hxxps://download[.]anytype[.]io/

Analysis

max time kernel
249s
max time network
250s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
23-06-2022 22:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://download.anytype.io/

Score

10^/10

coreentity discovery

Malware Config

Signatures

CoreEntity .NET Packer 1 IoCs

A .NET packer called CoreEntity where it has embedded the payload as a BitMap object which is later decrypted.

coreentity

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar	coreentity

Executes dropped EXE 6 IoCs

Processes:

Anytype Setup 0.26.1.exeAnytype.exeanytypeHelper.exeAnytype.exeAnytype.exeAnytype.exe

pid process

4456 Anytype Setup 0.26.1.exe
3156 Anytype.exe
4452 anytypeHelper.exe
4072 Anytype.exe
4940 Anytype.exe
3508 Anytype.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Anytype.exeAnytype.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Anytype.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000\Control Panel\International\Geo\Nation	Anytype.exe

Loads dropped DLL 17 IoCs

Processes:

Anytype Setup 0.26.1.exeAnytype.exeAnytype.exeAnytype.exeAnytype.exe

pid	process
4456	Anytype Setup 0.26.1.exe
4456	Anytype Setup 0.26.1.exe
4456	Anytype Setup 0.26.1.exe
4456	Anytype Setup 0.26.1.exe
4456	Anytype Setup 0.26.1.exe
4456	Anytype Setup 0.26.1.exe
4456	Anytype Setup 0.26.1.exe
3156	Anytype.exe
3156	Anytype.exe
4072	Anytype.exe
4072	Anytype.exe
4072	Anytype.exe
4072	Anytype.exe
4072	Anytype.exe
4072	Anytype.exe
4940	Anytype.exe
3508	Anytype.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery
T1057

Processes:

tasklist.exe

pid process

4656 tasklist.exe

pid	process
4656	tasklist.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies registry class 40 IoCs

Processes:

Anytype.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	Anytype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\anytype\ = "URL:anytype"	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\anytype\shell\open	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	Anytype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\anytype\URL Protocol	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	Anytype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\anytype\shell\open\command	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616257"	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\anytype\shell	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	Anytype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	Anytype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	Anytype.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\anytype\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Programs\\anytype2\\Anytype.exe\" \"%1\""	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1"	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	Anytype.exe
Key created	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\anytype	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	Anytype.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	Anytype.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1809750270-3141839489-3074374771-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	Anytype.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

Anytype.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Anytype.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c0000000100000004000000000800001900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Anytype.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Anytype.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeAnytype Setup 0.26.1.exetasklist.exechrome.exeAnytype.exe

pid	process
3960	chrome.exe
3960	chrome.exe
4420	chrome.exe
4420	chrome.exe
4832	chrome.exe
4832	chrome.exe
3600	chrome.exe
3600	chrome.exe
4264	chrome.exe
4264	chrome.exe
2824	chrome.exe
2824	chrome.exe
3844	chrome.exe
3844	chrome.exe
4532	chrome.exe
4532	chrome.exe
4028	chrome.exe
4028	chrome.exe
4456	Anytype Setup 0.26.1.exe
4456	Anytype Setup 0.26.1.exe
4656	tasklist.exe
4656	tasklist.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
1412	chrome.exe
3156	Anytype.exe
3156	Anytype.exe
3156	Anytype.exe
3156	Anytype.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

chrome.exe

pid process

4420 chrome.exe
4420 chrome.exe
4420 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

tasklist.exeAnytype Setup 0.26.1.exeAnytype.exe

description	pid	process
Token: SeDebugPrivilege	4656	tasklist.exe
Token: SeSecurityPrivilege	4456	Anytype Setup 0.26.1.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe
Token: SeShutdownPrivilege	3156	Anytype.exe
Token: SeCreatePagefilePrivilege	3156	Anytype.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exe

pid	process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe

Suspicious use of SendNotifyMessage 31 IoCs

Processes:

chrome.exeAnytype.exe

pid	process
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
4420	chrome.exe
3156	Anytype.exe
3156	Anytype.exe
3156	Anytype.exe
3156	Anytype.exe
3156	Anytype.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Anytype.exe

pid process

3156 Anytype.exe

pid	process
3156	Anytype.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4420 wrote to memory of 5048	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5048	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 5044	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 3960	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 3960	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe
PID 4420 wrote to memory of 4664	4420	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://download.anytype.io/
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb7da54f50,0x7ffb7da54f60,0x7ffb7da54f70
2⤵
PID:5048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1652 /prefetch:2
2⤵
PID:5044

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=2020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2252 /prefetch:8
2⤵
PID:4664

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
2⤵
PID:4308

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3036 /prefetch:1
2⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:3864

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4916 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5304 /prefetch:8
2⤵
PID:4152

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5288 /prefetch:8
2⤵
PID:1356

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4804 /prefetch:8
2⤵
PID:2712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4832 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4864 /prefetch:8
2⤵
PID:1672

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4720 /prefetch:8
2⤵
PID:4140

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4772 /prefetch:8
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
2⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4836 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4264

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4760 /prefetch:8
2⤵
PID:4572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4780 /prefetch:8
2⤵
PID:2160

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5112 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4532

C:\Users\Admin\Downloads\Anytype Setup 0.26.1.exe
"C:\Users\Admin\Downloads\Anytype Setup 0.26.1.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4456

C:\Windows\SysWOW64\cmd.exe
cmd /c tasklist /FI "USERNAME eq %USERNAME%" /FI "IMAGENAME eq Anytype.exe" | find "Anytype.exe"
3⤵
PID:1644

C:\Windows\SysWOW64\tasklist.exe
tasklist /FI "USERNAME eq Admin" /FI "IMAGENAME eq Anytype.exe"
4⤵
- Enumerates processes with tasklist
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4656

C:\Windows\SysWOW64\find.exe
find "Anytype.exe"
4⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3676 /prefetch:8
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5024 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4028

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5708 /prefetch:8
2⤵
PID:2000

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1644,11035662844597418608,15408120995217949207,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5696 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1412

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2824

C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe
"C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\dist\anytypeHelper.exe
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\dist\anytypeHelper.exe 127.0.0.1:0 127.0.0.1:0
2⤵
- Executes dropped EXE
PID:4452

C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe
"C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\anytype2" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1776,i,897420453988465972,12048316466181366341,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4072

C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe
"C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\anytype2" --mojo-platform-channel-handle=2000 --field-trial-handle=1776,i,897420453988465972,12048316466181366341,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
2⤵
- Executes dropped EXE
- Loads dropped DLL
PID:4940

C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe
"C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\anytype2" --app-path="C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar" --no-sandbox --no-zygote --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=4 --mojo-platform-channel-handle=2372 --field-trial-handle=1776,i,897420453988465972,12048316466181366341,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
2⤵
- Executes dropped EXE
- Checks computer location settings
- Loads dropped DLL
PID:3508

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Caches
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe
Filesize
139.8MB

MD5
14bca64f220380d079ebc447d3d1bd3d

SHA1
508bce6f5b5761e954611c134f80e38253ce76ac

SHA256
3b2cc653b4910ce90c89aece0a7f132413785c7729722228f345073284a3c75b

SHA512
683bde1c4cb85dff6a87027d19b46bdcdac944107ef9ca25dc5a3479a8f5b1fd1c2ef349d7d740b862ed266483aae59ad020c1d316a739177e0be520b40f36f2

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe
Filesize
139.8MB

MD5
14bca64f220380d079ebc447d3d1bd3d

SHA1
508bce6f5b5761e954611c134f80e38253ce76ac

SHA256
3b2cc653b4910ce90c89aece0a7f132413785c7729722228f345073284a3c75b

SHA512
683bde1c4cb85dff6a87027d19b46bdcdac944107ef9ca25dc5a3479a8f5b1fd1c2ef349d7d740b862ed266483aae59ad020c1d316a739177e0be520b40f36f2

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\Anytype.exe
Filesize
139.8MB

MD5
14bca64f220380d079ebc447d3d1bd3d

SHA1
508bce6f5b5761e954611c134f80e38253ce76ac

SHA256
3b2cc653b4910ce90c89aece0a7f132413785c7729722228f345073284a3c75b

SHA512
683bde1c4cb85dff6a87027d19b46bdcdac944107ef9ca25dc5a3479a8f5b1fd1c2ef349d7d740b862ed266483aae59ad020c1d316a739177e0be520b40f36f2

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\D3DCompiler_47.dll
Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\chrome_100_percent.pak
Filesize
145KB

MD5
237ca1be894f5e09fd1ccb934229c33b

SHA1
f0dfcf6db1481315054efb690df282ffe53e9fa1

SHA256
f14362449e2a7c940c095eda9c41aad5f1e0b1a1b21d1dc911558291c0c36dd2

SHA512
1e52782db4a397e27ce92412192e4de6d7398effaf8c7acabc9c06a317c2f69ee5c35da1070eb94020ed89779344b957edb6b40f871b8a15f969ef787fbb2bca

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\chrome_200_percent.pak
Filesize
214KB

MD5
7059af03603f93898f66981feb737064

SHA1
668e41a728d2295a455e5e0f0a8d2fee1781c538

SHA256
04d699cfc36565fa9c06206ba1c0c51474612c8fe481c6fd1807197dc70661e6

SHA512
435329d58b56607a2097d82644be932c60727be4ae95bc2bcf10b747b7658918073319dfa1386b514d84090304a95fcf19d56827c4b196e4d348745565441544

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\d3dcompiler_47.dll
Filesize
4.3MB

MD5
7641e39b7da4077084d2afe7c31032e0

SHA1
2256644f69435ff2fee76deb04d918083960d1eb

SHA256
44422e6936dc72b7ac5ed16bb8bcae164b7554513e52efb66a3e942cec328a47

SHA512
8010e1cb17fa18bbf72d8344e1d63ded7cef7be6e7c13434fa6d8e22ce1d58a4d426959bdcb031502d4b145e29cb111af929fcbc66001111fbc6d7a19e8800a5

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\ffmpeg.dll
Filesize
2.6MB

MD5
99e5e28d0491e83b66337ec895d0cf0b

SHA1
0cf64d91ac9338e79f251dc245f046c44c477e96

SHA256
341f00c2b98ebc334ae3b2dcd74dc6512d3439d9be6b639981d54fea2d33f659

SHA512
a9f0e32781bc916274f8a82444fbabd28b03cc6ba7a259f82b27dd35cf009546b3235fba4e01362ab531c766432a7e666051b9425dd1975ae2b77c1013ded7e5

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\ffmpeg.dll
Filesize
2.6MB

MD5
99e5e28d0491e83b66337ec895d0cf0b

SHA1
0cf64d91ac9338e79f251dc245f046c44c477e96

SHA256
341f00c2b98ebc334ae3b2dcd74dc6512d3439d9be6b639981d54fea2d33f659

SHA512
a9f0e32781bc916274f8a82444fbabd28b03cc6ba7a259f82b27dd35cf009546b3235fba4e01362ab531c766432a7e666051b9425dd1975ae2b77c1013ded7e5

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\ffmpeg.dll
Filesize
2.6MB

MD5
99e5e28d0491e83b66337ec895d0cf0b

SHA1
0cf64d91ac9338e79f251dc245f046c44c477e96

SHA256
341f00c2b98ebc334ae3b2dcd74dc6512d3439d9be6b639981d54fea2d33f659

SHA512
a9f0e32781bc916274f8a82444fbabd28b03cc6ba7a259f82b27dd35cf009546b3235fba4e01362ab531c766432a7e666051b9425dd1975ae2b77c1013ded7e5

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\icudtl.dat
Filesize
9.8MB

MD5
d866d68e4a3eae8cdbfd5fc7a9967d20

SHA1
42a5033597e4be36ccfa16d19890049ba0e25a56

SHA256
c61704cc9cf5797bf32301a2b3312158af3fe86eadc913d937031cf594760c2d

SHA512
4cc04e708b9c3d854147b097e44ff795f956b8a714ab61ddd5434119ade768eb4da4b28938a9477e4cb0d63106cce09fd1ec86f33af1c864f4ea599f8d999b97

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\libEGL.dll
Filesize
437KB

MD5
2a89eb1bfb14589873e8b3047a7cedbe

SHA1
481e3a34000bf401eb62312ce2ce80fc875e2573

SHA256
16c3c89e70cefadb45a5d8631c03dbc66c76001d56f4695f5888d8c6839d7d29

SHA512
00f99a843c698c8f7f335ad4934bb3639f07a678142e0b7a9f4c252e1aa895e7adb3dc595ae901c7b5e048c29522717731cb50d2a9506b81f6c4343d1debb25d

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\libGLESv2.dll
Filesize
6.7MB

MD5
57bfac57785ee34416054f065c9e376d

SHA1
81191333abd91d067f23294a6bc0f3cfd7e4857e

SHA256
c0018aabf22043044d1df6e36a1e0fbaf3bcf933f9a4b7948823a90ceb1d9dd8

SHA512
c22493ddd18cece76ec0673c6cdc082fa230ecd6fab3a4a65e966a7cccb652d803b68d79081845a74630383fb9925d84713dfa49f0603bb20dd4b1b80ae8c99c

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\libegl.dll
Filesize
437KB

MD5
2a89eb1bfb14589873e8b3047a7cedbe

SHA1
481e3a34000bf401eb62312ce2ce80fc875e2573

SHA256
16c3c89e70cefadb45a5d8631c03dbc66c76001d56f4695f5888d8c6839d7d29

SHA512
00f99a843c698c8f7f335ad4934bb3639f07a678142e0b7a9f4c252e1aa895e7adb3dc595ae901c7b5e048c29522717731cb50d2a9506b81f6c4343d1debb25d

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\libglesv2.dll
Filesize
6.7MB

MD5
57bfac57785ee34416054f065c9e376d

SHA1
81191333abd91d067f23294a6bc0f3cfd7e4857e

SHA256
c0018aabf22043044d1df6e36a1e0fbaf3bcf933f9a4b7948823a90ceb1d9dd8

SHA512
c22493ddd18cece76ec0673c6cdc082fa230ecd6fab3a4a65e966a7cccb652d803b68d79081845a74630383fb9925d84713dfa49f0603bb20dd4b1b80ae8c99c

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\locales\en-US.pak
Filesize
110KB

MD5
5cc884bf0ec1c702240173b35a421d1b

SHA1
19bdfb0b31dc4a75e7c135d1a8ef76f5f6cc3a31

SHA256
9f0c75c84381360677055d6197812c7a6c42dbfc6134eb8212d8a60ed1ca1601

SHA512
48772f50f6b0d846084a0cfb0d6433f2fbf73677b557b022d0d73d04790636c0c40ed873c32fd037013e943fb7c24816efdcde38429520895c00c2d85a17ea5c

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources.pak
Filesize
4.9MB

MD5
a1e5aafe5a1509ef461d584c98484ff7

SHA1
455a36fff7a12989d0d1fc944a3c8840141d865a

SHA256
dd0cdd9201c5966dcc8b3ac3f587fdb05cad09547e267e0d16b8b1a3cff14772

SHA512
f98e33fe7e89a7798c6c274b4220c7c5262a2cedd0c0a04c7821634679f71145eca78c7a36a9f576712a00ffbabfabf58c958483d2d69fa9960178a7c3581946

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar
Filesize
352.4MB

MD5
d55b25da794c15fc6e00293e29f254c4

SHA1
8264348c90ed7934909d89edae34645a32050653

SHA256
d7ae3588c9f4ee74e7ca79617ebc1ef58263c7f626b7bd868d2307b1847507fd

SHA512
ffa360a3bf530043eefe58c84e71313c00a5348aacf834279579e17b3cac72ece87aaa511d18a93ea9a69df6cc079d1a5e5526faf85d2ea9981b2f640d484805

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\dist\anytypeHelper.exe
Filesize
79.1MB

MD5
a10509bfccac25a75e1154f2a9b139b4

SHA1
5a84410c68385a002f9f6a20711d614e326c31c1

SHA256
557d874436ae8227c5e2122f92415c82512405224821bbe9c8f06710cf6c1b5a

SHA512
63db6a99c18a105c8e942f322e6ad1a5b51dbb71dad452d34f616cede831d1976ee43efb7325d5e92ad5d4828923fb3d584d5bf2bff1600d365d9c112c066122

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\dist\anytypeHelper.exe
Filesize
79.1MB

MD5
a10509bfccac25a75e1154f2a9b139b4

SHA1
5a84410c68385a002f9f6a20711d614e326c31c1

SHA256
557d874436ae8227c5e2122f92415c82512405224821bbe9c8f06710cf6c1b5a

SHA512
63db6a99c18a105c8e942f322e6ad1a5b51dbb71dad452d34f616cede831d1976ee43efb7325d5e92ad5d4828923fb3d584d5bf2bff1600d365d9c112c066122

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\electron\icon512x512.png
Filesize
48KB

MD5
190cceeb720d0552f3f2b371195a7fc7

SHA1
3431033614051bd0458e0951a26544526b4cbf60

SHA256
3cd1b53b178bb9e62f727342f690624b85bad512df08b05017142b3685ac7de7

SHA512
091bc342721554f8804cd76dffea25ad7b1190b0a58213b3cef9e583dbacb85be7e6c8cb47b70a1b193ec8d28f2083dbf160c88a5d1d124d18903ffbfca9d861

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\electron\icon64x64.png
Filesize
2KB

MD5
fe851462ec4c7e785c8d807167ade6db

SHA1
1ffea83d405747de5bc312f4a6bef0e1877b71e6

SHA256
2bb3da8e6423f534e599fd63192fe49257f8df5fe3b624c96aa0e7df1b15029d

SHA512
ca5468a3b62cede6e6a8d5673cad44cde632c99503623a53b1b2c981a97d13e0d02cad32ee7c04c7c51faf0cf1fce49a18ecb0da87274efda803ca3adc8a83f0

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node
Filesize
690KB

MD5
dcbaf07491a4aca065e6784069f2264c

SHA1
9406e67ac2aace4ce770d139f53a667c296606fb

SHA256
cc5e9f89457d9317c47a755e56f93e341f0b5d821dc1333df798c86379d13cfb

SHA512
e94bdee348712966b56a291812eeaf5fe2b3a35569176ab032d22ef4bde787f0d88155b236b780edf772f4a36ba2a7794638ea7e5c7a25455121bbdbecdb2b19

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\resources\app.asar.unpacked\node_modules\keytar\build\Release\keytar.node
Filesize
690KB

MD5
dcbaf07491a4aca065e6784069f2264c

SHA1
9406e67ac2aace4ce770d139f53a667c296606fb

SHA256
cc5e9f89457d9317c47a755e56f93e341f0b5d821dc1333df798c86379d13cfb

SHA512
e94bdee348712966b56a291812eeaf5fe2b3a35569176ab032d22ef4bde787f0d88155b236b780edf772f4a36ba2a7794638ea7e5c7a25455121bbdbecdb2b19

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\v8_context_snapshot.bin
Filesize
709KB

MD5
dd0d4997dfab65b96aad66d035f6029c

SHA1
65faa1dbb7ccd902f1f1af544f6941234ff679d3

SHA256
f033fb86fa92df1be464de590aa312cc016bc5d6bea26672c896bf4d3f1261cd

SHA512
86b06bd0f91f50bd13b3af179f3f498f10a225d25ba5ca32258f75567e601c3f48f7a3fb436c3b0d2ba53cc9eaaa8f74c95b44458628b0ea716563694a3c7002

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\vk_swiftshader.dll
Filesize
4.4MB

MD5
78529d2ae871b3b99a6d34ecee08f48e

SHA1
5af9d6e49da575dfb7e949783a073014e4d537cf

SHA256
8c7f1f80cbd678b45ade5dab31e5979abf1e3a769175b94855041bddcd0153fa

SHA512
927907ad5ffe48a220844a05df063e2aaf1cc8ecb0a168e30fa235903c7c58d11516371efcf4151bdda66a0c648b2029e2fb8faa1a7f1db2d443cfaee93e381e

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\vk_swiftshader.dll
Filesize
4.4MB

MD5
78529d2ae871b3b99a6d34ecee08f48e

SHA1
5af9d6e49da575dfb7e949783a073014e4d537cf

SHA256
8c7f1f80cbd678b45ade5dab31e5979abf1e3a769175b94855041bddcd0153fa

SHA512
927907ad5ffe48a220844a05df063e2aaf1cc8ecb0a168e30fa235903c7c58d11516371efcf4151bdda66a0c648b2029e2fb8faa1a7f1db2d443cfaee93e381e

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\vk_swiftshader_icd.json
Filesize
106B

MD5
8642dd3a87e2de6e991fae08458e302b

SHA1
9c06735c31cec00600fd763a92f8112d085bd12a

SHA256
32d83ff113fef532a9f97e0d2831f8656628ab1c99e9060f0332b1532839afd9

SHA512
f5d37d1b45b006161e4cefeebba1e33af879a3a51d16ee3ff8c3968c0c36bbafae379bf9124c13310b77774c9cbb4fa53114e83f5b48b5314132736e5bb4496f

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\vulkan-1.dll
Filesize
830KB

MD5
c9fb3bb48c9d7d5079970714e600d019

SHA1
f94a3106a2be0c665f23298145eecaed129908f7

SHA256
9d262350a89e366d253bde5c295994645b1e0c1532749ff3e624c8b64a58b751

SHA512
de95cfc26874da7a1f4e972c73d6a7ef0edcc3f04f43149a4441e3d1b44fdf1a4567e04d02cf92e06b187c133c13c9299522b799b9cb9d44373427bd1bdb3160

Download Submit
C:\Users\Admin\AppData\Local\Programs\anytype2\vulkan-1.dll
Filesize
830KB

MD5
c9fb3bb48c9d7d5079970714e600d019

SHA1
f94a3106a2be0c665f23298145eecaed129908f7

SHA256
9d262350a89e366d253bde5c295994645b1e0c1532749ff3e624c8b64a58b751

SHA512
de95cfc26874da7a1f4e972c73d6a7ef0edcc3f04f43149a4441e3d1b44fdf1a4567e04d02cf92e06b187c133c13c9299522b799b9cb9d44373427bd1bdb3160

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10E4.tmp\SpiderBanner.dll
Filesize
9KB

MD5
17309e33b596ba3a5693b4d3e85cf8d7

SHA1
7d361836cf53df42021c7f2b148aec9458818c01

SHA256
996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93

SHA512
1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10E4.tmp\StdUtils.dll
Filesize
100KB

MD5
c6a6e03f77c313b267498515488c5740

SHA1
3d49fc2784b9450962ed6b82b46e9c3c957d7c15

SHA256
b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e

SHA512
9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10E4.tmp\System.dll
Filesize
12KB

MD5
0d7ad4f45dc6f5aa87f606d0331c6901

SHA1
48df0911f0484cbe2a8cdd5362140b63c41ee457

SHA256
3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca

SHA512
c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10E4.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10E4.tmp\WinShell.dll
Filesize
3KB

MD5
1cc7c37b7e0c8cd8bf04b6cc283e1e56

SHA1
0b9519763be6625bd5abce175dcc59c96d100d4c

SHA256
9be85b986ea66a6997dde658abe82b3147ed2a1a3dcb784bb5176f41d22815a6

SHA512
7acf7f8e68aa6066b59ca9f2ae2e67997e6b347bc08eb788d2a119b3295c844b5b9606757168e8d2fbd61c2cda367bf80e9e48c9a52c28d5a7a00464bfd2048f

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10E4.tmp\nsExec.dll
Filesize
6KB

MD5
ec0504e6b8a11d5aad43b296beeb84b2

SHA1
91b5ce085130c8c7194d66b2439ec9e1c206497c

SHA256
5d9ceb1ce5f35aea5f9e5a0c0edeeec04dfefe0c77890c80c70e98209b58b962

SHA512
3f918f1b47e8a919cbe51eb17dc30acc8cfc18e743a1bae5b787d0db7d26038dc1210be98bf5ba3be8d6ed896dbbd7ac3d13e66454a98b2a38c7e69dad30bb57

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsk10E4.tmp\nsis7z.dll
Filesize
424KB

MD5
80e44ce4895304c6a3a831310fbf8cd0

SHA1
36bd49ae21c460be5753a904b4501f1abca53508

SHA256
b393f05e8ff919ef071181050e1873c9a776e1a0ae8329aefff7007d0cadf592

SHA512
c8ba7b1f9113ead23e993e74a48c4427ae3562c1f6d9910b2bbe6806c9107cf7d94bc7d204613e4743d0cd869e00dafd4fb54aad1e8adb69c553f3b9e5bc64df

Download Submit
C:\Users\Admin\Downloads\Anytype Setup 0.26.1.exe
Filesize
334.4MB

MD5
e8cbcafe444a9d82a690265053d49e9e

SHA1
ffb7049966a583663f46518d1484cbfa33d6b245

SHA256
2f5ffee37984891abe2bca31178b038f9a6f3790808a9c8fa780c5c55411677e

SHA512
ae365a3a760f4a77a5ba20cefc3def1a05b4703f4293d26cc21a2d993be10d32516998061c18e88a0be5f4561875bbb4c706666c02666888af3b72a771baee87

Download Submit
C:\Users\Admin\Downloads\Anytype Setup 0.26.1.exe
Filesize
334.4MB

MD5
e8cbcafe444a9d82a690265053d49e9e

SHA1
ffb7049966a583663f46518d1484cbfa33d6b245

SHA256
2f5ffee37984891abe2bca31178b038f9a6f3790808a9c8fa780c5c55411677e

SHA512
ae365a3a760f4a77a5ba20cefc3def1a05b4703f4293d26cc21a2d993be10d32516998061c18e88a0be5f4561875bbb4c706666c02666888af3b72a771baee87

Download Submit
\??\pipe\crashpad_4420_AVMWMUSXTNSVIKQM
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1644-139-0x0000000000000000-mapping.dmp

Download
memory/2064-141-0x0000000000000000-mapping.dmp

Download
memory/3508-179-0x0000000000000000-mapping.dmp

Download
memory/4072-162-0x0000000000000000-mapping.dmp

Download
memory/4452-154-0x0000000000000000-mapping.dmp

Download
memory/4456-132-0x0000000000000000-mapping.dmp

Download
memory/4656-140-0x0000000000000000-mapping.dmp

Download
memory/4940-177-0x0000000000000000-mapping.dmp

Download