3308e92f70747313f89a7f9c590f4e1cdd507e53ee37e0a1b7e437320dc6ec1299d406ef34ddd67dfd900fddd98

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a930de62238bd969b543052ce7ec5e3

SHA1
92d8f6db55106d125a47738287b461d67cd5b20d

SHA256
8addd4b63547330eaa607cb335562dbaed0a5d6a3d34bbfdef4f8800a4a86c8e

SHA512
6b6852eca5ab2b87b3bb08058de0c585bc4dacdc56de40cc3514b32dd9541f06366fc461713034429e796ca21a692e06bd4c1af5cc4478980c13d493cd8aa433

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d34f2d5d38c952f235581102689eac2

SHA1
1c3eb5514bdf9890f357e35565acd9af26ec6ee8

SHA256
f235b9470c33b6ead6e88cca444db5a9678a5709795ac72cb394632ca9b408d9

SHA512
a8e12884a1bcd60791fd14c648c20e706f420057500aa5495037fcb751ae5680b9f611d8fbb6e82d52195c4596dd5f860e0d5fa78022d3955de1069a105e67c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eedac3293b17fe7bbab39aeec8c9e77b

SHA1
874afd153b608bf5be055a098852c66b8b097669

SHA256
f49203e568f2ecc327dadcecee73e149a6c0966dbd0f0b12b1c857c7291d3d30

SHA512
d1f9321a37980bf6718ba5b46b8fb84d4bd0569d9c57762a3ab69e07cc428c4181b320c8896c78133367d57d8bef732085f74456b7a457eb219eec2cf6ba6d8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5097efb5ccab307da52784697469dd3

SHA1
55a5f3138b1e8a4845cdf0b1bebac6787378b588

SHA256
5eb6331bc075d584ba4e70141a54d0729fe2c4f67c0a9454decc5d5735217bb8

SHA512
0d7b73b92b35eec4f9298db2576244e1890ff7514b52d926620094a012ad0425365347f5022a31b65d6460477dc740170e9e8770c392a3c6ce473ea1732a2d46

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\0ed3a3ca-f89b-4583-b83d-1287a1af8a5e.tmp

Filesize
7KB

MD5
7837d3436158005f81d55fce1b081fe3

SHA1
2a83b18d689fb20edbfa0bdd711d05b54561f0df

SHA256
1ceb5b4a07027f2c8f387049be567e2bbd711d939c14f3aaa64a5e422ce92e28

SHA512
e0d25f4d82269c5580f93a88ef8c64540a108cac9d89dac14ab1001a459da9715ca24c0f42d418a8a681a9fee532e9fd557ecb7a65930b202d979324a8474d73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
215KB

MD5
7b49e7ed72d5c3ab75ea4aa12182314a

SHA1
1338fc8f099438e5465615ace45c245450f98c84

SHA256
747c584047f6a46912d5c5354b6186e04ea24cf61246a89c57077faf96679db6

SHA512
6edf4594e2b850f3ede5a68738e6482dd6e9a5312bffa61b053312aa383df787641f6747ac91fa71bb80c51ed52a0c23cc911f063cd6e322d9a1210aea64e985

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
4a686349993965721f090d158a10a6c4

SHA1
fb0f61ba49cfd7e213111690b7753baf3fcce583

SHA256
65451d12c37acf751e9f4732e9f9f217149b41eebad5b9028eac8bd8d2d46d8f

SHA512
0dc571487fd798b62678378c2dd514fb439f6c131637d244c8c3dd48d5e84267d21fe633c5b20578e621d5e8fe2958c5e58bc18ebe2d4731b18669fec4031489

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
120B

MD5
566de5ab305fc8e415454f773740ec43

SHA1
c6b5710f980078b28e539b6e5e9e54e32e213f4f

SHA256
d602c37e0041b9e3e682233af361dd5ddee004e38ac79bff194e2c5e6d06f24d

SHA512
2a5892dd85b7f78e95af8814a663a405142424a7e4d7c5a68bf60c1a9f9f2f1f06fa76de0700fbc7736404a49735679ac25c8ad5cb8bf5c63da903beec6b816d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
da79727dae0dceefa3a8b5b6cbc6473f

SHA1
8967f0a1cd0cb991ee2c0a253f8d735a9383cc59

SHA256
76ab73a35c8b41c5f60dacefde2a10daed97b53eee882e6770198da61fd67800

SHA512
a0be3df0ade45025be9c8034808a1c3678231a4b06840a258c7dd57c7780547df9818787f578b54a0bbc4669f036b87e577c1c5e14227d57b2ae60b31d48da8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
2289670d56ead0bb2a4c39dba34d065a

SHA1
0dedde4c4a0f83774aa61c0e1fc6d33709c79f22

SHA256
8475aeac07741fa4c3cf5069f51a221a83f1168b9c5c42fd9ed1c3bdfaafcb72

SHA512
50c93670a1d90e48503c52efc4a4a10d22da0443db4ce1462305b817cf128d99f2e756cb013cec921a8d13059eee3cbfa3ec6088d73239520739362231b9905e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
e15dc0a2f3e9d4b04f3ab7e6afea21ca

SHA1
3d7e2a4465eb3e4effd643d79f7b1c0455db2620

SHA256
e192d6406916f2da0ca6b75da16ecde9298af021cda0ad1cec5d662b46276d22

SHA512
56823fb1769dcd82ac12d397746f4b3d11511f5378e4a30a27d1b972dcfe93fcb2f2540a3166a470c9be8d1134f3b82c1aa105b835305695c8baa3c719be2c03

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
510148d74097ac3842e2f41b778390df

SHA1
f684afdcead74a9e233204e03541dd50ec07844a

SHA256
3b2532d3fb5d46416e91f780648ee58db1fb984bbb437e38e28d1eadb26bc36a

SHA512
44b5ccba90ea50c46e308a2b247e4ffbb88fd2a8ca6ab761565e016d3a30aa17f72d851ae9ce8785436d5386339f8628374160b08c3ae4dd7e5d380b23baa521

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
f32c9d7985eaa92255ee2ea690da8790

SHA1
bc84cc7f961971580dfb33e98f2e3314280bf3d2

SHA256
ffed30ca4b873b7e5945c76942fdccb00948d1533116d24c301957b9fbf894f8

SHA512
1c51aa1f33bf43e54b50594415dd1cf9ed57070fba463397f55fae6c9b1b1080dd45fbd5392aff89481a3e7225a8e8483eee5539e5bf7c7b92cc78c8e28c15a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
a9e3d5a2734138e5770fbbcb4b40b8de

SHA1
b8abccb2bf8708bf7859cddbd81bcd4f674cfc84

SHA256
6da7279252e392ff3b0e3042574e7769d19ecc2281ca8f0158250672ebb83b5f

SHA512
c31042d11cd99fb52b9e867a33659d97593b48940a9f7dd92cf287b7b87fb2b97e4e54dda70a97a58e80f2d48e27a205f9eb66f69ab450d46be4f1f1165928dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
335KB

MD5
a7002aa85ec81dcd0598717860a4055e

SHA1
bd62c15dd5bfd79adea4a19b75296f7cea5d721d

SHA256
76e037bcf72b670565f8b48bfea9dce379d0bd8b16b288c4e7db1f074db0a4a3

SHA512
2324acce1dc4dc3dee096dc3a175324f972d4649d524b6596bb97b396a76bb84104f672aff12c8e841c054d7ad3cbbf708420d5d1759ff19a3966d931fb74385

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
349KB

MD5
7eb221c15feaa3e7fba65594bd752543

SHA1
840d0001c7886ba808e16fd1c5f450054f8516df

SHA256
08dc078c0bff08214a0d72624b0b4e26006c5b2d19b90f22174ae1a37908df8d

SHA512
265161245d26836587b2062d3c0a350c564c52ca5494c2392940407bc0902883c943f8f9159fa8bc248476128ae8dd9010f1d873e0fba16536ae9aa4d3bf69df

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
348KB

MD5
03a35eb5790c8cd08c8057c3d6715d2c

SHA1
fc91821ebefa1439248009ebb653fc19986724d0

SHA256
ecf65e9ad471119fafb8f710b867c739fd49f73f09f5503abc3d73549682261d

SHA512
2ceb8694655ea99ec353c96a61e753910ac6e54a1315b36aed65aba33a82e551c2b62bb85873f239f797d85fb53b4c70611ac3dbf3ec378527a517b411061cff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
400KB

MD5
1752e0c7a2658b9dd5f229cd1c1c61c5

SHA1
82e8e288d2ab46ca0499e69521e0961cceb0c22e

SHA256
8b96539718bed9527741f0e3f5921ab25d17e8ebd4692517499e3db96ab30de1

SHA512
5f2952893cf1b33f857c03a3be52a6a6605731885139a729c758acea6867c6ebf16ba4ec2b95511a0bb36d587587238c2b6e05f07162aa126b1461a85c996473

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
348KB

MD5
8a48d3f841a290d09bd777524f7020fa

SHA1
64b661c05f6a99cfb8917adedcc2f69f032847fd

SHA256
0a1d199e7c845b4fbd039ac82fa5f0430e767be8d01a4f89f27158505bcb12c4

SHA512
9d4601501432d6eb0bb751361e56177db9caebc0f3bd464038ecba84714076de3f71c73bbe8b128ac504b7400122a49c441c643ac5bf2fb088e57a1562164743

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\activity-stream.discovery_stream.json.tmp

Filesize
26KB

MD5
12deec8dd81aeb5b30c2f1c4e4502714

SHA1
ac6ddbc131a31ed9c47daba1d1b115bc1d4cab1d

SHA256
7f2748a435ae39f94ecc85262e9ad5e82c80ab2a93ce9d966f4e7b69a3d0c4fd

SHA512
f5289bd9dce2b4158948662663754ea0a6866cd8fe49594307e369306a10152af5b35785cefaeffded549cc02808df06dfbcac93678832f47c5d077c95274a73

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\cache2\entries\37373F56CBD822F5FCF64BA01E1320A0924D8460

Filesize
24KB

MD5
82b01dff841088738f859329b99ec3ed

SHA1
a8af89909e19814e341837af471ae4f81db8c6c9

SHA256
9ad1bf2a010c72d129f9b657d6d3f057069bc9ab8190b77ca66974c977b72546

SHA512
dfcad787dc2c17f2a101fec3bf20ed3775eedfdd013d6aa6d6f29813504fd9298dee42ad2d795809ef3b1fb5da9ab63e0ba92a7f1f202365a517719f1957e990

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\jumpListCache\9EBCBdDfq9fI7YefN3tvXg==.ico

Filesize
691B

MD5
42ed60b3ba4df36716ca7633794b1735

SHA1
c33aa40eed3608369e964e22c935d640e38aa768

SHA256
6574e6e55f56eca704a090bf08d0d4175a93a5353ea08f8722f7c985a39a52c8

SHA512
4247460a97a43ce20d536fdd11d534b450b075c3c28cd69fc00c48bdf7de1507edb99bef811d4c61bed10f64e4c788ee4bdc58c7c72d3bd160b9b4bd696e3013

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB53E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB57F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
05b8ca8aa87510df86da394037fc5809

SHA1
e3d4faec5671a3b7f890328c17c39475e25773f2

SHA256
f842655b95bffe7b12bbcd6de7dc37ae488736bdafa8978be1e381ad58430b71

SHA512
d06bf626dcbf16a17318d63acf133dcbecce63d63c34e6866d44c9476956b13ee80044b8718f5d5cad362f8326e1b31e8223774452ea23564e6e1116e4281f6d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
70669691b353a5fe0adfe9594b78ca7a

SHA1
0f3c60b4c632e94ee2bd732ef7c7360473ae7a2b

SHA256
a8cc81a3c14d930496fd70c3965bdb7c60d9899e49b3700f87db5addbfea7f35

SHA512
5d3afe88948b183c2dac74200fdfcc37455b19c7798eaab21677d8cfda054a5d986da4f6c3c0d2b290c13443a314a95087430fdf14e662ce89d1e392f5c531f2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
342KB

MD5
0c45d445af50c5c53ed99a2d46fc1126

SHA1
a50fb81c29b8121c37d02fbc37687bd695d82beb

SHA256
f30af20e91f96dbd0be821c5e271e918ab641ca63a49806fd51d88a13d295423

SHA512
73a9b770c718657280c3443267b042f32ac755529acd38b7a67efd41a1d49a023af4c9f282dcef15834d5ef07af148189a618d066376a7a02dde2693beeb547f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
62KB

MD5
91da218df5d6fa5295a4a6be712a470a

SHA1
0f885a28bd5f0efb0e22811dae571757145c9112

SHA256
c91cd7be5e0cd8e97a7be0f0c92bb005b3379596fa9f477aeb4f5d9811d59831

SHA512
6ace0c541bd899daf6bed0f6ee6137791ff677615a0f8792f0012a003bc9981f7ff657b06f4b62ce1696f9b07fed1f2cea742d50957732217546a83d53412f81

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
98KB

MD5
e23f90287f2e0749f8805f7a287a9ac3

SHA1
c650cba897fa031c42ec9f69110c9e07c777474e

SHA256
6b7d73a6e59bddc9270cce4dc5c5e50b66ddbf77acf45ad2f63d6cc96f23ca94

SHA512
d802bd19528f92d97e88e92957a82caaa0bd60f21a04e88a3058699f383f1290a5d078eed360a175ef731ded2505bb3d9746559bb4b307cdbc58d1b60738e6b3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
7f5af8065dd1f4f82c6af0de885665b2

SHA1
fa8a9b85c26c0ae569fb7be2283a2c11a5a21a6b

SHA256
00af46bffe50415770502cc428f67dc66c13ad482ffe85a8c8fc5029eb5ff190

SHA512
2550b59a4a76eab7597a4b75875488c119f65a7aaf258bb2a32d8c23ff7bd78eea44ae4cf4f8a56594398348ab5f2d89fb74e1c7f598264c2f86a9a99b050096

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
4bbaa609a5d3fbdcaaffba4047b2b89d

SHA1
24971a637d756e55d4ffc96961af250b9e9d668d

SHA256
4e034c1faa3a07efc0da24c93d335a7b5631492e80b346bc529f29fa603e1023

SHA512
80ee7e814685e06136b6c8ce749285836273b08b111aff012eacd86e6baef24d87a73532fd5225614c52ee55f7029c8396c82474b6bcaaea483f443721be47c3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
72e352e311c0cc2f35a10dd0b1713ab9

SHA1
9d3e0453259b0e54862310ec550b87d11078e7d2

SHA256
e4a6e60958c92410219abd59a93d959c8137e7053d54d9fa422efe40c1b35ac9

SHA512
7cb5b0b2fd02af96e5c73d722e4103419f6f7437675c676bfede90e48c8c89597bde22a1e8f46ab92f9147929f93e0197ab2698b98552f66ad049106f413b255

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
7b778085f7bbb5c45087d70357191ccc

SHA1
5a65aefe21207fec36ab8873dc1647197bcea550

SHA256
a3af99a2cfd2b9821b5f90019982b0651a4fde3bfe255a07b3d1c75daf7ccadd

SHA512
2006f0b398be93d72987b6131ee1ad6b1f0f2f77bbf9ee2d497a5f3b278e49ba53f204fd47f170f429ac887320af1658eb68e62a232ef2c1050797c9bf9d0e30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
f28bd675a76bf040ef03a2ca88785936

SHA1
b5c594cb40031d74484fd9877be14bd102b4660b

SHA256
b5adafa420a1883bc5c8a31fb7ed878780afecb125b967ba4d6f1489a04a9895

SHA512
d6709eb8d66aed886f721946020538fbab4b6064a6ea004831899dae0fa25284127b9693b20c140ebe3af8f934fc073aab8ae74ea6b1ae9a23b5ac5d8fbf9dba

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
e014fabd605e0cbfa9d6cc423c97e1a6

SHA1
470753a4c16c694272983d6a391e54ce962792b9

SHA256
c7c3416d7ed478a526815d5bb44aa3329eca5413111ab8f4cbea5901d3350f2e

SHA512
53cb4bdbca23840cd8d92cc55a84133646c28a8053a097a7eb26cf573fe1cf331bed96a44947adbbc71468eab06f90f7c5e6647f864049caca0c62ca33835b30

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
afb460a8017e386115a76504e1412397

SHA1
0283d549e913970b19de1168f415035c41c9f843

SHA256
5043c0297cb98502dabe16f947cdf4ec308c8201b861fdd1014d23e681dfffa4

SHA512
38c9dee017de87defaca9dd91ce9eddfb685bbdfe7b2333b56f5669b2229e512762d50f9ec28cf5694c7e05425ee39b097743a8cf22ad4f53f704b951d2e838b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
8d0a234ccb1d4ec94e41b64c3e7e6ca3

SHA1
f79e2064428ee17a39c2102e9278c71aad667728

SHA256
42779ac6802edb2b9f722eb3661b7f3a0c876c9b3c372d377aa77e29da3b4453

SHA512
cdf3d07f106dc923047d478cec0e24541ac811da9f1417f648fe386b3b0d6a835d330d1e0b050f82fdb3e6c53f447d1d3c93cecda09ea7359d7ff8b6d5a83948

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ee4794013c1393ac7588fec2e0c824a7

SHA1
18d2783c379b2c65c4107e83b3835cbfff2236c1

SHA256
6cdb57bc5ae5d5209f976847e7371ce96d07371c8e6e0c57583f99b7956b1f63

SHA512
19a4a86be2d550fcc0a6334ba7040037fdaac23d431bdcfc9b1597827af1471261350e99f83e1540428f87e76167476104490dee1ac5f8669d80bb3c9d0f3179

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
a095a131233fc647520ba6ec09a176a8

SHA1
817b00d54e81ddce62da5af09559b691d308f4c6

SHA256
1930db1475b04c5d1bdf6c53b4dc7ba3355e3fde31d1eacbfddbc94c48809e1d

SHA512
ae2b73bd4f8d989a10f8eb03ec08be1c45f7f81a483a7a307423c5892aefb9c0ece8ca8a632a4ebe9d948a1e95f84aadaea05f6424afb98793fffdf83ce9f0a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3b09bb30974c275423a54f75a6945a21

SHA1
f986780f3513e7c787b461417ae86e15c317d319

SHA256
065b2a1d8ab3db8943d8ce71a118fe4deada701cc1f977f125c94d1ce01dc696

SHA512
9f311af4da53e1f058325896ebb369d358c39606b338a4509beddbc65bc765051874d5beabc084a14167f3862f1ef78da067331426b1f14af5fb188e0e0fb3e9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
652cf612095fb7caf2448cefae548144

SHA1
e7ace1ec1d07aab9a93b5532095056d910bdf11a

SHA256
8da5ffc27d546111df04f63c9bec84991d7538ab09fb667b3b47f923f1cf5203

SHA512
997d7f5cacbe8d8c4368b470db521c57d2a43c966d40adb9174e48a8ebe47e35fb1ed820993d53887ccbe9e091e9b793d9cd0e169678f23b7f76789a6ad17160

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
94c12c73a9d8344a486b9288a2bba9b3

SHA1
beccdc6b9137dcc2d62d411411d2f6b0f0653545

SHA256
8f571c3b457de01c87b970348a73834a2f769c914b4b805979c989d1238dcb41

SHA512
9e0ef580434ab850e0c76c9729bdf1d2b6e8c94f736934159f944a00ec6b36caa93ee4215ee97756c4ac9051c28b47f917a0d85629718c446c5336a9b343232e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
dac06b350f57fd6c4ceae99eb3b67c18

SHA1
5a40f1d7e83d1fe263f434e1cde492d2afe070c1

SHA256
345dc0a86b23ab93abbb85d4bc49302514876792de97ba4984d379f6017b95df

SHA512
5aecef3651a764e51b8b123ffbb97702a09354cbc80ac2be17967dd9364be3e0e406709529c08dec0461a38092aa2408b6fb68eb6e727231cbb244430285dd4f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
254e4c483798d2261ccd46bf26fe411b

SHA1
4de3ac76919574d345e4892ecef07ebe453f735d

SHA256
9abed8275e177a28feddf31e90d92289d65628ebeab2e4356b21e4428d49e4dd

SHA512
8d9f5d664f5e239292578bacadabdb5386b0501843b8a6954e71fcf41198899bf9200c21364b43b58f76d45e9868c055e04508a23ab1ab2c029ed75cc944f2e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
58b766f029b7215870ba326107929fc4

SHA1
0c22be55a161fc54cdca38ede30c340cfd0ae5c0

SHA256
f16f0ea3aeec6f7d6dcb0218496be40e0f6fd0fd46bed7517c3d96009ee5614a

SHA512
b39097a17453cd8e5e2eb36d77c1f94707c7cab015087e73f09b276089662a30eeb94df5aa625562abcdfd07c5733a4fef724318834b94db3c207ac66492d218

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
84524210821f04fcc0866ed2ec5faa85

SHA1
824bb726b5b38fdc334eb10bf6dddb8aa85a9aeb

SHA256
fec93df7ce76b8839235a7a2ebd1f6ed2f175951dc66c409f54a6e19c2573f7f

SHA512
a5a10e19efbfac726911e6bc7c88dcc53bb0988cdb882c8a72e7278e409d9225947bac09c60f1e00ed61b3b878fa55831ed7fc6fe8ed41bb157fd2e3ce42a204

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
4299aacf66517968428650af8ef79f8c

SHA1
26e82d85af73896641b66fe243f4a59bf6b9e19b

SHA256
cef709e37a9c429a92d216ae83aada5855a15ad66b6ba7e5e31fbb98304918df

SHA512
76a73b2a89658efcf51b1eeb5f204fef2918a94c934ebe1174f0b5d6df78a9720aedc64e589bd7d6fe62d5455c7ae008ae4219e24e89e333e94dfdb38c25b628

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
920123a8eec74018be88d9f2f5228f6b

SHA1
d7dd6e6c6e1726980a365b22a8eb9bc395990245

SHA256
5e0a222b9c9a9ec26c6dc31dcd38d3b2b425c3a6c63abaf0ba40bf706dc70e9a

SHA512
8902efbd6b3647a5d59594563ed103b909bd1268e1bfd09945967ddfad7a0f136444bac60adbea51da3164c486037191aa9e12d09c727865c4355c3e73260980

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
35a8bf31c52a1ba5c5ad14033cc85ed8

SHA1
fb1d3fb855fd760d1ab6013a331aef21292aa61e

SHA256
a2a4a82fcbfeabb1791f469cad36b12e8493bbfb60ee229a56825de0677102fd

SHA512
e0772c83d0740cd756414b9eaa5f8dd40472792247e8bbec155375f62fe04d49605ac1cea088d2ea42c6335de7db9673ddba134fe68a529f4c0134b7bbf56a92

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
5fd246a4a86ba537376ff21653338d86

SHA1
4a1d3331a04ca68fc55b0ab8e78055627b3f2f52

SHA256
c64bb0349e3ca36fb25f727ef66db754010c232a49626754084630a2da7fe31a

SHA512
f182471f7434cebd17b434cf62c2828bd82ad1f74b70994518e9a1c847032baa34d63f855ef572119b4556d7d0142cfbadeeaa3fb4f2c34d12a3d2fd2ed7fe6c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
58c835baecf5170d666c95313ea72581

SHA1
70d6906dcdb2c6333c4bd8b6d4f5a8e1c2f0f49a

SHA256
d313e9777f1e1a87f0402fe56b01c365319434b717ecd0846e58c32288935e2e

SHA512
60ddc48669e10c440525963faa2c78a8c6bd612339add31b6d2d882a94886ce277f970d153ff14cc8b6af630bf9ec256b4bc8815732a433f652af373989d09fb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
255facd7004d6ac5690981f77c986b60

SHA1
ed3ba4d3ec2e1fd6b35d3d0b189198881af8c2c8

SHA256
c57ebf807c76918ed0915dd74899ac9bfe2072d4675189fbb8dcbd67ca3401cd

SHA512
c6c985a85632f0adf2d8661e881363603e257c80c42b23ae6283260f995285f17a65967cc9065d950622a03e3a404c8f52384f72e68bba449496b11b4b4dd39e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
791c2e46553a677d802c84252911b8a4

SHA1
e23e5ddeab02e4b4b0b898e98a5f540ad4829d55

SHA256
6547c9ed60fbc3d2aff175a24a9eac8d0c3b0d5c366f585289399e2e84662b57

SHA512
2bdd9d4948003af6ca2dd2c3cd6d2bd4e649abc8c777190a983aef8444b600021b263aabf659b2ae60f8821486efcaced8f80768d6e2a4beb7fc4f9d4b28c30e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
473d3a4a5f71ad53b7ed9223abc2bbd0

SHA1
6b4bc23a3ebb7b07bf5311f651822bba0c5e863b

SHA256
b61407ca0d0222437be41348a22f61ac06c9fd59575aa5675cd14abda20e002f

SHA512
5dd491f63326af380f5f3e286dfcc8024bda562b8b4d650b2c3a7171a49dd5b273e6566caa3ad334b14623d396b1fa1183c1a3283d1a298b593e8ec0e0d6fb42

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
6798a3b9f2379cac842d39ed828118db

SHA1
e32dd6893c26e85b5a947d3d77db4358c7451841

SHA256
52f7fc208f413c975c204157cb38fc9a3c5e6adff110c794eada9466d7af3a44

SHA512
9280f0a1668894a70d23fac6ab87ce80ba3c98382c35d0a15f09d52e470db33b533e05d0b43c77852025d21b654cd878c08dbb5fb684a21eaa751bc1c175c2e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
eed9e4c1ebe8558683b3c64d20da923c

SHA1
dc488427d91a20d8f40449f47a0ba9a8f17e2594

SHA256
844d03291a5f8067f2687134784d0eceefdfaf20767b8c7b04553d0cce67bd47

SHA512
160e02c945b080c97d0a62cf980fb94499b6b60d48fb237e18376445ee57f873e450dfa4e252b7432a30c6a96cb6e79d7b115eae6a3c34aea23d7500decf44d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a9a94f275d695626f82c916fed2f0424

SHA1
60b1f9003d6b80a04954dcfab9621834ec9a507a

SHA256
0819d0b4a1a45ae6774f29c3b979e7d55bfb57072c9273303f6a9fee97928dc2

SHA512
6943f9571dd875c3c244500a671f6bcd66421756f08b63f4a46f22f72020c0967e7523695ed86fc3db368d57c0148528d166d8ee86a43c6aaafccd49c3de8fc4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
4a93b8dcb01aa12e6baa07619b7959f9

SHA1
0bfd0bee3a2e88916e4df5944ca2669d08085dca

SHA256
0cbea3b667c3efc96a5f30ef9091024f88b7a68a07d16c0829eec7447f0744d1

SHA512
4ffe6ec85d589db9e1e2ab602dc1f15e11fc78bd13c2b30904712dd7db04f2cfd661b3f3788cd3659f702057b35e1353a6349299579336f1823ddc0a77df1cc7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
149c45a78b940b97885057e672863662

SHA1
e2a452433232efe1dd502b66da9f474fad80369d

SHA256
a3748b5884e3f1cdebecadbb6d54889af15ac8c80b3e023de6fd059fbf0f74f5

SHA512
430a8ceeee94c604dc7bd2ddc778c60d0e65b2db956336a503ba1b3efcd9691ae7ad8d75b38ee704fd8de7962352e08d2f4b36b7d57d60d95078433a7521d0f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
06c0384339d09393a3f3995d257a41c7

SHA1
ba6b701c2fa65e94e015f08207e205952cd3e05e

SHA256
f83e963d7809cd9833a4032c6a3ae881fb7e8b982a3ce39282370e0bf19ab088

SHA512
d6b0d86670a958d0171cae10c1aee657a3817c9be6ad7f93df31b1a2d30620073fe66bb3db443659333b8fa5f125ee2d1d708b9ac2ac736e4a3ac8d7814b8e6b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
33d50c212d7d5f4f5d26e1e6615fcfb1

SHA1
8438bf03961730b51e235115d2117e4cc45427df

SHA256
36fa5f1427f10fff03a43dbfca789393be716b16fddb1f3963926eed9b90dab1

SHA512
de3675ab4e128fc19bd4ab4bb6ba9a167a463a55e73229de3637bada24a5695034b77dbbd20b536b6de91dc4ce6e957d9162aac9d8f60e0c74136ba4a292e249

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
23KB

MD5
a74ae448e91541d3410f4dc1712652c2

SHA1
b55c94987be5915175c27ff885bd134f9a4860e5

SHA256
c8fcd5bb012cd2225b39edb446f2a7c62f75a6f6497bc4391a0f688491c01145

SHA512
803c4f8f8b3673bc16898b657e866e543fd16994af6e3401457fc22c117360737f8db8d5e7e26ff169acd93fd85922c14ca17b2b0c3ac2bd76cc3518f716e3bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
22KB

MD5
60268f6797ff13c6366b56aae4b3d1d7

SHA1
c08919b430f8103c066d6931dce3b59a475b0cf2

SHA256
82feab493efe96c23ac9e4762f392e60ff150aa9867fc3d22d4fb0ec2cc07030

SHA512
e83d851a3faa23aa681fdf571694c78a2b5cbef288166da0679a40c26726a27f858c7986e292e5ad703fc1acdbb699bd40eaae6545ba38bed7f4efe6b8b5bc2a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
69431613042c6d49ab7bd2db96f99508

SHA1
6abfccebea896eb27ad652b9979f0b0e2c665ee3

SHA256
e10609daf6e280e41e28287d769d4ad792aa4bce42a5384658b38c18bf128b87

SHA512
ebea3d82e414b6e23f18c4cd2d631b06bd7bea2eaef75677031a2ab841997108109a2b7bcc3000574a52c481f182dce62db7bcb8a0ee192ae8b3299cf95ac54e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
5KB

MD5
da4273df816b4815a02195d1bf6662c2

SHA1
d8ad4009acdeda4bced26123c13d7c01a115a603

SHA256
f8c469446d05141562f72dbb370e96e52c44a59fa1ea0c98b2b06b7cad0a0806

SHA512
2d129bc26f8426e6798a558b312f5129aef039f163bdf05e5fe97eec4a987bd250a4b130cc5679ac750d1f4edb9ebb9f620f5394d1e96c20cfa29f0d1f7a5726

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms~RFf77424e.TMP

Filesize
3KB

MD5
c783033defd8b1f18715184f811ead0e

SHA1
695fab75f6e80f56cb3150e254e9ad724e4b371d

SHA256
b207bd0298ea975269525ffb4feddc083c67cf2433164c1c3306df49a0b82a40

SHA512
000d5cc2acab49db90c9d1dced272d1ac4527a9d2e9e33c7a9ce48b9f4bd8943657a119507629e0fa5b93337bacf16a4f7a8d4fade03df5be33c0b724c45821d

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\AlternateServices.txt

Filesize
2KB

MD5
db7464bb5e8f1823f33a098ca89180ba

SHA1
8bfcaaced17900a46f71a38e8b0b991489723a78

SHA256
7759f2dc2696d1cbe0642d40b52271803dda46893b5e33a522902cd9e4a3739b

SHA512
a8ecc9a6547154dcfeceddca7c98dc7056f532a32efdf2d51921e84f0911e04947a76788447fe55655f57f34a83f28a2053f29828db0b7d135fc3b50fb4715c1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\SiteSecurityServiceState.txt

Filesize
483B

MD5
e8a8cc4a3a222d7de95ab2d0b0cbde6b

SHA1
c34af3f773607270a109a3c0392cba4fcb60e7aa

SHA256
0b9f0b79ffcbee76a7ddedaf252eeec5b5389305de57d3bfb6780c1dfbfc6af1

SHA512
b1ff339abe9e1193af97a550b00dd20ca80f2624faae7efcbfe735f1bf6bd63ce42021a1ec718d5aed849bd260717cf9ee4a5b52b57435edaf07f0e08288ce8e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
baec528bf24be917d676c165963c4bbc

SHA1
a075681b1b499d3aad97fca81fc63db7971fedfa

SHA256
c7f9ad4112b9ec8b34f872ebba5ec2aad5a727ca4e448c3fa1e9b90a7f724e95

SHA512
c76a2eddee5d468a4941bd7f1ebca276cd5c1cf13a0efe52e058cd86feac08342753df777cc5bc270a0e78a823f2adba2e3791cb6b7c8491f9e24e62f98d7763

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\07c6cf2c-703d-4261-b798-97ae0307beb8

Filesize
1KB

MD5
9b71f96336195dca7ec0787717851245

SHA1
b799b20d7f79aad3dc76440aa2695190340b962d

SHA256
9a86d8a6eb3771c4a79f7039ae013beee342a644c719c7b1140be77e2f8823df

SHA512
6b3d6e0de05646c95f758dd646bc272d32b1ffadcf659734336757a23586cb2b5af6d5689404289f1a02701fa8e4bf5fb7cbe7ba7c9132d3fe7025e26f60e4c5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\6747f75b-aeee-4bc9-9c87-2926be3245bd

Filesize
854B

MD5
72d14b37a8eda1edd9dbfd3d78d6ec63

SHA1
d44a1f49f34a77f60c70bc143e1e2b5d1b597215

SHA256
5aa464cf24caf89e42b5e3d0f3922c870b672f2faa22b7822ce5284883c64df4

SHA512
6cb157e3ade94a6d5eb3f69befe4da0fbc7d4819aafc926a04b386fb1bc1ec8fa72dfb256e9f4e0641764e441aa7349a53393e57e01493da6be16cb1a6542784

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\8a1f56b1-f429-4b99-8d6d-ba4978046359

Filesize
745B

MD5
645320e7a46ed793b1b4984eca714ecb

SHA1
632f1e64eb555165b6a5b65887fe524a6e21b169

SHA256
7b334b93b84df4083a0089068ad046faab3a8b2b5e7acd300c5cf377e2652808

SHA512
c7908c13bd793d79484ce42c1702828ddc27f825a00357d4acf4f8a73f395044f12b3cd4657edb5381d1018a6fab9a0881c3b1a6ae2a9e214353763a2efb95f1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\datareporting\glean\pending_pings\99204e2d-2282-404c-9d4e-2b4d6a37c8b8

Filesize
12KB

MD5
ec8bba0223f12a509da47a5cc443f024

SHA1
45386a287e6cca421d799f89f854b39436a95b88

SHA256
7017b468aa93b910045955e85ac3d996d7abf8acbb4ac423ce5a5d34b98762d9

SHA512
6b1b69ff8233623c784e4761290413145b30150c5a7647b0015072d9e0a03d09f4eb46377af982f7cd6aafdf9908c5f570873bdc576b909568e1e3ac7509a9c7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\extensions.json

Filesize
41KB

MD5
16b5ff8f17c99ae25cf1498207dd2158

SHA1
358704d67c2cb6d17ec6de04554df640f49ab9a5

SHA256
792c8cd0bf65c40215a49ec320bc065378e7cdfecd7f09b551d83d3dfb9d8422

SHA512
7fc9a48f98079c1fc778f86d0109282d183ab10af02f13ee5a1d7956c174affde808a63421c4dce133e38e694c2e9db37bf3a9422519a75dcef029bec89613f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\logins.json

Filesize
647B

MD5
6059295390f907dddb4a1048336135e8

SHA1
6408b42bb734f91a0c2cb23ac349b01907809bca

SHA256
25a6fcdad01e6bcacd3126f1258a61c6d86b70a784fcc98dbb1d92dd9e63976c

SHA512
60a5ed1b7d5f716d7d0a1dddc110238c4b6f54394d9e3d826e5fa700dc95da980dd6e1002b4e34038f1a525001575c7dae06352be39d8f5624e82da5e8a89104

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
6KB

MD5
37202761de8be423b9cc7ec0d3808f69

SHA1
df55992072e5f6798747fec5a457e5474c257575

SHA256
0de129c13467af9fa3e17e7f5a410b464f0496795f60ab1a85e6155be39fdf52

SHA512
f99759213660a06ed84b2e81ba0f12b779f919251e57dd7fef324a7769cfba4ab4ac488d2de3834bc8d3b522c8295e92ccc14805ac849807ae1117f1fcc11b5f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
7KB

MD5
cb92600cddec247cf32eacb9c1536be2

SHA1
bdd44de702d62bb7d33095816b56aa6d88215c46

SHA256
3ae87f59b9f3e1559a20aa927c166af12a8825f5df51c3c4806b0e8a0b98e0e6

SHA512
c7e7ab2d4e4e2b3f90a4aaef5c31f13bdd1d1602728c68ce1d38d68679c943d30a62f54bd91d6684c29a76017d23df426b10562235529e587fca69647ee21e1a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
6KB

MD5
c56ba76a2a8ccbb847a9d1dcd90fdadf

SHA1
045b5c44ce964b5f551719fd0be94a976683a7c9

SHA256
dcdb2ca85d3abacde5ef40f83c45144897de052988910e35e2e467ce2de77491

SHA512
e32c3a6e2dfee8d0770d13ccb73d71de93179d2976d39d0201ba4ea61d2c1f013ba32fc4c9a3b97270c042bc50fea3c5c2097ac84eafcb6eb73ec7de2e4e0d7b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs-1.js

Filesize
6KB

MD5
fcb2f697f5752e8c4b1944e55983f5f7

SHA1
2633dce07c0e089fc8a7fae790b0bce2af68aae2

SHA256
aa7adf7811836cb181ec41dad9c11a345c4cb718dc83a4136597eb5ec27859cb

SHA512
5e615b7f57e26cd9f21d5e2e9af66d6a741b622f4c7c78985a4591d90ed48a21526e9a14befea31706c831af027a2d84adfe3f157d0e3a82d1b1f13d34f2f5cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\prefs.js

Filesize
7KB

MD5
346600ea1510f8748e24611a5850b730

SHA1
404b28eded026f0a3d0887ebd1e16a94e098271e

SHA256
6ed0aab95201d1dde5b64a62288666d8224b240f3447b780b25de20d03d8222e

SHA512
6a770b45d4a5caf91fd5bd2b5cd912f337460e76521b03111e1e7e5b88acce1ac897c998da69343257fa507cbb9b48543f8d1c13444075521be9b85ff0a84bb9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
9ab7f66b8f94887c5cbe3a7c6d86971f

SHA1
9f2bb438a9db91b9f78f9175666586ca7a03719e

SHA256
36b5978154cb7791d4dd5dcf31fd4cc4598ec6ba1b60cc99be52b03ab40a0003

SHA512
b24b964efb5e23452cffa0016fc499c2d4b3f5fa7fd3674356329c2504cfd462252efafa0bcf2c3c24653b9448084afb06f271c2ae5d4b0fd0d0fcb1650b10f4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
0f1d14cc2475f7c77af8398f7060cd14

SHA1
aba1d6baeccf412a8626a1dcc124aa2cf5dfecec

SHA256
ec4597d0f5851605afdd7352ef494dbb1e90de41c325391066b13a5caa7b80bc

SHA512
09ef9c31b6cf06052001f7ab1817ea772d31853323542184b05432f81fec768fbc011140f0a3e1161452f45976a10dae1651c90b0bcf7e4074e4e43f8caa3fba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
81dc5e6b88cd77e0d10806c48f7f7ee6

SHA1
11e74f950989aa787d7b39c70e63b7aba4cd0dd0

SHA256
f029e7177267b03eefeb0fad22f46dfda4f3fef1fd975e1f6b3ceda4feaba206

SHA512
fcc57d2858e07a92fd4b6eebdc64351e53c5e668f0ee943c88c9540bba67719470459d9500b5b506d3426a3111744ae09d724b491a0a4ec0ab7f4ec923d9ac95

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
3KB

MD5
34278a27dc82e0f7c10727b86c56b774

SHA1
a5fdc0b7eb1e58bd069abc9ae79f9f9fb97d3ad6

SHA256
ea22a6af2ed63e04205e3fbb243ae338aeb9f2186ffda10ca7c05fcab46cc4de

SHA512
7872f30fd9f3fa8c911152570ba3cdfa5a04d386465dc2f0f9820a584498ccf9c126e686f146c4bdad4adb51e6af07340c732be2966d9e7d30599b19fd4aa8e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
496b12a4a931a951cd90d42a4d30aad0

SHA1
0744f0a5acb96c3b02b1109e40a63bf3387b9514

SHA256
07503bf4e37ddb8f129ffee7e67eacc57721fe8af13e8c3e4422a75d2fdc63d7

SHA512
30bb53dc9431c08c3b1624eb536e247fa5fad2ffbc0a42c667154bb75a9f52359d4d73490a6fdb472b6f83ee3c01cd9212f9fc28fa5afd81f50ea96da10d1a91

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
bdb8cc20cf4a811dee26ea0136bcc658

SHA1
373e580e6b5bd0633f3d888136fca7565dafd2a4

SHA256
8d966e32b63cd84160e7dbb095f7969bc49723bb0bf2b8a36862342fdb73c7cd

SHA512
b7faf3975514df79883e6cb0e2a75a6d90b626cbd492c5ec3d830e707328c0288dcdf40065d9f6c2e1b0e159e1be3e6f84bb3ee9dde22c7e3ed89f8fac7837aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
20ffe03d607e2e7483dee018223544a6

SHA1
95bd80cbd8069db528c70c5409603af14ccbbb29

SHA256
cb1b6db81bf5f668ad47f0e52cb13689fa868fe55692531242163a89ab082299

SHA512
036516c8b5327d18a0d519a20fb08c74b01034df062d710720c5f6a4eab8474bc42c1a6fe8f327167b6b03f66f70d3bbf25b9d651238e8bddf004175d2892639

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
10KB

MD5
cb4a7e518ce4119577b0d405eb2d20bb

SHA1
050c286e2ae7398e4b64181f536cd002fd7750a4

SHA256
03e3a2e0c424a69acd28895ff28dc678d7eacdafe81183cc0d372ebf04d58762

SHA512
b0acf7da62264f85fdf9ac685c5045636154b62c6332e5675fa9b28040fbd43d39cecf941e73182d6ed616446c5e42a98c09a7d39031d2507e3e6b81b5728a48

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
14KB

MD5
a77d606a709788c17b88a6d350b9f536

SHA1
1fd1dd3132a520d9a59a1a66386b1177b4a389f7

SHA256
ab69e88c27c1ac1cf8081f0551c59f961da8010eabcf6b550400a336e63ec431

SHA512
cf1dd31e49852b75a9f69402b7d5f5ef6148d97eae5ed5eb7cc5c8b8055987b1505db69e48d87b632f33ed1c5c45d43e085f47b75ee0bb655d4c5e3b393598c3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
184KB

MD5
367c65d71698ee08e330271bc49fafe0

SHA1
01411794334d677eef674f2803db8689cb9c65e4

SHA256
740d5eac8e9ca704a4627fe8eb86e5dd8be68a2a5f6fd8fa5ec3bf79306fb03e

SHA512
53bc19f4cc4a2944234c71634b8544f133363802478e5dad4b74cafa45a478ab45f8956f9f0df792aae627ee619355cdefed7685568da617d19fb676e48044b7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite

Filesize
192KB

MD5
943e35dc166875be5220d062ba5723ba

SHA1
4d79f1bc2db1cf96ccf56ffcdcf4a4cfa187bae3

SHA256
470a12306b3f17adb5f9a156b873f44d5bc0cf9b6cfc2a0087c91b2d7cde6ce6

SHA512
7714e75d85cc9ad72fd477b5e2a51d1ee4eae03224453fe5006eaba02f5ea917cbe11c4eacbdcab38160f3ad923ad2a9feb5a49a5b55a70f94217ccfcccf6334

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\targeting.snapshot.json

Filesize
4KB

MD5
64b7ffc00362cf2f800c39fddd8340a6

SHA1
3823de0cb63342a4e85bc4fbcdb2023f5fe39ebe

SHA256
11c630f0542bbace49482663a8a9b61f37877e80e9517a5ffcc781ba01cbfd6c

SHA512
42bcc88172892747673dc43901d249d6859ba3cf316756a872c0a4d1b074f911585cabdc99f061ff6ddf7abec4586b4da83bf9e31226d81b8cb86e6ef4fa25cd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5nwvfgbl.default-release\xulstore.json.tmp

Filesize
140B

MD5
3bf51021b2b3bfb568c29a9be95dc434

SHA1
227cdbae2aa6945a3be6ad10862a7b601a6fa875

SHA256
f8de6d894a698477219f6e798bed7f5d8d301500b218efb54b30844f910d32c9

SHA512
556cd2a4d061ac4eea3a100354031526a4663b30158fd2902390fb436cb835ea1342b9a67d478c5ee48a7d009c26f6fb73f815d0091d0c002d57ab69b7fcbd1b

Download Submit
C:\Users\Admin\AppData\Roaming\RustDesk\config\RustDesk_hwcodec.4524_ThreadId(20)_1737977970205600000

Filesize
365B

MD5
85124f3020fb3dcc36959b7bc6c2804d

SHA1
64cce4bac1d486ec421b699f54cda126870192f8

SHA256
99db1f1f9001e85f4515dbc0598b7958d6a9a70adec4626ca9e83688c2961498

SHA512
29082a9e3f0189d55588a17a0b960fd8badc10bfdfe830bfd36ce21ba52d78e0d80c9b8921e855ed7cf9413e78ddfbddf1350f9367d44d8232f036e952ece06a

Download Submit
C:\Users\Admin\Downloads\rustdesk-1.3.7-x86_64.exe

Filesize
21.2MB

MD5
61fc3180c35ccb5a8c965d141798a5d4

SHA1
e1975b359ee618d4334eabc743aa238943402754

SHA256
8ed553e0d84717feef9513159ac1b0bd07a88245b7e1285538459dded0921575

SHA512
ee3ef9315413bfbd92fef91f3951e5dac10831365b9e87421e1519ef4b7a95e49b68c7dc4a090e80dc4445c5486bc0954ea0a9c7c1e67a41e829e0fe84477278

Download Submit
C:\Users\DELL\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
1KB

MD5
a266bb7dcc38a562631361bbf61dd11b

SHA1
3b1efd3a66ea28b16697394703a72ca340a05bd5

SHA256
df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e

SHA512
0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

Download Submit
C:\Users\DELL\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

Filesize
242B

MD5
e08d0b2014de86aa77c5a54bec783eef

SHA1
4623f4e1590490f0a1fde9208225555b3909a60d

SHA256
9c180667ece51cc1f85e6ffee575d62eb97e3b466d51c57e584bfafd6b0f960c

SHA512
72dc5254f8b460e1e7297e07e1e7227a4dff19ccfab25e5bdb8c9ce3510530fa6a44de895ec5802fcff42abaf229e52989184826942ca9767ecaaeabfbadaee6

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\0e3bd68c-e71f-4a93-9efe-b409b2fc99d2.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\402177fb-bb8e-490a-8dfd-5bd74e47d567.tmp

Filesize
193KB

MD5
ef36a84ad2bc23f79d171c604b56de29

SHA1
38d6569cd30d096140e752db5d98d53cf304a8fc

SHA256
e9eecf02f444877e789d64c2290d6922bd42e2f2fe9c91a1381959acd3292831

SHA512
dbb28281f8fa86d9084a0c3b3cdb6007c68aa038d8c28fe9b69ac0c1be6dc2141ca1b2d6a444821e25ace8e92fb35c37c89f8bce5fee33d6937e48b2759fa8be

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Extension Scripts\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\_locales\en_CA\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.62.0_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
5a72a8bb1d601c1ad370f4bd16e18b2e

SHA1
d339c93dd9138be091e63374640cba1737ef5861

SHA256
18fb4a0799d7de29efce21fbbd01ed2f6fc604be14ac62bdf2c7245d4590f93f

SHA512
b5d7690dce960a8e0b62cfeecb01dc56c1546936bd9861afca7502e45d1ce979e31e0174f5a8156f51a3778c66de25bd4a2bcd10205c217ddf513f9749c70c68

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
54aaa4454f90fe122371072dcc82b83e

SHA1
a70654472de685fcef9e6e58be961ea282b1fec8

SHA256
1d2656234e85b17363f84c0d2befe83d75f61b60d9f6cf918802a8fb06526ed8

SHA512
4eef7a289f9a4fad4c9b277e60ced83f4899c54f9af517cdc2ed2e9cbf04c293484e9a881a63c696e8391d3d26731b66bb54f23a9dd9b29d17a81140634f1598

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
d6d130d1f271d1c9513d3527deac9377

SHA1
839c5b977c2cb944109cc72001c4c03c77b5670b

SHA256
4559834156a3d958b56064d1b2b4668d8d926f60eba2f90948b3561b35c2fb55

SHA512
ff332c75bde9bf0917a9e0dc63c8c0000ef542282d509462b9106ff0c9fa8ad0e9e0acd9c0a795400775424547b94b808d0c63f5eea738c91707e930d93b7de2

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
041044ba083cdb04820d4b998bbfe946

SHA1
c1dffc0180cb8bc3295846493d91a3894cdb4942

SHA256
48025c10fe90b5c27f10699b536cf096d023f8be8f63d969720563efe0f13413

SHA512
f14cd56523edde4b0123a99d13b6bc2f7efa2316e6a706445ff2cfcc465703a3e5a4a61232f9f7a7596a6464d9791875b4fec01a29e27dd0305c2f5e6665b845

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\CURRENT~RFf81c42a.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Default\b7792692-0422-4001-b239-a9742a28f117.tmp

Filesize
7KB

MD5
b606118d6a6dab43f9651a9509483952

SHA1
94eb7d4380f691b4ba1a56d24051fbbe263994c7

SHA256
1ceab7649740ee2ebf296785298dc286c768f8ca494ebc4d564cee8cf809b4bb

SHA512
b7ea7cbf4a056270bafb1eb441b3c7c9831c61e7fb3553292a430c50a3c2dc97fab7171aaf53a11e12b9c2e4b71db3e8cee486d37d118034b306e774db63fbc7

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\Local State

Filesize
181KB

MD5
8b88e9748b4f7b42bc235b3ed2247aa4

SHA1
08aa164b0f7993f73835737451d10413d4f9aef3

SHA256
7153951f062c0fe04c5643924de89d696d8b4e498f7a387568a2bb259dc82c82

SHA512
afa7e00fd16772a4ce769d4ff9871e8f9d97eb62fc5973571e3f88c1558927beb651034e88db4054e31912712c9218eeb9280c7d675a90d21e6ae14189ce1fc9

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\ShaderCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\ShaderCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\DELL\AppData\Local\Google\Chrome\User Data\ShaderCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\DELL\AppData\Local\Microsoft\Feeds\Feeds for United States~\USA~dgov Updates~c News and Features~.feed-ms

Filesize
28KB

MD5
f743799a37a764e796742daa6e800e8d

SHA1
c2b96531da60024b7f66089f3279aae79785737a

SHA256
8b63f05a130492e5bef5cc07cedf3f63883f5a9076301863cd022601c0a8bd35

SHA512
4be6ad5d547a4cc0a990a5465016d6e8cb65e113e5e17bc818915e1b5d5a916ca4b2b8a3c1ce78a40e6d899dae5cb6593fc83fa383aaa9e4c453163e0626f51d

Download Submit
C:\Users\DELL\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
bb826fd7ff1dafd29d2dc0f42d427fd2

SHA1
902c3388741f0cd12a80f4476094bc997aba9610

SHA256
8c7331ab311229a9e3fd2860442249a3a812669c0ace191511ea2a781523740b

SHA512
6c92fe2f621752528fac990737ac0cd775a5259b7b582975c0f844b62fa8dcf35f40cd6dadf9a166391a49f1fbb09ed23b64e4a130f617823d95aa07ede9af02

Download Submit
C:\Users\DELL\AppData\Local\Microsoft\Windows Mail\edb.log

Filesize
2.0MB

MD5
ded8403d4eafc510ba99763cf6a8d432

SHA1
e7ea5d7527b9e7b2dc19bf0bbeb2858d8f4b51ea

SHA256
5fc8d1748fcb4ebfd60d848ce0071d9f2c8d98c1089b0d769c2de0794bc4c76c

SHA512
0ddb898c72d17efa97aa9bf128e144db9249a147e8a7aadd656326add3ea0a55554eec4af3afde8f231a0ff8195c35083407119d3c629611fa43384bf863eb4b

Download Submit
C:\Users\DELL\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\DELL\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini

Filesize
174B

MD5
e0fd7e6b4853592ac9ac73df9d83783f

SHA1
2834e77dfa1269ddad948b87d88887e84179594a

SHA256
feea416e5e5c8aa81416b81fb25132d1c18b010b02663a253338dbdfb066e122

SHA512
289de77ffbe328388ad080129b7460712985d42076e78a3a545124881c30f564c5ef8fb4024d98903d88a6a187c60431a600f6ecbbe2888ee69e40a67ce77b55

Download Submit
C:\Users\DELL\AppData\Local\Temp\47eea53b-4de4-476d-9719-234d8adb92dc.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\DELL\AppData\Local\Temp\RGI8D43.tmp

Filesize
24KB

MD5
3006752a2bcfeda0f75d551ea656b2ef

SHA1
b7198fc772be6d6261ed4e76aca3998e8f7a7bdb

SHA256
dfd64231860c732dced3dc78627a7844a08d5d3e4cd253fd81186bae33cc368a

SHA512
3fcfa7c8f46220852dc7efef5b29caba86825d0461a35559f26dbb2540c487b92059713f42fe1082a00a711d83216db012835673e1c54120ffa079e154950854

Download Submit
C:\Users\DELL\AppData\Local\Temp\RGI8D95.tmp

Filesize
3KB

MD5
a828b8c496779bdb61fce06ba0d57c39

SHA1
2c0c1f9bc98e29bf7df8117be2acaf9fd6640eda

SHA256
c952f470a428d5d61ed52fb05c0143258687081e1ad13cfe6ff58037b375364d

SHA512
effc846e66548bd914ad530e9074afbd104fea885237e9b0f0f566bd535996041ec49fb97f4c326d12d9c896390b0e76c019b3ace5ffeb29d71d1b48e83cbaea

Download Submit
C:\Users\DELL\AppData\Local\Temp\scoped_dir5596_310455095\CRX_INSTALL\_locales\en_CA\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
C:\Users\DELL\AppData\Local\Temp\scoped_dir5596_310455095\d4b2b409-18a6-436c-81d6-df604630a83f.tmp

Filesize
88KB

MD5
2cc86b681f2cd1d9f095584fd3153a61

SHA1
2a0ac7262fb88908a453bc125c5c3fc72b8d490e

SHA256
d412fbbeb84e2a6882b2f0267b058f2ceb97f501e440fe3f9f70fac5c2277b9c

SHA512
14ba32c3cd5b1faf100d06f78981deebbbb673299a355b6eaec88e6cb5543725242c850235a541afa8abba4a609bb2ec26e4a0526c6b198016b08d8af868b986

Download Submit
C:\Users\DELL\AppData\Local\Temp\www8F1C.tmp

Filesize
206B

MD5
c2858b664c882dcce6042c40041f6108

SHA1
52eeaa0c7b9d17a8f56217f2ac912ba8fdc5041a

SHA256
b4a6fb97b5e3f87bcd9fae49a9174e3f5b230a37767d7a70bf33d151702eff91

SHA512
51522e67f426ba96495be5e7f8346e6bb32233a59810df2a3712ecd754a2b5d54d0049c8ea374bd4d20629500c3f68f40e4845f6bb236d6cca7d00da589b2260

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Internet Explorer.lnk

Filesize
1KB

MD5
82572c988fb62293a09b26fb8c1469e6

SHA1
670c26d3ad95b3af623b99edfdd9ac8cabc4d1d5

SHA256
dc1c6275ed043ce20261a22873371c49c1ea460ca1bc21735f6cf386ae08e5a8

SHA512
7c262ca4b474e8fe94d86ba078024bf4463069b33ea4c9151a2dc775792641d08b72b270663e627fdf6ab82f8a38c687cebc275ab90dbbb38584e496f28896d7

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Explorer.lnk

Filesize
1KB

MD5
47b2e1c4ddd5fa161f4e7314222d7a29

SHA1
f8e0a57ad324aa0ce6eafcbee54361cfc3fac7a4

SHA256
20b9ba1869ed5d109962522c7c9a09e2675c457edd780f3723d33f9b40475772

SHA512
07c8e9fcc6441c45540ced17802aea9fc84197733cc13af77516813c3beb346ae2748445ae99318309cbdc2da8e69e622dd91e658b7e9ba27d424eae6f5acf1b

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\Windows Media Player.lnk

Filesize
1KB

MD5
a187bf07b37b7672c63603d06fd6d2cc

SHA1
594d50cc43d7d882c1fcd60ae4b1f55d26bfb28e

SHA256
2577fead4a5e5ea58ff040b49611e63ca8215d5baee3e9f05a3e5abc47b2a241

SHA512
3faf9673233b6db85459df9309c75fb8e3106ee1c0550ad269c98c3533020f0f7ef28ac7a4809890b92f1eb6d5fc54bf2c2c2aca64f673627a85d289f3c045cf

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

Filesize
82B

MD5
1c61dc21f9b83172d65be1e94b79026f

SHA1
7324473ddda64b87c299bf6e3b9e9aff53f7fd74

SHA256
8e920d7893b682a049f6a5097f880d915dc2d7bf8bc87ae558cd7f14466d5d1b

SHA512
9660cde4d7606826c2fb6623460a2a286339970256e677c8abf8189fd1d58e0284c024bbf5c0bf539189dafa3e8d5269c1e0f7e3717891f2ae4771634731bbd8

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

Filesize
146B

MD5
9a1b13fd914dd7054b83bc1760c99ab8

SHA1
340c37602b11cd3cb9ae681d09bfc4c81f733742

SHA256
7f0a9cc0be951d60d6c8e60d1a612bfa65fa390020d7c0c80f212ba2a47a4aa3

SHA512
50d48a348c71fb9e89ab01e59fe599b692a1701f19d2c9de6ae09678e0a44ba95020b1989f9c776edcacacc5f2b2b348b0f31aa28c04850e69e47cda6dcaf88e

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini

Filesize
211B

MD5
e5a8eb64419f6d85a1b7aed2152616c2

SHA1
f5d94f8953bb235e35fccec0ea4f14ba69443081

SHA256
5266b08d0c1bf229ec5eafdb6dae2a4849b6b394694d34033453cf8a379725a7

SHA512
7c304bc842c81d3b5cff745d34b038a2a867063c65e502f4155439ba0642e8b0643f9b7254f74e85d5b150c134836b9e398a0dcb192550d97dfd431c3d93f1f6

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

Filesize
3KB

MD5
e29515d72081183b7f6e605b5b58e81c

SHA1
3b46121dc44ba3c77d58c53c41f8fa79bcd86b52

SHA256
9b28cf46a7f43e33b8664fa96364c0e83d87cb0ab2e839542d44f834af8112ab

SHA512
cb28a09c7c8c9a22775f6e768a4de6c7cbc41b63608298d7956c824eecac37f3dde97a04f71ad9ec23aa6ded68cbe46655e54bb6c0ae55a1dad7fffeb2ca73ee

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Documents.library-ms

Filesize
3KB

MD5
50b9e0aae06cafbb82f51ec0dcaa4848

SHA1
746122e9869a1d4d0466c150256780c10c1f2b3c

SHA256
de6b1bcec166ff8bb4b44ee0499dbe809e6080a108adf38cf45e8ee2a38724aa

SHA512
544f37b116e4c589f93d6086ae5ca91e6c8c0c1c936926f96df42febedea924d226d220d32e9f73efe27f936d31aeff288ce7e285f509c22e6a7389c8b0002a1

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

Filesize
3KB

MD5
2bca77ceb2b2930dc299d26656fe658d

SHA1
99352ecc05c1b78a5c32719b5facf222b8e4cbcb

SHA256
d45f93014b2f430dc9f15829ec8895177a35d8aef442b0d58985c07f03efc067

SHA512
187909fe5a5ef0fad0483f8ded7834574dfd2d33607ddcc3e99ee829b49bbe0c844a3fa7efa3bc4a7ba10b517bba82cdb0c9e1bbd33ec2bffc20c6cb1a420a1a

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Music.library-ms

Filesize
3KB

MD5
bb14d4d0df5770dcf6db7ccecfd44e60

SHA1
abfcca5dadff6e60278fef29a61f3f825f48ee9e

SHA256
1af1b0e7ba2d90c4e47172394208d9ee257d88d98761d2e52e6bea868e960834

SHA512
fb9775a41560e50f2ef535d7dc03fc73ef1f7f3061a96e2bca7f30feffc3f350a5b130f9ccb3e53797cce43e574a0dff9406ef39db0cd28f29e0bc657472535a

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

Filesize
3KB

MD5
de7379971743ed7ca192076f9ddba04c

SHA1
065e4a6265e5b0ec4621f69b1fbbe9ce32f52ac8

SHA256
252d541b0f77e721ccebe6fed590ce092e8e0146889b3929bf71468b84bd697a

SHA512
56170cfc2ebbeae1dcea28e214e4ed86b3fa7ee8efc82146b9e375e1c52d0fb4755568c807284f9d5c404972cbe2db06ae7576509840dce56a080995920b3ba6

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Pictures.library-ms

Filesize
3KB

MD5
90de029bd4f11afb7b2c0021bab31259

SHA1
efba38180343f03d6343f078356973e66f8c6b3d

SHA256
c35e29421171335f3c67b6b4e2f915f58031a9a976db5df842540d925fda1104

SHA512
2a6a2561cbbd0649e047b5847de0ef1042fccb92d5afe884cf6b6102ae2b5bb8cd51d5c0993d86520f2c767341ac1574f821668dc09f96e4b0ad2a2bdd614097

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

Filesize
3KB

MD5
74b278b909cddc369c98a9ec3d37c5a9

SHA1
4c2d58a66801bca4b1404bf94cb50b71f4f0c6ac

SHA256
9c3d7e1094dcafb3c323a3ff112e7fc864f1aeebfea012fa25f6f5060003579f

SHA512
97736f95e273f978a41136ea7e48e211bff166a22763aa360df1871cffe57bc2f19a2ce7a57207885b7072655f2102e57e99b3cb5dc8d00a8a5d17a54b0cd756

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\Videos.library-ms

Filesize
3KB

MD5
ff080ec4b347f6f4049e5829e237985d

SHA1
5ad9f695ab2cca48ecc547ae87a00439c4e88088

SHA256
0877fefadd8bac6c7e217369d090ff38547ff28970822568a603fc14f04c902c

SHA512
a75ee3937625ee532221c7a7d45fa25b60c4ddbcc11611e82b8c608302844002d66bca55494662cb50e5aeeefc3784b7590e8f8fb33f1ee7481e1c3a68678497

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

Filesize
151B

MD5
0ff56a4620c3221ff64ec61a3a0d3033

SHA1
3a45320be12b585dcdc5ab2af5ea1455b2c919a1

SHA256
0b0a65accca705494739d03b6c2ea769c78cd0eee996bc95b0c6ebc0941f4b1a

SHA512
962a340efeb6d18c85e5872997eebb83374e114be088689690ba438f0db8e2e4df6c24713a35cfaec518f58d5322cf9617638ea55ff279a9d161c4fdf9af74f6

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

Filesize
213B

MD5
5547a64ee3681b1fca07111e73dcc51a

SHA1
0b16a54ccb7c0284df649594e006ca96e07ac296

SHA256
c6a3db953cc63f23aa5ff66de5fc6b483f6a1106cf1f77cbd73617b2c4340e0e

SHA512
21a6b9b2c578ea8d0bfb22c1b37b0dde47395ec958fa5c73eafeb8b865080db132e565c7e8ce2ab1d2e934f414e23b820f3ff3571a7d737453f3ace76d11cc25

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini

Filesize
274B

MD5
453249f95d75eb5e450eb91fa755e1c8

SHA1
3e200e187e8cd21d3d1976ea0f7356626254de18

SHA256
01bef150c18e377a57843965d55f18f0b5cb3fa867c5ab30f1e67eacd6ece48a

SHA512
6125ffc1ab457bc1ba957c78c2a89ca54060c1969c4a981acf71025a1d79760159816d5fc36e351429de3bb5820e755b9bc22386f3d6892bfdf3da67d86f157c

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5afe4de1b92fc382.customDestinations-ms

Filesize
15KB

MD5
c42580052c133eab43078f8c53077dae

SHA1
941b077281e377a532524a1e673c4cc63a2b8609

SHA256
45175b3971a755572e181f0691171d0557c5c1f1cf4667229f12af2e2a643749

SHA512
623532720f5a1fa3e96fb33ab60fb41c43a6c4e37ea044540d4e05c3f7efc83f2b97a4b81f35610847e101b1c4d6e51935031e459f98ebb35a768f61b8999436

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini

Filesize
432B

MD5
f107d0270e21a2fe91099fdc15918d44

SHA1
dabc2f24f4a4e90053743166e5c4175dcf2b2d2d

SHA256
eb315c9d165b4916e3b00e4d148b53a6c03a2f0694a6a8821d98e76f935ca6a8

SHA512
b5d51c0d6abe99121d4f4f1d236def4260b7d5c26c501d7735eba4f58e2597db0e89b2b1df16545e49fc39649806e5305efb912328541bdd31c01ff3d2bda49c

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini

Filesize
174B

MD5
548b310fbc7a26d0b9da3a9f2d604a0c

SHA1
1e20c38b721dff06faa8aa69a69e616c228736c1

SHA256
be49aff1e82fddfc2ab9dfffcb7e7be100800e3653fd1d12b6f8fa6a0957fcac

SHA512
fa5bb7ba547a370160828fe720e6021e7e3a6f3a0ce783d81071292739cef6cac418c4bc57b377b987e69d5f633c2bd97a71b7957338472c67756a02434d89f1

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini

Filesize
174B

MD5
7f1698bab066b764a314a589d338daae

SHA1
524abe4db03afef220a2cc96bf0428fd1b704342

SHA256
cdb11958506a5ba5478e22ed472fa3ae422fe9916d674f290207e1fc29ae5a76

SHA512
4f94ad0fe3df00838b288a0ef4c12d37e175c37cbf306bdb1336ff44d0e4d126cd545c636642c0e88d8c6b8258dc138a495f4d025b662f40a9977d409d6b5719

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

Filesize
174B

MD5
17d5d0735deaa1fb4b41a7c406763c0a

SHA1
584e4be752bb0f1f01e1088000fdb80f88c6cae0

SHA256
768b6fde6149d9ebbed1e339a72e8cc8c535e5c61d7c82752f7dff50923b7aed

SHA512
a521e578903f33f9f4c3ebb51b6baa52c69435cb1f9cb2ce9db315a23d53345de4a75668096b14af83a867abc79e0afa1b12f719294ebba94da6ad1effc8b0a3

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini

Filesize
338B

MD5
e4e50dfa455b2cbe356dffdf7aa1fcaf

SHA1
c58be9d954b5e2dd0e5efa23a0a3d95ab8119205

SHA256
9284bd835c20f5da3f76bc1d8c591f970a74e62a7925422858e5b9fbec08b927

SHA512
bef1fad5d4b97a65fec8c350fe663a443bc3f7406c12184c79068f9a635f13f9127f89c893e7a807f1258b45c84c1a4fc98f6bd6902f7b72b02b6ffbc7e37169

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini

Filesize
174B

MD5
a2d31a04bc38eeac22fca3e30508ba47

SHA1
9b7c7a42c831fcd77e77ade6d3d6f033f76893d2

SHA256
8e00a24ae458effe00a55344f7f34189b4594613284745ff7d406856a196c531

SHA512
ed8233d515d44f79431bb61a4df7d09f44d33ac09279d4a0028d11319d1f82fc923ebbc6c2d76ca6f48c0a90b6080aa2ea91ff043690cc1e3a15576cf62a39a6

Download Submit
C:\Users\DELL\AppData\Roaming\Microsoft\Windows\Themes\TranscodedWallpaper.jpg

Filesize
627KB

MD5
da288dceaafd7c97f1b09c594eac7868

SHA1
b433a6157cc21fc3258495928cd0ef4b487f99d3

SHA256
6ea9f8468c76aa511a5b3cfc36fb212b86e7abd377f147042d2f25572bf206a2

SHA512
9af8cb65ed6a46d4b3d673cea40809719772a7aaf4a165598dc850cd65afb6b156af1948aab80487404bb502a34bc2cce15c502c6526df2427756e2338626062

Download Submit
C:\Users\DELL\AppData\Roaming\RustDesk\config\RustDesk.toml

Filesize
145B

MD5
7181211114f58abeec3e54d5387d4a2e

SHA1
ff89b5ec020d3e0b4c7f6ecc497b3291c1698f86

SHA256
8d285f7a85da548d79219598a57648f7d9a8cf706f2049d25270df231c76aebe

SHA512
b85a8e8b39ca22ac6f60a8fda43a2382090192026a5bd7d5da0241f7926a5bdc87b479e5cb6ed6f255e6afcc4a6a43f88f71a2bd88b18a0187e0f768681c3124

Download Submit
C:\Users\DELL\Contacts\desktop.ini

Filesize
412B

MD5
449f2e76e519890a212814d96ce67d64

SHA1
a316a38e1a8325bef6f68f18bc967b9aaa8b6ebd

SHA256
48a6703a09f1197ee85208d5821032b77d20b3368c6b4de890c44fb482149cf7

SHA512
c66521ed261dcbcc9062a81d4f19070216c6335d365bac96b64d3f6be73cd44cbfbd6f3441be606616d13017a8ab3c0e7a25d0caa211596e97a9f7f16681b738

Download Submit
C:\Users\DELL\Desktop\desktop.ini

Filesize
282B

MD5
9e36cc3537ee9ee1e3b10fa4e761045b

SHA1
7726f55012e1e26cc762c9982e7c6c54ca7bb303

SHA256
4b9d687ac625690fd026ed4b236dad1cac90ef69e7ad256cc42766a065b50026

SHA512
5f92493c533d3add10b4ce2a364624817ebd10e32daa45ee16593e913073602db5e339430a3f7d2c44abf250e96ca4e679f1f09f8ca807d58a47cf3d5c9c3790

Download Submit
C:\Users\DELL\Documents\desktop.ini

Filesize
402B

MD5
ecf88f261853fe08d58e2e903220da14

SHA1
f72807a9e081906654ae196605e681d5938a2e6c

SHA256
cafec240d998e4b6e92ad1329cd417e8e9cbd73157488889fd93a542de4a4844

SHA512
82c1c3dd163fbf7111c7ef5043b009dafc320c0c5e088dec16c835352c5ffb7d03c5829f65a9ff1dc357bae97e8d2f9c3fc1e531fe193e84811fb8c62888a36b

Download Submit
C:\Users\DELL\Downloads\desktop.ini

Filesize
282B

MD5
3a37312509712d4e12d27240137ff377

SHA1
30ced927e23b584725cf16351394175a6d2a9577

SHA256
b029393ea7b7cf644fb1c9f984f57c1980077562ee2e15d0ffd049c4c48098d3

SHA512
dbb9abe70f8a781d141a71651a62a3a743c71a75a8305e9d23af92f7307fb639dc4a85499115885e2a781b040cbb7613f582544c2d6de521e588531e9c294b05

Download Submit
C:\Users\DELL\Favorites\Links\Web Slice Gallery.url

Filesize
134B

MD5
873c8643cbbfb8ff63731bc25ac9b18c

SHA1
043cbc1b31b9988d8041c3d01f71ce3393911f69

SHA256
c4ad21379c11da7943c605eadb22f6fc6f54b49783466f8c1f3ad371eb167466

SHA512
356b13b22b7b1717ded0ae1272b07f1839184e839132f3ab891b5d84421e375d4fc45158c291b46a933254f463c52d92574ce6b15c1402dfb00ee5d0a74c9943

Download Submit
C:\Users\DELL\Favorites\desktop.ini

Filesize
402B

MD5
881dfac93652edb0a8228029ba92d0f5

SHA1
5b317253a63fecb167bf07befa05c5ed09c4ccea

SHA256
a45e345556901cd98b9bf8700b2a263f1da2b2e53dbdf69b9e6cfab6e0bd3464

SHA512
592b24deb837d6b82c692da781b8a69d9fa20bbaa3041d6c651839e72f45ac075a86cb967ea2df08fa0635ae28d6064a900f5d15180b9037bb8ba02f9e8e1810

Download Submit
C:\Users\DELL\Links\desktop.ini

Filesize
282B

MD5
98470d9bd7fba55a0c303065f9c4f9be

SHA1
5303b190e29ba48332f7c90a832ef08af5a1953d

SHA256
3830022d5d7ef2ae2ca0a2b6ad73f0d4716b49bf7eeeaa87b618988d531b7c72

SHA512
134e072c3600bbb3c724c2700da399a14ba5b907153969362b3dbff32c480d39e7f5ecceebc9122a5a27265410557a16eb6bf82c9b635b90ef1fa0ae9efb849c

Download Submit
C:\Users\DELL\Links\desktop.ini

Filesize
580B

MD5
de8858093993987d123060097a2bad66

SHA1
0a89e87ba46538cb73aff1a47e4dc0bcfb4760d5

SHA256
4c0d757717dec80eca8c6cbbfdda4706eb38fbbb7624933d5429dafc7bb9f0ec

SHA512
fa348ac4025b599f460cb831338ce010dde8fba87587a6d078d6d594a30fee87ed112e412078c10604553f326cc7bd7627ae93b0e3d8a60cfeda0720cad29f4c

Download Submit
C:\Users\DELL\Music\desktop.ini

Filesize
504B

MD5
06e8f7e6ddd666dbd323f7d9210f91ae

SHA1
883ae527ee83ed9346cd82c33dfc0eb97298dc14

SHA256
8301e344371b0753d547b429c5fe513908b1c9813144f08549563ac7f4d7da68

SHA512
f7646f8dcd37019623d5540ad8e41cb285bcc04666391258dbf4c42873c4de46977a4939b091404d8d86f367cc31e36338757a776a632c7b5bf1c6f28e59ad98

Download Submit
C:\Users\DELL\Pictures\desktop.ini

Filesize
504B

MD5
29eae335b77f438e05594d86a6ca22ff

SHA1
d62ccc830c249de6b6532381b4c16a5f17f95d89

SHA256
88856962cef670c087eda4e07d8f78465beeabb6143b96bd90f884a80af925b4

SHA512
5d2d05403b39675b9a751c8eed4f86be58cb12431afec56946581cb116b9ae1014ab9334082740be5b4de4a25e190fe76de071ef1b9074186781477919eb3c17

Download Submit
C:\Users\DELL\Saved Games\desktop.ini

Filesize
282B

MD5
b441cf59b5a64f74ac3bed45be9fadfc

SHA1
3da72a52e451a26ca9a35611fa8716044a7c0bbc

SHA256
e6fdf8ed07b19b2a3b8eff05de7bc71152c85b377b9226f126dc54b58b930311

SHA512
fdc26609a674d36f5307fa3f1c212da1f87a5c4cd463d861ce1bd2e614533f07d943510abed0c2edeb07a55f1dccff37db7e1f5456705372d5da8e12d83f0bb3

Download Submit
C:\Users\DELL\Searches\desktop.ini

Filesize
524B

MD5
089d48a11bff0df720f1079f5dc58a83

SHA1
88f1c647378b5b22ebadb465dc80fcfd9e7b97c9

SHA256
a9e8ad0792b546a4a8ce49eda82b327ad9581141312efec3ac6f2d3ad5a05f17

SHA512
f0284a3cc46e9c23af22fec44ac7bbde0b72f5338260c402564242c3dd244f8f8ca71dd6ceabf6a2b539cacc85a204d9495f43c74f6876317ee8e808d4a60ed8

Download Submit
C:\Users\DELL\Videos\desktop.ini

Filesize
504B

MD5
50a956778107a4272aae83c86ece77cb

SHA1
10bce7ea45077c0baab055e0602eef787dba735e

SHA256
b287b639f6edd612f414caf000c12ba0555adb3a2643230cbdd5af4053284978

SHA512
d1df6bdc871cacbc776ac8152a76e331d2f1d905a50d9d358c7bf9ed7c5cbb510c9d52d6958b071e5bcba7c5117fc8f9729fe51724e82cc45f6b7b5afe5ed51a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-1846800975-3917212583-2893086201-1001\desktop.ini

Filesize
129B

MD5
a526b9e7c716b3489d8cc062fbce4005

SHA1
2df502a944ff721241be20a9e449d2acd07e0312

SHA256
e1b9ce9b57957b1a0607a72a057d6b7a9b34ea60f3f8aa8f38a3af979bd23066

SHA512
d83d4c656c96c3d1809ad06ce78fa09a77781461c99109e4b81d1a186fc533a7e72d65a4cb7edf689eeccda8f687a13d3276f1111a1e72f7c3cd92a49bce0f88

Download Submit
memory/1148-2231-0x0000000002C40000-0x0000000002C5E000-memory.dmp

Filesize
120KB

Download
memory/1148-2232-0x000000001D9A0000-0x000000001DCE6000-memory.dmp

Filesize
3.3MB

Download
memory/1864-2086-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2085-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2091-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2090-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2099-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2089-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2106-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2074-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2087-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2075-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2098-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2108-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/1864-2088-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2192-244-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-625-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-10-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-593-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-266-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-432-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-417-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-659-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-197-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2192-424-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-594-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-267-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-425-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-16-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-198-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2376-418-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-263-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-196-0x0000000000C74000-0x0000000001D76000-memory.dmp

Filesize
17.0MB

Download
memory/2408-360-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-2-0x0000000000C74000-0x0000000001D76000-memory.dmp

Filesize
17.0MB

Download
memory/2408-4-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-0-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-2605-0x0000000000C74000-0x0000000001D76000-memory.dmp

Filesize
17.0MB

Download
memory/2408-243-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-202-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-2606-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-422-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2408-195-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2784-427-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2784-423-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2784-361-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2784-557-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download
memory/2784-431-0x0000000000C70000-0x00000000022B2000-memory.dmp

Filesize
22.3MB

Download