b297a3e0403dc3b27fcd955c9a00efb0b757da79bc3de9bba4e14a89d30a330c

Analysis

max time kernel
77s
max time network
49s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-01-2023 14:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

1024.0MB
MD5

eaad183f45933c9a0555faa8fc11ad18
SHA1

18f60cb6fc480c630ebb7840a0ce221204c1a35d
SHA256

001089c78854b89c19d1636239e822160f1e84d3ffd1f60d59907e075c71c7a0
SHA512

4b8c93e501a1be9d1b819089d6e7fb5b29c9b355acb2b9018b19cf5e675b5d3c3630ac861a4a2ad576984cce48d5e5c651d431b18d60decce6837fa6fa720791
SSDEEP

393216:yqvNmrbQZmAPE6a2/vVyBTVKc7c85j4euNCb/9rEaQWwdKmleIw6v0vo:X8A8l2/oWcI8j4euC/dEaPwdKmAIxvM

Score

10^/10

evasion persistence trojan

Malware Config

Signatures

UAC bypass 3 TTPs 10 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe

Adds Run key to start application 2 TTPs 20 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Key created	\REGISTRY\MACHINE\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\readme = "C:\\Users\\Public\\readme.exe"	AnyDesk.exe

Checks whether UAC is enabled 1 TTPs 20 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

powershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.execonhost.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exepowershell.exe

pid	process
1812	powershell.exe
268	powershell.exe
1820	powershell.exe
1876	powershell.exe
1700	powershell.exe
2024	powershell.exe
2028	powershell.exe
1420	powershell.exe
768	powershell.exe
2056	powershell.exe
2000	powershell.exe
2184	powershell.exe
2212	powershell.exe
2324	powershell.exe
2224	powershell.exe
836	powershell.exe
2724	powershell.exe
2772	powershell.exe
2760	powershell.exe
3064	powershell.exe
288	powershell.exe
2196	powershell.exe
2152	powershell.exe
544	powershell.exe
756	powershell.exe
1452	powershell.exe
2424	powershell.exe
2364	powershell.exe
1956	powershell.exe
948	powershell.exe
2708	powershell.exe
2524	powershell.exe
2296	powershell.exe
2916	powershell.exe
2812	powershell.exe
2784	powershell.exe
924	powershell.exe
2840	powershell.exe
2800	powershell.exe
2776	powershell.exe
2996	powershell.exe
2152	powershell.exe
1972	powershell.exe
3032	powershell.exe
3016	powershell.exe
3068	powershell.exe
2216	powershell.exe
2068	powershell.exe
1452	powershell.exe
1260	powershell.exe
2884	conhost.exe
2164	powershell.exe
2304	powershell.exe
1524	powershell.exe
516	powershell.exe
2312	powershell.exe
2116	powershell.exe
2740	powershell.exe
2420	powershell.exe
2992	powershell.exe
2696	powershell.exe
1828	powershell.exe
2388	powershell.exe
1028	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

description	pid	process
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	268	powershell.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	768	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	288	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	544	powershell.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2524	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2784	powershell.exe
Token: SeDebugPrivilege	924	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	3032	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	2884	conhost.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2740	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

AnyDesk.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 1492 wrote to memory of 1640	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1640	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1640	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1640	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1892	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1892	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1892	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1892	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 996	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 996	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 996	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 996	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1712	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1712	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1712	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1712	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1984	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1984	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1984	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1984	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1980	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1980	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1980	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1980	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1092	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1092	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1092	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 1092	1492	AnyDesk.exe	cmd.exe
PID 1640 wrote to memory of 1876	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 1876	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 1876	1640	cmd.exe	powershell.exe
PID 1640 wrote to memory of 1876	1640	cmd.exe	powershell.exe
PID 1492 wrote to memory of 888	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 888	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 888	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 888	1492	AnyDesk.exe	cmd.exe
PID 1892 wrote to memory of 1812	1892	cmd.exe	powershell.exe
PID 1892 wrote to memory of 1812	1892	cmd.exe	powershell.exe
PID 1892 wrote to memory of 1812	1892	cmd.exe	powershell.exe
PID 1892 wrote to memory of 1812	1892	cmd.exe	powershell.exe
PID 1492 wrote to memory of 696	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 696	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 696	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 696	1492	AnyDesk.exe	cmd.exe
PID 1712 wrote to memory of 836	1712	cmd.exe	powershell.exe
PID 1712 wrote to memory of 836	1712	cmd.exe	powershell.exe
PID 1712 wrote to memory of 836	1712	cmd.exe	powershell.exe
PID 1712 wrote to memory of 836	1712	cmd.exe	powershell.exe
PID 1492 wrote to memory of 544	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 544	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 544	1492	AnyDesk.exe	cmd.exe
PID 1492 wrote to memory of 544	1492	AnyDesk.exe	cmd.exe
PID 1092 wrote to memory of 1420	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1420	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1420	1092	cmd.exe	powershell.exe
PID 1092 wrote to memory of 1420	1092	cmd.exe	powershell.exe
PID 1984 wrote to memory of 268	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 268	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 268	1984	cmd.exe	powershell.exe
PID 1984 wrote to memory of 268	1984	cmd.exe	powershell.exe
PID 1980 wrote to memory of 1820	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 1820	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 1820	1980	cmd.exe	powershell.exe
PID 1980 wrote to memory of 1820	1980	cmd.exe	powershell.exe

System policy modification 1 TTPs 10 IoCs

evasion

Modify Registry

T1112

Processes:

AnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exeAnyDesk.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- UAC bypass
- Adds Run key to start application
- Checks whether UAC is enabled
- Suspicious use of WriteProcessMemory
- System policy modification
PID:1492
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1640
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1892
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1812
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
  2⤵
  PID:996
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1700
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1820
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:268
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1712
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:836
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1092
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1420
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
  2⤵
  PID:888
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:768
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
      4⤵
      PID:2656
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
  2⤵
  PID:696
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2024
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  2⤵
  PID:544
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2028
  - - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
      4⤵
      UAC bypass
      Adds Run key to start application
      Checks whether UAC is enabled
      System policy modification
      PID:1672
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        5⤵
        
        PID:1172
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        5⤵
        
        PID:1812
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        5⤵
        
        PID:2084
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        5⤵
        
        PID:516
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        5⤵
        
        PID:1876
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        5⤵
        
        PID:432
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        5⤵
        
        PID:1460
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        5⤵
        
        PID:892
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        5⤵
        
        PID:2632
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        5⤵
        
        PID:2648
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        7⤵
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        System policy modification
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        8⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        8⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        8⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        8⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        8⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        8⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        8⤵
        
        PID:900
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        8⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        8⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        8⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        9⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        10⤵
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        System policy modification
        
        PID:2076
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        11⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        11⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        13⤵
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        System policy modification
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        14⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        14⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        14⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        14⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        14⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        14⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        14⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        14⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        14⤵
        
        PID:560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        14⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        15⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        16⤵
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        System policy modification
        
        PID:2256
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        17⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2740
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        17⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        18⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        17⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        17⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        18⤵
        
        PID:2884
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        17⤵
        
        PID:624
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        17⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        17⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        17⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        19⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        17⤵
        
        PID:664
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        17⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        18⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        19⤵
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        System policy modification
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        20⤵
        
        PID:1116
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        20⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        21⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        20⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        21⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        20⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        22⤵
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        System policy modification
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        23⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        24⤵
        
        PID:2064
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        23⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        24⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        25⤵
        UAC bypass
        Adds Run key to start application
        Checks whether UAC is enabled
        System policy modification
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        26⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        27⤵
        
        PID:2960
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        26⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        27⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        26⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        27⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        26⤵
        
        PID:1184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        27⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        26⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        27⤵
        
        PID:828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        26⤵
        
        PID:580
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        27⤵
        
        PID:2688
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        26⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        27⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        26⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        26⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        27⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        26⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        27⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        23⤵
        
        PID:2184
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        24⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        23⤵
        
        PID:1224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        24⤵
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        23⤵
        
        PID:2800
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        24⤵
        
        PID:2012
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        23⤵
        
        PID:2788
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        24⤵
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        23⤵
        
        PID:944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        24⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        23⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        24⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        23⤵
        
        PID:316
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        24⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        23⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        24⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        25⤵
        
        PID:1208
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        20⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        21⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        20⤵
        
        PID:696
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        21⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        22⤵
        
        PID:2476
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        20⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        21⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        20⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        20⤵
        
        PID:1740
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        20⤵
        
        PID:888
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        21⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        21⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        18⤵
        
        PID:2000
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        11⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        11⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        11⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        11⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        11⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        11⤵
        
        PID:576
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        11⤵
        
        PID:1588
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        11⤵
        
        PID:892
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        12⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "102665436-2977590771396001302-818841774-17517350599568495-10933549181001288605"
1⤵
PID:664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7253216252111658761115370772-404077636-556101221-615063255374718747-1240839882"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
1⤵
PID:2700
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  2⤵
  - UAC bypass
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - System policy modification
  PID:268
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
    3⤵
    PID:2268
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
      4⤵
      PID:316
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      4⤵
      PID:1892
    - - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        6⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        7⤵
        
        PID:828
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        7⤵
        
        PID:2456
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        6⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        7⤵
        
        PID:2676
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        8⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        9⤵
        
        PID:1092
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        10⤵
        
        PID:1876
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        9⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        10⤵
        
        PID:1892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        9⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        10⤵
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        9⤵
        
        PID:2708
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        10⤵
        
        PID:2104
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        9⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        10⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        9⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        10⤵
        
        PID:2600
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        9⤵
        
        PID:2028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        10⤵
        
        PID:836
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        9⤵
        
        PID:2852
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        10⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        9⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        10⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        9⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        10⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        11⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        12⤵
        
        PID:1872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        13⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        12⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        12⤵
        
        PID:888
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        12⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        12⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        13⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        12⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        12⤵
        
        PID:680
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        12⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        12⤵
        
        PID:1900
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        6⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        7⤵
        
        PID:460
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        6⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        7⤵
        
        PID:2384
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        6⤵
        
        PID:2112
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        7⤵
        
        PID:2560
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        6⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        7⤵
        
        PID:2156
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        6⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        7⤵
        
        PID:1872
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        6⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        7⤵
        
        PID:2120
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        6⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        7⤵
        
        PID:1520
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
    3⤵
    PID:556
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
      4⤵
      PID:2908
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        5⤵
        
        PID:2840
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
    3⤵
    PID:3012
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
      4⤵
      PID:624
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
    3⤵
    PID:1096
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
      4⤵
      PID:2096
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
    3⤵
    PID:2536
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
      4⤵
      PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
    3⤵
    PID:2280
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
      4⤵
      PID:1124
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
    3⤵
    PID:1872
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
      4⤵
      PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
    3⤵
    PID:2188
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
      4⤵
      PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
    3⤵
    PID:2152
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
      4⤵
      PID:2772
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    3⤵
    PID:2396
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      4⤵
      PID:2144
    - - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        5⤵
        
        PID:2216
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        6⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        7⤵
        
        PID:1184
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        6⤵
        
        PID:560
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        7⤵
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        6⤵
        
        PID:2088
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        7⤵
        
        PID:2608
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        6⤵
        
        PID:2404
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        7⤵
        
        PID:1908
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        6⤵
        
        PID:2848
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        7⤵
        
        PID:2992
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        6⤵
        
        PID:2224
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        7⤵
        
        PID:548
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        6⤵
        
        PID:420
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        7⤵
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        6⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        7⤵
        
        PID:2624
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        6⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        7⤵
        
        PID:2228
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        6⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        7⤵
        
        PID:2312
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        8⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        9⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        10⤵
        
        PID:2536
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        9⤵
        
        PID:2804
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        9⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        9⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        9⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        9⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        9⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        9⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        10⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        11⤵
        
        PID:1296
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        9⤵
        
        PID:2940
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        5⤵
        
        PID:2272

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
1⤵
PID:3032

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
1⤵
PID:2960

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
1⤵
PID:2184
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
  2⤵
  PID:2300
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
    3⤵
    PID:2812
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
      4⤵
      PID:1168
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
    3⤵
    PID:2040
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
      4⤵
      PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    3⤵
    PID:3068
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
      4⤵
      PID:3056
    - - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        5⤵
        
        PID:2092
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        6⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        7⤵
        
        PID:1396
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        6⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        7⤵
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        6⤵
        
        PID:1064
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        7⤵
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        6⤵
        
        PID:516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        7⤵
        
        PID:2028
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        6⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        7⤵
        
        PID:2332
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        6⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        7⤵
        
        PID:2500
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        6⤵
        
        PID:1524
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        7⤵
        
        PID:2768
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        6⤵
        
        PID:556
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        7⤵
        
        PID:2204
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        6⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        7⤵
        
        PID:980
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        6⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        7⤵
        
        PID:1208
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        8⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        9⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        10⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        9⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        10⤵
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        9⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        10⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        9⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        10⤵
        
        PID:324
        
        C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
        11⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
        12⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
        12⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        12⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        12⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        12⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        12⤵
        
        PID:964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
        12⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        12⤵
        
        PID:2200
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        12⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
        12⤵
        
        PID:1964
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
        9⤵
        
        PID:2252
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
        9⤵
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
        9⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
        9⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
        9⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
        9⤵
        
        PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
    3⤵
    PID:2720
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
      4⤵
      PID:1700
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
    3⤵
    PID:3016
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
      4⤵
      PID:2276
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
      4⤵
      PID:1984
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
    3⤵
    PID:2880
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
      4⤵
      PID:1196
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
    3⤵
    PID:2420
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
      4⤵
      PID:1380
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
    3⤵
    PID:828
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
      4⤵
      PID:2456
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
    3⤵
    PID:2100
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
      4⤵
      PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd.exe /c powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
    3⤵
    PID:2384
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
      4⤵
      PID:2328

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
1⤵
PID:2180

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
1⤵
PID:2644

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
1⤵
PID:2168

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
1⤵
PID:756

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
1⤵
PID:2608

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
1⤵
PID:1588

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
1⤵
PID:2348

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
1⤵
PID:2524

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\Users\Public\readme.exe
1⤵
PID:2888

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Downloads
1⤵
PID:1824

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Music
1⤵
PID:1876

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public
1⤵
PID:2724

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Downloads
1⤵
PID:1992

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\Desktop
1⤵
PID:3016

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local
1⤵
PID:1908

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Public\Documents
1⤵
PID:420

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp
1⤵
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
f0858bc3d69b44e4410eeb8a2d1a9cae

SHA1
d3d8f846f45b152dd8ced9c394d57283bd059893

SHA256
738eda103831516c2e70cc6ae7a7d0770edc095536f7f0d992da56b2359fd3bf

SHA512
f79f478e752b0ecfb90ff5b8783dd0f1f6ce39ba03f7b9ad550963534b492eb8750cf1f71d8886cd84f6c9696ac018dbe8c31e52285d026c2713a7c5b1727fd2

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/268-117-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/268-71-0x0000000000000000-mapping.dmp

Download
memory/268-93-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/288-180-0x0000000000000000-mapping.dmp

Download
memory/288-202-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/288-225-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/432-110-0x0000000000000000-mapping.dmp

Download
memory/516-113-0x0000000000000000-mapping.dmp

Download
memory/544-69-0x0000000000000000-mapping.dmp

Download
memory/544-211-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/544-231-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/544-193-0x0000000000000000-mapping.dmp

Download
memory/696-65-0x0000000000000000-mapping.dmp

Download
memory/756-189-0x0000000000000000-mapping.dmp

Download
memory/756-215-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/756-230-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/768-101-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/768-129-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/768-80-0x0000000000000000-mapping.dmp

Download
memory/836-67-0x0000000000000000-mapping.dmp

Download
memory/836-151-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/888-63-0x0000000000000000-mapping.dmp

Download
memory/892-108-0x0000000000000000-mapping.dmp

Download
memory/900-182-0x0000000000000000-mapping.dmp

Download
memory/948-267-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/948-244-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/996-57-0x0000000000000000-mapping.dmp

Download
memory/1092-61-0x0000000000000000-mapping.dmp

Download
memory/1172-106-0x0000000000000000-mapping.dmp

Download
memory/1420-70-0x0000000000000000-mapping.dmp

Download
memory/1420-100-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1420-128-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1452-229-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1452-218-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1452-196-0x0000000000000000-mapping.dmp

Download
memory/1460-109-0x0000000000000000-mapping.dmp

Download
memory/1476-192-0x0000000000000000-mapping.dmp

Download
memory/1492-54-0x0000000075921000-0x0000000075923000-memory.dmp

Filesize
8KB

Download
memory/1584-181-0x0000000000000000-mapping.dmp

Download
memory/1604-186-0x0000000000000000-mapping.dmp

Download
memory/1640-55-0x0000000000000000-mapping.dmp

Download
memory/1672-104-0x0000000000000000-mapping.dmp

Download
memory/1700-147-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1700-73-0x0000000000000000-mapping.dmp

Download
memory/1700-97-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1712-58-0x0000000000000000-mapping.dmp

Download
memory/1812-95-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-102-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1812-107-0x0000000000000000-mapping.dmp

Download
memory/1812-64-0x0000000000000000-mapping.dmp

Download
memory/1820-94-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1820-72-0x0000000000000000-mapping.dmp

Download
memory/1820-137-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-62-0x0000000000000000-mapping.dmp

Download
memory/1876-96-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1876-111-0x0000000000000000-mapping.dmp

Download
memory/1876-103-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/1892-56-0x0000000000000000-mapping.dmp

Download
memory/1940-235-0x0000000000000000-mapping.dmp

Download
memory/1944-183-0x0000000000000000-mapping.dmp

Download
memory/1956-205-0x0000000000000000-mapping.dmp

Download
memory/1956-222-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/1980-60-0x0000000000000000-mapping.dmp

Download
memory/1984-59-0x0000000000000000-mapping.dmp

Download
memory/2000-136-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2000-112-0x0000000000000000-mapping.dmp

Download
memory/2000-149-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-99-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2024-78-0x0000000000000000-mapping.dmp

Download
memory/2024-127-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-98-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-116-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2028-79-0x0000000000000000-mapping.dmp

Download
memory/2056-114-0x0000000000000000-mapping.dmp

Download
memory/2056-148-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2056-135-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2076-227-0x0000000000000000-mapping.dmp

Download
memory/2084-115-0x0000000000000000-mapping.dmp

Download
memory/2152-228-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-221-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2152-187-0x0000000000000000-mapping.dmp

Download
memory/2184-121-0x0000000000000000-mapping.dmp

Download
memory/2184-140-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2184-152-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2196-188-0x0000000000000000-mapping.dmp

Download
memory/2196-226-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2196-220-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2212-122-0x0000000000000000-mapping.dmp

Download
memory/2212-139-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2212-144-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2224-154-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2224-123-0x0000000000000000-mapping.dmp

Download
memory/2224-150-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2296-262-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-132-0x0000000000000000-mapping.dmp

Download
memory/2324-142-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2324-145-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2364-207-0x0000000000000000-mapping.dmp

Download
memory/2364-219-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2364-234-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-223-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2424-201-0x0000000000000000-mapping.dmp

Download
memory/2424-232-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/2524-260-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2632-153-0x0000000000000000-mapping.dmp

Download
memory/2648-155-0x0000000000000000-mapping.dmp

Download
memory/2708-247-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2708-156-0x0000000000000000-mapping.dmp

Download
memory/2724-165-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-170-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2724-157-0x0000000000000000-mapping.dmp

Download
memory/2760-173-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2760-160-0x0000000000000000-mapping.dmp

Download
memory/2772-172-0x0000000073BE0000-0x000000007418B000-memory.dmp

Filesize
5.7MB

Download
memory/2772-161-0x0000000000000000-mapping.dmp

Download
memory/2776-264-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2784-265-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2812-261-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2840-266-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2896-169-0x0000000000000000-mapping.dmp

Download
memory/2916-263-0x0000000074370000-0x000000007491B000-memory.dmp

Filesize
5.7MB

Download
memory/2960-174-0x0000000000000000-mapping.dmp

Download
memory/2972-175-0x0000000000000000-mapping.dmp

Download
memory/2992-176-0x0000000000000000-mapping.dmp

Download
memory/3016-177-0x0000000000000000-mapping.dmp

Download
memory/3040-178-0x0000000000000000-mapping.dmp

Download
memory/3064-209-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-224-0x0000000073630000-0x0000000073BDB000-memory.dmp

Filesize
5.7MB

Download
memory/3064-179-0x0000000000000000-mapping.dmp

Download