AnyDesk.exe

General

Target: AnyDesk.exe
Filesize: 262KB
Completed: 05-01-2021 05:10
Score: 10/10
MD5: 53e7b9e873404afdd22cdeba41b4e1c9
SHA1: 18b1a19f826e9d48d5776f6e3c279547f3ff517d
SHA256: c34d0660da24b48480de58aaa394bd27f5a5b1ed9249d897ca4dde70312a87ec

Malware Config

Extracted

Path: C:\Users\Admin\AppData\Local\Temp\readme-warning.txt
Family: makop
Ransom Note:
::: Greetings ::: Little FAQ: .1. Q: Whats Happen? A: Your files have been encrypted and now have the "moloch" extension. The file structure was not damaged, we did everything possible so that this could not happen. .2. Q: How to recover files? A: If you wish to decrypt your files you will need to pay in bitcoins. .3. Q: What about guarantees? A: Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will cooperate with us. Its not in our interests. To check the ability of returning files, you can send to us any 2 files with SIMPLE extensions(jpg,xls,doc, etc... not databases!) and low sizes(max 1 mb), we will decrypt them and send back to you. That is our guarantee. .4. Q: How to contact with you? A: You can write us to our mailbox: moloch_helpdesk@tutanota.com or moloch_helpdesk@protonmail.ch .5. Q: How will the decryption process proceed after payment? A: After payment we will send to you our scanner-decoder program and detailed instructions for use. With this program you will be able to decrypt all your encrypted files. .6. Q: If I don't want to pay bad people like you? A: If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause only we have the private key. In practice - time is much more valuable than money. :::BEWARE::: DON'T try to change encrypted files by yourself! If you will try to use any third party software for restoring your data or antivirus solutions - please make a backup for all encrypted files! Any changes in encrypted files may entail damage of the private key and, as result, the loss all data.
Emails

moloch_helpdesk@tutanota.com

moloch_helpdesk@protonmail.ch

Signatures 27

Tactics: Collection, Credential Access, Defense Evasion, Discovery, Execution, Impact, Persistence
  • Makop

    Description

    Ransomware family discovered by @VK_Intel in early 2020.

  • Suspicious use of NtCreateUserProcessOtherParentProcess
    svchost.exe

    Reported IOCs

    description | pid | process | target process
    PID 2220 created 948 | 2220 | svchost.exe | AnyDesk.exe
  • Deletes shadow copies

    Description

    Ransomware often targets backup files to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery
  • Deletes backup catalog
    wbadmin.exe

    Description

    Uses wbadmin.exe to inhibit system recovery.

    TTPs

    Command-Line Interface, File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    2148 | wbadmin.exe
  • Modifies Installed Components in the registry

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry
  • Modifies extensions of user files
    AnyDesk.exe

    Description

    Ransomware generally changes the extension on encrypted files.

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Users\Admin\Pictures\FindResize.tiff | AnyDesk.exe
    File opened for modification | C:\Users\Admin\Pictures\PushDisable.tiff | AnyDesk.exe
  • Loads dropped DLL
    AnyDesk.exe, AnyDesk.exe

    Reported IOCs

    pid | process
    648 | AnyDesk.exe
    1520 | AnyDesk.exe
  • Reads user/profile data of web browsers

    Description

    Infostealers often target stored browser data, which can include saved credentials etc.

    TTPs

    Data from Local System, Credentials in Files
  • Adds Run key to start application
    AnyDesk.exe

    TTPs

    Registry Run Keys / Startup Folder, Modify Registry

    Reported IOCs

    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows\CurrentVersion\Run\1 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\AnyDesk.exe\"" | AnyDesk.exe
  • Enumerates connected drives
    explorer.exe

    Description

    Attempts to read the root path of hard drives other than the default C: drive.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    File opened (read-only) | \??\D: | explorer.exe
  • Legitimate hosting services abused for malware hosting/C2

    TTPs

    Web Service
  • Suspicious use of SetThreadContext
    AnyDesk.exe, AnyDesk.exe

    Reported IOCs

    description | pid | process | target process
    PID 648 set thread context of 948 | 648 | AnyDesk.exe | AnyDesk.exe
    PID 1520 set thread context of 2544 | 1520 | AnyDesk.exe | AnyDesk.exe
  • Drops file in Program Files directory
    AnyDesk.exe

    Reported IOCs

    description | ioc | process
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_1d.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\13h.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\contrast-white\SmallTile.scale-100.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\AppList.targetsize-16_altform-unplated.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\manifestAssets\contrast-black\StoreLogo.scale-100.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Fues\Background.html | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxA-Advanced-Light.scale-100.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-black\HxAccountsSplashLogo.scale-100.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\SecondaryTiles\Home\SmallTile.scale-100.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\sk-sk\ui-strings.js | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\selector.js | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\VisioStdVL_KMS_Client-ppd.xrm-ms | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\beer.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\images\themeless\add-comment.png | AnyDesk.exe
    File created | C:\Program Files\Microsoft Office\root\Office16\ODBC Drivers\Salesforce\lib\LibCurl64.DllA\OpenSSL64.DllA\readme-warning.txt | AnyDesk.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsMaps_5.1611.10393.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\MapsAppList.targetsize-256_altform-unplated_contrast-white.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\selector.js | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdCO365R_Subscription-pl.xrm-ms | AnyDesk.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\de-de\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.OneConnect_2.1701.277.0_neutral_split.scale-100_8wekyb3d8bbwe\Assets\contrast-black\OneConnectStoreLogo.scale-100.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\small\brokenheart.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\exportpdfupsell-app\js\nls\zh-tw\ui-strings.js | AnyDesk.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\ob-preview\js\nls\ru-ru\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000018\cardview\lib\native-common\assets\cardview-warning@4x.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\82.png | AnyDesk.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\fi-fi\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Jumbo\mask\12c.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\OneNoteSectionGroupLargeTile.scale-400.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Assets\contrast-white\DashboardDefaultThumbnail.png | AnyDesk.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\root\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Send2.16.White.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\AppxManifest.xml | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\small\tk_16x11.png | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\fss\js\nls\zh-cn\ui-strings.js | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\pl-pl\ui-strings.js | AnyDesk.exe
    File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\css\main.css | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jdk1.8.0_66\jre\lib\ext\jaccess.jar | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdR_Retail-ul-phn.xrm-ms | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\vfs\ProgramFilesCommonX64\Microsoft Shared\THEMES16\BLUECALM\BLUECALM.INF | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.3DBuilder_13.0.10349.0_x64__8wekyb3d8bbwe\Common\ReadMe.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.ZuneVideo_10.16112.11601.0_x64__8wekyb3d8bbwe\Assets\FileExtension.targetsize-24.png | AnyDesk.exe
    File opened for modification | C:\Program Files\Java\jre1.8.0_66\lib\security\US_export_policy.jar | AnyDesk.exe
    File created | C:\Program Files\Microsoft Office\root\Office16\Library\Analysis\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\WeatherIcons\30x30\186.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsAlarms_10.1702.333.0_x64__8wekyb3d8bbwe\Assets\AlarmsAppList.targetsize-72.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxMailBadge.scale-100.png | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Licenses16\ProjectStd2019VL_KMS_Client_AE-ul.xrm-ms | AnyDesk.exe
    File created | C:\Program Files\VideoLAN\VLC\locale\es\LC_MESSAGES\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Assets\highfive.scale-200.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\microsoft.windowscommunicationsapps_17.7906.42257.0_x64__8wekyb3d8bbwe\images\contrast-white\HxCalendarLargeTile.scale-200.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.WindowsStore_11701.1001.87.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\StoreBadgeLogo.scale-200.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.XboxApp_25.25.13009.0_x64__8wekyb3d8bbwe\Assets\AchievementUnlocked.mp3 | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\ThemePreview\Themes\beach.mobile.jpg | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.MicrosoftSolitaireCollection_3.14.1181.0_x64__8wekyb3d8bbwe\Assets\Themes\Autumn\autumn_1h.png | AnyDesk.exe
    File opened for modification | C:\Program Files\Microsoft Office\root\Office16\1033\MSO.ACL | AnyDesk.exe
    File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\fr-fr\readme-warning.txt | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\images\contrast-white\OneNotePageMedTile.scale-200.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Emoticons\large\ninja.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.SkypeApp_11.8.204.0_x64__kzf8qxf38zg5c\SkypeApp\Designs\Flags\large\me_60x42.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.BingWeather_4.18.56.0_x64__8wekyb3d8bbwe\Assets\AppTiles\contrast-white\Weather_LogoSmall.targetsize-32.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.10252.0_x64__8wekyb3d8bbwe\Assets\contrast-black\AppPackageBadgeLogo.scale-200_contrast-black.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.People_10.1.10531.0_x64__8wekyb3d8bbwe\Assets\PeopleAppList.targetsize-48.png | AnyDesk.exe
    File opened for modification | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_17.7668.58071.0_x64__8wekyb3d8bbwe\en-us\mso.acl | AnyDesk.exe
  • Program crash
    WerFault.exe

    Reported IOCs

    pid | pid_target | process | target process
    184 | 2580 | WerFault.exe |
  • Checks SCSI registry key(s)
    vds.exe, explorer.exe

    Description

    SCSI information is often read in order to detect sandboxing environments.

    TTPs

    Query Registry, Peripheral Device Discovery, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_&PROD_HEARTDISK\4&37CE57BA&0&000000 | vds.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Capabilities | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\FriendlyName | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\HardwareID | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\HardwareID | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\ConfigFlags | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\FriendlyName | vds.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\ConfigFlags | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_SANU&PROD_SANU_DVD-ROM\4&37CE57BA&0&010000 | vds.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 | explorer.exe
    Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_&Prod_HeartDisk\4&37ce57ba&0&000000\Capabilities | explorer.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Sanu&Prod_Sanu_DVD-ROM\4&37ce57ba&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 | explorer.exe
  • Enumerates system info in registry
    SearchUI.exe

    TTPs

    Query Registry, System Information Discovery

    Reported IOCs

    description | ioc | process
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | SearchUI.exe
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | SearchUI.exe
  • Interacts with shadow copies
    vssadmin.exe

    Description

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    TTPs

    File Deletion, Inhibit System Recovery

    Reported IOCs

    pid | process
    1188 | vssadmin.exe
  • Modifies Control Panel
    explorer.exe, SearchUI.exe, ShellExperienceHost.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop | explorer.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\TranscodedImageCount = "1" | explorer.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Desktop\LastUpdated = "4294967295" | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\Colors | ShellExperienceHost.exe
  • Modifies registry class
    explorer.exe, SearchUI.exe

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | explorer.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "56" | SearchUI.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.cortana | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings | explorer.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | explorer.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | SearchUI.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DomStorageState | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.cortana | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "152" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff | explorer.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.cortana\ = "23" | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify | explorer.exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\IconStreams = [binary data not shown in report] | [name truncated].exe
    Set value (data) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02 | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "23" | SearchUI.exe
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B4BFCC3A-DB2C-424C-B029-7FE99A87C641}\Instance | explorer.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage | SearchUI.exe
    Key created | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "185" | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.cortana_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.cortana\Total = "56" | SearchUI.exe
    Set value (int) | \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\TrayNotify\UserStartTime = "132483827320340134" | explorer.exe
  • Modifies system certificate store
    AnyDesk.exe

    TTPs

    Install Root Certificate, Modify Registry

    Reported IOCs

    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 | AnyDesk.exe
    Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = [certificate blob not shown in report] | AnyDesk.exe
  • Suspicious behavior: EnumeratesProcesses
    AnyDesk.exe, WerFault.exe

    Reported IOCs

    pid | process | occurrences
    948 | AnyDesk.exe | 2
    184 | WerFault.exe | 14
  • Suspicious behavior: MapViewOfSection
    AnyDesk.exe, AnyDesk.exe

    Reported IOCs

    pid | process
    648 | AnyDesk.exe
    1520 | AnyDesk.exe
  • Suspicious use of AdjustPrivilegeToken
    svchost.exe, vssvc.exe, wbengine.exe, WMIC.exe, WerFault.exe, explorer.exe

    Reported IOCs

    description | pid | process | occurrences
    Token: SeTcbPrivilege | 2220 | svchost.exe | 2
    Token: SeBackupPrivilege | 2128 | vssvc.exe | 1
    Token: SeRestorePrivilege | 2128 | vssvc.exe | 1
    Token: SeAuditPrivilege | 2128 | vssvc.exe | 1
    Token: SeBackupPrivilege | 2036 | wbengine.exe | 1
    Token: SeRestorePrivilege | 2036 | wbengine.exe | 1
    Token: SeSecurityPrivilege | 2036 | wbengine.exe | 1
    Token: SeIncreaseQuotaPrivilege | 584 | WMIC.exe | 2
    Token: SeSecurityPrivilege | 584 | WMIC.exe | 2
    Token: SeTakeOwnershipPrivilege | 584 | WMIC.exe | 2
    Token: SeLoadDriverPrivilege | 584 | WMIC.exe | 2
    Token: SeSystemProfilePrivilege | 584 | WMIC.exe | 2
    Token: SeSystemtimePrivilege | 584 | WMIC.exe | 2
    Token: SeProfSingleProcessPrivilege | 584 | WMIC.exe | 2
    Token: SeIncBasePriorityPrivilege | 584 | WMIC.exe | 2
    Token: SeCreatePagefilePrivilege | 584 | WMIC.exe | 2
    Token: SeBackupPrivilege | 584 | WMIC.exe | 2
    Token: SeRestorePrivilege | 584 | WMIC.exe | 2
    Token: SeShutdownPrivilege | 584 | WMIC.exe | 2
    Token: SeDebugPrivilege | 584 | WMIC.exe | 2
    Token: SeSystemEnvironmentPrivilege | 584 | WMIC.exe | 2
    Token: SeRemoteShutdownPrivilege | 584 | WMIC.exe | 2
    Token: SeUndockPrivilege | 584 | WMIC.exe | 2
    Token: SeManageVolumePrivilege | 584 | WMIC.exe | 2
    Token: 33 | 584 | WMIC.exe | 2
    Token: 34 | 584 | WMIC.exe | 2
    Token: 35 | 584 | WMIC.exe | 2
    Token: 36 | 584 | WMIC.exe | 2
    Token: SeDebugPrivilege | 184 | WerFault.exe | 1
    Token: SeShutdownPrivilege | 4076 | explorer.exe | 7
    Token: SeCreatePagefilePrivilege | 4076 | explorer.exe | 6
  • Suspicious use of FindShellTrayWindow
    explorer.exe

    Reported IOCs

    pid | process | occurrences
    4076 | explorer.exe | 45
  • Suspicious use of SendNotifyMessage
    explorer.exe

    Reported IOCs

    pid | process | occurrences
    4076 | explorer.exe | 24
  • Suspicious use of SetWindowsHookEx
    ShellExperienceHost.exe, SearchUI.exe

    Reported IOCs

    pid   process
    2352  ShellExperienceHost.exe
    204   SearchUI.exe
    2352  ShellExperienceHost.exe
  • Suspicious use of WriteProcessMemory
    AnyDesk.exe, svchost.exe, AnyDesk.exe, cmd.exe, AnyDesk.exe

    Reported IOCs

    description                        pid   process      target process
    PID 648 wrote to memory of 948     648   AnyDesk.exe  AnyDesk.exe
    PID 648 wrote to memory of 948     648   AnyDesk.exe  AnyDesk.exe
    PID 648 wrote to memory of 948     648   AnyDesk.exe  AnyDesk.exe
    PID 648 wrote to memory of 948     648   AnyDesk.exe  AnyDesk.exe
    PID 2220 wrote to memory of 1520   2220  svchost.exe  AnyDesk.exe
    PID 2220 wrote to memory of 1520   2220  svchost.exe  AnyDesk.exe
    PID 2220 wrote to memory of 1520   2220  svchost.exe  AnyDesk.exe
    PID 2220 wrote to memory of 1520   2220  svchost.exe  AnyDesk.exe
    PID 2220 wrote to memory of 1520   2220  svchost.exe  AnyDesk.exe
    PID 2220 wrote to memory of 1520   2220  svchost.exe  AnyDesk.exe
    PID 2220 wrote to memory of 1520   2220  svchost.exe  AnyDesk.exe
    PID 948 wrote to memory of 4088    948   AnyDesk.exe  cmd.exe
    PID 948 wrote to memory of 4088    948   AnyDesk.exe  cmd.exe
    PID 4088 wrote to memory of 1188   4088  cmd.exe      vssadmin.exe
    PID 4088 wrote to memory of 1188   4088  cmd.exe      vssadmin.exe
    PID 4088 wrote to memory of 2148   4088  cmd.exe      wbadmin.exe
    PID 4088 wrote to memory of 2148   4088  cmd.exe      wbadmin.exe
    PID 4088 wrote to memory of 584    4088  cmd.exe      WMIC.exe
    PID 4088 wrote to memory of 584    4088  cmd.exe      WMIC.exe
    PID 1520 wrote to memory of 2544   1520  AnyDesk.exe  AnyDesk.exe
    PID 1520 wrote to memory of 2544   1520  AnyDesk.exe  AnyDesk.exe
    PID 1520 wrote to memory of 2544   1520  AnyDesk.exe  AnyDesk.exe
    PID 1520 wrote to memory of 2544   1520  AnyDesk.exe  AnyDesk.exe
Processes 17
  • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
    Loads dropped DLL
    Suspicious use of SetThreadContext
    Suspicious behavior: MapViewOfSection
    Suspicious use of WriteProcessMemory
    PID:648
    • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
      Modifies extensions of user files
      Adds Run key to start application
      Drops file in Program Files directory
      Modifies system certificate store
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of WriteProcessMemory
      PID:948
      • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n948
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: MapViewOfSection
        Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
          "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" n948
          PID:2544
      • C:\Windows\system32\cmd.exe
        "C:\Windows\system32\cmd.exe"
        Suspicious use of WriteProcessMemory
        PID:4088
        • C:\Windows\system32\vssadmin.exe
          vssadmin delete shadows /all /quiet
          Interacts with shadow copies
          PID:1188
        • C:\Windows\system32\wbadmin.exe
          wbadmin delete catalog -quiet
          Deletes backup catalog
          PID:2148
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic shadowcopy delete
          Suspicious use of AdjustPrivilegeToken
          PID:584
  • \??\c:\windows\system32\svchost.exe
    c:\windows\system32\svchost.exe -k netsvcs -s seclogon
    Suspicious use of NtCreateUserProcessOtherParentProcess
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of WriteProcessMemory
    PID:2220
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    Suspicious use of AdjustPrivilegeToken
    PID:2128
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    Suspicious use of AdjustPrivilegeToken
    PID:2036
  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    PID:1768
  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    Checks SCSI registry key(s)
    PID:756
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2580 -s 2560
    Program crash
    Suspicious behavior: EnumeratesProcesses
    Suspicious use of AdjustPrivilegeToken
    PID:184
  • C:\Windows\explorer.exe
    explorer.exe
    Enumerates connected drives
    Checks SCSI registry key(s)
    Modifies Control Panel
    Modifies registry class
    Suspicious use of AdjustPrivilegeToken
    Suspicious use of FindShellTrayWindow
    Suspicious use of SendNotifyMessage
    PID:4076
  • C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
    "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
    Modifies Control Panel
    Suspicious use of SetWindowsHookEx
    PID:2352
  • C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
    Enumerates system info in registry
    Modifies Control Panel
    Modifies registry class
    Suspicious use of SetWindowsHookEx
    PID:204
Network
MITRE ATT&CK Matrix
  • Command and Control
  • Credential Access
  • Exfiltration
  • Initial Access
  • Lateral Movement
  • Privilege Escalation
            Downloads
            • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_324a22d6b747ed978d3969eb719eea89c473c72_41822faa_cab_0fcdd283\Report.wer

              MD5

              1b0183b94d6195675d29f6fb981ec199

              SHA1

              cdbc07c4e23daffe06c88c3ae8b8ec048174a9d5

              SHA256

              15b1683fb7bdf72bb552c8d8b70f5c9e516e7cd15b66c424acc7b8a950029963

              SHA512

              37c68670d70e6b49cf7cba1aed65b6ab32b599ea1fc54cd44eaffd76ae3439ba01a6437cb8dfe5955cdc1e9dfca505a2361e234171335798012b5e3adf0f95cd

            • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_324a22d6b747ed978d3969eb719eea89c473c72_41822faa_cab_0fcdd283\memory.hdmp

              MD5

              456581b4a023d5e3d6dac00fd2b05d12

              SHA1

              4fbf9bb127749d0c855b8228a2e9bd037fc96178

              SHA256

              d049675d5bf0d18e3ea50d76bb0272a1d53014ad99d792b64906c4a9705b7be1

              SHA512

              7bf19987bfc36ed6311a46fd05869114c46ab5d748b889978ffd89ec708c916fa83244545b241c2a9e011378047ae1f633138d041ab303cb1a2f3189bef7ee1c

            • C:\ProgramData\Microsoft\Windows\WER\ReportQueue\AppCrash_Explorer.EXE_324a22d6b747ed978d3969eb719eea89c473c72_41822faa_cab_0fcdd283\minidump.mdmp

              MD5

              84820e1274aecb77d2bb6ba35b770a30

              SHA1

              8d0f874d57c46253bf52bd5c5f7b9f9987cefafd

              SHA256

              5d1b7cc2eff664a29c51c155eb1b2baf28f36dc967aedb30bb8fa51c16ea24f9

              SHA512

              00dfda5299d5a36136cb7440a4d9d29552bad6ca830d011f6033e00fa96483fb82dad8aa88aa87aeb1fe1a02360ad6716bb34ee576eec57c7deeb9734801c616

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\cversions.3.db

              MD5

              d866df59ea63885d8aaa6b1484afd465

              SHA1

              448fd8bc776d169ac532f5fd7b3ea4db3b441667

              SHA256

              f4a0db9e82c1205a10f1f2b9c4c4bb12fa50182b84704859bdd992ddad22917b

              SHA512

              bcbba072bddd276ce4ac28bdf9dda08b1503cb72bbd45135ff45f760725aa6673072c6e098c323c6054895717d73279015790150b24c244463e649098d6b1462

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001d.db

              MD5

              bf74bc31171404279d5fc6e5b442be80

              SHA1

              9245a523a0132988d5ed5ac791c9f3de57b3f810

              SHA256

              ed849f246e6b390eac2cd8a67d199aa60055db65b100bd2f4ea92797be58e284

              SHA512

              d1bf765cd06ea8e6c760ee23223b4822a84980b62fd5cb2ed96f4e535d5bfb8e64f6b497472ed6cea664f985557cdd44d0d31d2e6a3ec6b6c4aae273d26a186b

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches\{3DA71D5A-20CC-432F-A115-DFE92379E91F}.3.ver0x000000000000001e.db

              MD5

              44fb9bb86eeb0205272a6e5b0f4d1122

              SHA1

              afeb766d20c5d57cf6ffa0908cfb25f6365a7032

              SHA256

              11a515503f170f1fdab8eef78354c1868e8b93897ae7db77dd0b71d00c11765c

              SHA512

              6db267285815c5dcd783c5cb69f026541cc89e80b9feb341e91895f49a61f85c4fbbd23d9c36c3aa5de6bb44414ca28afb8d0ae117513b36a4c2c74f019874e7

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db

              MD5

              ec189e1aca87207542dd0bcbedc7d4b8

              SHA1

              6f742134f0d5ab2f56d8ea5930d1988e57fdd303

              SHA256

              a8d097b09b44aa510605845e9e158c3979d2c5163a4766798f249129ea07cd00

              SHA512

              00c55b83feb2db9d9ef3bf27fbe9866cc41b24d56535648e2b3541fe644f2547e420035bad2f07bffaa11431bc93b21c90bef8cc7ed89c7b2f2ad691df408ffc

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db

              MD5

              780b5f65ebc34a05c4172df9aabbe611

              SHA1

              ed1dad03d80493bc196887a57291e07a844a178c

              SHA256

              de0ffb27572af8963048ad5eaca4e9f49116174ee198cc510316e7d1de43f2c1

              SHA512

              d85f43aece33225dda07c64a128edaeda426e42aea1c941e56823cd4544c6b7717d73e7bc505ecd847563b32ad5ebba12d8501f5ab53f127ea1ec21b3b492d19

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db

              MD5

              0dee6f7f34cfa122decfeab8048b5330

              SHA1

              5ddd0c25a047b382338b05d525e3025a099ffc79

              SHA256

              ff79914bc22b3ec0c238ce67444d372fc019f97d221d0582def390c2a0c8b108

              SHA512

              f0f4ed97b8ca9be72eb6cec6361c87f172feb6cd64392f155577151ad4e96301410f89854d725c7805f507f2de0383ab117c32b24a989c7ed29189759bff7c5b

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db

              MD5

              919186437ad6397f4e553d8f4e9efc08

              SHA1

              c32c27992316c27fc2685a6ade4b260e037af80c

              SHA256

              2aad32bec48bf20931772ead0ade101f5a8a0840ff799ad309d35cc32a5e5ca6

              SHA512

              198187213530c561fa38e48844c6e6024363eedd04e94a30b88a8589a0bb6323c39e0b0475fd2a96887b3ac30efcc0b02a4afb259531a6b376f8534ae9826814

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db

              MD5

              32802467e38b751209fd7b8329ac7414

              SHA1

              e3413823d1d554a5281a05d0c7b095ac1f915435

              SHA256

              9227ddd17df8f1315b1d15aac0f503c9facf41252dd912e2c392f3ff6791711d

              SHA512

              658a49831683f0edebb5f78f1be8c383e81089f000e55322c79b94abd7eef8327d23b4b150911161762a294de8122a0182860ac9edaf040962566e3af1b745ff

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db

              MD5

              f1a1901e68d4a1e846aefe7032d2f026

              SHA1

              bbad1df2b708d7905b8aa732ed8e4c13eefd27cf

              SHA256

              1be12e11ca7c861aad4b0242de11ee50d465a2453f1e14bcf1736c1380f659b6

              SHA512

              a395c1bcff6e074edc088a5a2f1998ed9065af7509ecea439c3c2a4f526eb291e36efabec40c659ff9aa6c39faf68e672b70b79683677585a46597f2599ffa2f

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db

              MD5

              4a888955350bceeefada3ab18d41cd1e

              SHA1

              5a5c73eb2ac0f1f4fa5682fa4f85e17780a4177f

              SHA256

              53cf9a4b42b87a5ac1fcac04788b2dcd3acdf60f5c725de36e2c58c53b87cdce

              SHA512

              cd8ea54af10aea78d1f1cd59e92ffa342b35c888e05b5f5620916d1773c0de4e5d6e130f6e96f6c5a912a8300c4ccdb03acffc758631243e8722579333418da5

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db

              MD5

              f13013721e539b0287b62b80297dbafc

              SHA1

              bb4365eb30c21ef74cbd7d25710752074ac4855d

              SHA256

              936da531c61f0af3a4603b08b7c299fec63cf70d6bcb55142d7aa93c9c6a7318

              SHA512

              0deeb120905a7bf1db0a84f6eefa667ec514cc54d8ee689127a84b041b2f644525f6aa9627737bd4d30967a510483f3745e5a527f2f3a1bff0d2c710dbb5c9ca

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db

              MD5

              0c4f90602242339a6dd6d555006d3c9e

              SHA1

              01ee7be425b18653520376a129f5fdc2b46f0700

              SHA256

              bfe080ca2b68ddfd543cb340a7fe821aebeebc315a313c824fcfbe0afd813091

              SHA512

              ec5e214dbda4dad8aaaedad29ce6ab0209ebdd74db154a872eaadd70906be9c8c4da8fb9692401bcc6569a311becce0e092aba0b9611fdf9d00f1a570c8261ab

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db

              MD5

              6296de68e3bce2bd433a57feee1197e1

              SHA1

              f6050ef83ffe3effd43a872e30d20aac368db989

              SHA256

              b39acaf2496f8c21e9b81da4c3636d1b0510975549a7abeedc252e010e3fb935

              SHA512

              485cdaf172c92489b0006dd759bf6876c0d7bbd23fad042fd00e049831f85facfb979c1fa9c61a468456574cd8e04b653493dab30c6fd9863f0fdb7be2d2a4d0

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db

              MD5

              d4f6f6a7eab5f7fb159c85de4875a475

              SHA1

              d9178a64d13be270bae0e5f19f9bd2ed1edff961

              SHA256

              891a95db0666659ca614a8646329f1eb46062d5c1ccd65698149327310483163

              SHA512

              8180e4a17d6886be0a14b735e6f1b559550c36189cc305702861e022d65bb41792bd1309cceef3c0667646fd7fbe475426d271ab791d0eca2037b3d22081fa24

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1280.db

              MD5

              53b5ea9ea39c6b0793e2216374c6c2c9

              SHA1

              f52723a807c163cef0fe8ebc87f0a45424fcd1b7

              SHA256

              c1722770257e3f8d81259072f44b3a4561a6cf952645ed8715f6ad503765e930

              SHA512

              688a86b5d39a6a70c9b20b47115bc46a69a2e11ab98a52f84181d9b08fd86a52f3fc05db5f84da3f46d84d6b33bc69f790e7f28fc5c5e9f00ad3efcfacd69966

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_1920.db

              MD5

              dfa322b8646f086363d9ac9765aa6ceb

              SHA1

              f9141486db87be30695977051d9072abefe70ddb

              SHA256

              489d7006b0cadbf2a324eb02832862e3d1e58a7a7a76c3df865fb1b7b3eb389b

              SHA512

              96545c6223a65abc0e7e36b2330cacb12107366a0f752c2d97605299e5e5e948badcd70f3fb0f18e6cbf72f68d7d59e227a613b7ff3d8d9dbff8a5ad7ae11f91

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_2560.db

              MD5

              ca29ac31c558fc594b13ca464d8a1e45

              SHA1

              6f02e666992452a6521847ca3067767cc870366e

              SHA256

              03b06b01da7d98790893dcc968c1d3899143c3f56967d68a2860faf0ac315311

              SHA512

              e75c631a60871da1c2b46935ca2bd5998e7cca0b24fa09b0d7249107c3a56c7f477d0fdd62d715cb1a9c38f1a07aeb101f0d6d023463731f6a65e72103fb2185

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_32.db

              MD5

              a7757e9ef6396bda23a35a093ece92cc

              SHA1

              31560fc98cd30d9a4a7eceac35c33e4a1435ebc0

              SHA256

              1ea8bf5a3a95f3beab67ef42b716534930aea51134ffe5ddcda4c8bc22b1e39d

              SHA512

              fad1bb1b63576b240ce558082988eac6035ae063297cc73382dc6ab72ae64deb06e580e80e2bb825f3c5dd691fc73b4cf1d6578fa04a797e4861ebdb63f1ec85

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_768.db

              MD5

              07d9ed155acfe3217698debb8fb0a27c

              SHA1

              180e8f55347ad26a16710aeaae115fa272d2956b

              SHA256

              95dbb32b9549a437e77b5390c2573bf48492f0d8586f1ec03176e90699c32ad7

              SHA512

              78e15b651c708962f4c4dea853c072f9b9990b0d8633f2111c6da6e63c7b7cac353ac7e0dfe948404dedcfafc84593af13d5f2dadf4a627ce4e33605478e2a48

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_96.db

              MD5

              1d7c0989659664f2958eee46442a17a9

              SHA1

              b8b0ed744c443e471591463609ac83cda46c8ab6

              SHA256

              94f096a5ea99b3fbe31348d55ca9985c5d4f40a50089db5f10acf1990868d4ef

              SHA512

              938b9ddb9d8ff9e1d09503cbe6fa1dbd775f508bbd9e4f14935f086f118d249827be9ed61ad87673d90c7060bc68d8448143f20272dc8b8f8b68fe5870e668c6

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_custom_stream.db

              MD5

              a7ec9520ffcc8111414697367ea6e4ec

              SHA1

              4d29730c4465f058635c204e4ed1b2d6b23097ee

              SHA256

              2ec501a1741f285d42f23b131274f18fb4846b80e7eace651a8871722227a130

              SHA512

              b83d132026da3cea6e7310cc83b3f98654bcf18c5d17a23c448cd62bff16d4ccc8dc6f7d5d597a6f3c12f743d7ffc9a3145958af0002fa7398e99c9fb37ae29f

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_exif.db

              MD5

              593cc1b8f4044a8bdba11788ed3ed73d

              SHA1

              9f1f1ce04f45199df93f66fd0099338df832ed9e

              SHA256

              cb339c8a46d1f994c8fd79959be188634d4143cbd7055fab94c8aad680183776

              SHA512

              38444cb8012ac44a6020bfd9d6c35950a41b00269df3c499216384933735ef0d9b6d530542ce19cbafac33ca119c8675337d090205f3d78c3ef7efe9b4199d9b

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_sr.db

              MD5

              8f4fbd923f7f88e501bb30bb0dc1e6bb

              SHA1

              c6e0426d01ce5249b5b457b81646b3e42ffbc4b9

              SHA256

              a0ed2eaa493c8fb4691291d939da2fe3c9eb223ef786c491f86c78c3b9188658

              SHA512

              9e8b715879b5f01d41db864a2df1577372fa98dc49037ccc6fbf8fc5314af19e7e81214f01b34dfb9b5b2f374753fd9f5256af81d70b690c11940e1ed12b8b58

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide.db

              MD5

              c27765be33d0f5906f59905bd234abbe

              SHA1

              520f2fbb7d720fdf0e1d90ba6e533343a65ab878

              SHA256

              d5ed14137ec08a694dfcd267ecea49a8e807d10028a72517a2967b3b86876217

              SHA512

              837d2acd0443139f79f6920c3f6aa1aca08637556ea8c809f08032e2124f9427bbfda070247d9411fc905dfbd9d7ec3d6dec57205e98cd57c005334bdb8131c0

            • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_wide_alternate.db

              MD5

              a09acafd2296496773e5701c9ec1c891

              SHA1

              f091b9a6e9364e23fc5fa5c702deae03bc7772dd

              SHA256

              2e71617591daf75f63e1aa9789919b62ffa1278672c2a1a4fd45ca417a4efc12

              SHA512

              6c4b7eb6556b16fa1a360016633f50b665a40ddade22d1a0e1fcb7f0cf619bedc28cdf6d75fe05d7e70e124f1048f1c5a82411ba706feb13f4827fbaf3271500

            • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ShellExperienceHost_cw5n1h2txyewy\TempState\UnifiedTileCache.dat

              MD5

              78682ca408ac0c394ad5ec9e7ae36edc

              SHA1

              b721fbe9a7e8e9031add8b3d42ecea141d6e3130

              SHA256

              00f0158414ac6ecf96d49bd7f1961f112d44b351ef1ede454280cf3a61540073

              SHA512

              c5b8a1983a65da634af7f1223863b6bb45cd9305b0cb781f6bf38773e0814abb47c1cd5c7e2d51a7e7df345fd38e215887939256db788824b3cb00502e899517

            • C:\Users\Admin\AppData\Local\Temp\WERD1CA.tmp.appcompat.txt

              MD5

              573a631ebe2958dd73d3eea8c0c03063

              SHA1

              b7690fca8d976307755700380a6f3a0bf46c74f6

              SHA256

              54ac56f28ef8b1d5fcb697a16426d7889da4c6a4c66b1e2a61f22ba1fc4128f2

              SHA512

              c7424642afa01cf4abb39ee97f4d47c087f3f617e627480f1a9f19c8002cb306b1673d8fdafc783ddff8418e6051a8293ca523c759215b7bfab2614473267fe0

            • C:\Users\Admin\AppData\Roaming\827763568

              MD5

              d41d8cd98f00b204e9800998ecf8427e

              SHA1

              da39a3ee5e6b4b0d3255bfef95601890afd80709

              SHA256

              e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

              SHA512

              cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

            • C:\Users\Admin\AppData\Roaming\827763568

              MD5

              bc56a6edf3619ff519ba00f436a812d8

              SHA1

              a344a1d107b20ff70eb45ee9af00e19991493624

              SHA256

              917670687a68199f0258565da44a2a89f0e532c5c424b3efa8669ccc6d999911

              SHA512

              c0861202006f40252f021eb9b656e5f8777d83e2869e82382f6f60692ab82fc6ff5428b3fd7e14a31b77ebc53562a35608cfdc6e5845fe7deffdc700d3d608cc

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Themes\CachedFiles\CachedImage_1280_720_POS4.jpg

              MD5

              38ad9694abe9d773b00cc87fc340aa5a

              SHA1

              f7ff13ace4f027e253b2a9265ee892b5d5fd9633

              SHA256

              dbe6fbbcc7b80ec3ab4cc55a96779765614e32423e87bbd1a780749bad601f7f

              SHA512

              d98a42050a47044d99b2a2ab15d9f72d0b508825477284b1d0c02c60eee6de946b62977d3ef4ddd677148a47f10a3d802ea66f143c3d365dbe9ebef3108fad8b

            • C:\Users\All Users\Microsoft\Windows\WER\Temp\WERCF38.tmp.WERInternalMetadata.xml

              MD5

              629cf6726b358b100bb9eed7bb792d15

              SHA1

              c4f9aef8b9e8c385020f83a6c4ecf0bc28e4a182

              SHA256

              8b6813850aca9b807b9a691a07507f08ea918351d70718c659ee85fe050d3083

              SHA512

              782aa2b65b6ad661dadc2409d58fe107c1bb2067387dece0be78f879faebb3cff31c21e246a7cfca8c56ecade07effaec403dfcd7fa35b08043ca411dcc9c11b

            • \Users\Admin\AppData\Local\Temp\nsa8709.tmp\System.dll

              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

            • \Users\Admin\AppData\Local\Temp\nsaACD1.tmp\System.dll

              MD5

              fccff8cb7a1067e23fd2e2b63971a8e1

              SHA1

              30e2a9e137c1223a78a0f7b0bf96a1c361976d91

              SHA256

              6fcea34c8666b06368379c6c402b5321202c11b00889401c743fb96c516c679e

              SHA512

              f4335e84e6f8d70e462a22f1c93d2998673a7616c868177cac3e8784a3be1d7d0bb96f2583fa0ed82f4f2b6b8f5d9b33521c279a42e055d80a94b4f3f1791e0c

            • memory/184-20-0x0000020304800000-0x0000020304801000-memory.dmp

            • memory/184-18-0x0000020304800000-0x0000020304801000-memory.dmp

            • memory/184-19-0x0000020304800000-0x0000020304801000-memory.dmp

            • memory/584-13-0x0000000000000000-mapping.dmp

            • memory/948-5-0x0000000000400000-0x000000000041E000-memory.dmp

            • memory/948-4-0x0000000000405A20-mapping.dmp

            • memory/948-3-0x0000000000400000-0x000000000041E000-memory.dmp

            • memory/1188-9-0x0000000000000000-mapping.dmp

            • memory/1520-7-0x0000000000000000-mapping.dmp

            • memory/2148-12-0x0000000000000000-mapping.dmp

            • memory/2544-15-0x0000000000405A20-mapping.dmp

            • memory/4088-8-0x0000000000000000-mapping.dmp