quasar | 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240221-en
resource tags

arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system
submitted
23/02/2024, 21:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

10^/10

quasar vanta spyware trojan

Malware Config

Extracted

Family

quasar

Version

1.4.1

Botnet

Vanta

2.tcp.eu.ngrok.io:11346

Mutex

2f626b58-6546-4776-989a-1b970e109b69

Attributes

encryption_key
4811C43E776477A0F19082FD684C2586D1559271
install_name
VantaFN.exe
log_directory
LogsK
reconnect_delay
3000
startup_key
Discord
subdirectory
SubDir

Signatures

Quasar RAT
Quasar is an open source Remote Access Tool.
trojan spyware quasar

Quasar payload 2 IoCs

resource	yara_rule
behavioral1/memory/3452-581-0x0000000000E30000-0x0000000001174000-memory.dmp	family_quasar
behavioral1/files/0x000700000002328a-587.dat	family_quasar

Legitimate hosting services abused for malware hosting/C2 1 TTPs 1 IoCs

Web Service

T1102

flow	ioc
97	2.tcp.eu.ngrok.io

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File created	C:\Windows\system32\SubDir\VantaFN.exe	VantaFN.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\system32\SubDir\VantaFN.exe	VantaFN.exe

Executes dropped EXE 1 IoCs

pid	Process
5140	VantaFN.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Creates scheduled task(s) 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4568	schtasks.exe
768	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Local Settings	msedge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
6064	NOTEPAD.EXE

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4864	AnyDesk.exe
4864	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
2292	msedge.exe
2292	msedge.exe
3020	msedge.exe
3020	msedge.exe
5216	identity_helper.exe
5216	identity_helper.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
372	AnyDesk.exe
5076	msedge.exe
5076	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe
2424	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	372	AnyDesk.exe
Token: 33	4792	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4792	AUDIODG.EXE
Token: SeDebugPrivilege	372	AnyDesk.exe
Token: SeDebugPrivilege	3452	VantaFN.exe
Token: SeDebugPrivilege	5140	VantaFN.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe

Suspicious use of SendNotifyMessage 35 IoCs

pid	Process
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
3020	msedge.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe
4864	AnyDesk.exe

Suspicious use of SetWindowsHookEx 5 IoCs

pid	Process
64	AnyDesk.exe
64	AnyDesk.exe
6072	AnyDesk.exe
6072	AnyDesk.exe
5140	VantaFN.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3240 wrote to memory of 372	3240	AnyDesk.exe	90
PID 3240 wrote to memory of 372	3240	AnyDesk.exe	90
PID 3240 wrote to memory of 372	3240	AnyDesk.exe	90
PID 3240 wrote to memory of 4864	3240	AnyDesk.exe	89
PID 3240 wrote to memory of 4864	3240	AnyDesk.exe	89
PID 3240 wrote to memory of 4864	3240	AnyDesk.exe	89
PID 3020 wrote to memory of 4232	3020	msedge.exe	99
PID 3020 wrote to memory of 4232	3020	msedge.exe	99
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2864	3020	msedge.exe	101
PID 3020 wrote to memory of 2292	3020	msedge.exe	102
PID 3020 wrote to memory of 2292	3020	msedge.exe	102
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103
PID 3020 wrote to memory of 1256	3020	msedge.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:4864
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:372
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:64
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    PID:6072

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xfc,0x128,0x7ffd966246f8,0x7ffd96624708,0x7ffd96624718
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
  2⤵
  PID:2864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2088 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2612 /prefetch:8
  2⤵
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:2168
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5092 /prefetch:1
  2⤵
  PID:4872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:5000
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:5196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3768 /prefetch:1
  2⤵
  PID:5344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:5504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
  2⤵
  PID:4016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4076 /prefetch:8
  2⤵
  PID:1532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:2092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,18070256570784095342,12284214467728864346,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1848 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2cc 0x304
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4792

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4872

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3140

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5972

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\VantaCrack1.7\cracked_by_zerox19.txt
1⤵
- Opens file in notepad (likely ransom note)
PID:6064

C:\Users\Admin\Downloads\VantaCrack1.7\VantaFN.exe
"C:\Users\Admin\Downloads\VantaCrack1.7\VantaFN.exe"
1⤵
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
PID:3452
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\VantaFN.exe" /rl HIGHEST /f
  2⤵
  - Creates scheduled task(s)
  PID:4568
- C:\Windows\system32\SubDir\VantaFN.exe
  "C:\Windows\system32\SubDir\VantaFN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:5140
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Discord" /sc ONLOGON /tr "C:\Windows\system32\SubDir\VantaFN.exe" /rl HIGHEST /f
    3⤵
    - Creates scheduled task(s)
    PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d4c957a0a66b47d997435ead0940becf

SHA1
1aed2765dd971764b96455003851f8965e3ae07d

SHA256
53fa86fbddf4cdddab1f884c7937ba334fce81ddc59e9b2522fec2d19c7fc163

SHA512
19cd43e9756829911685916ce9ac8f0375f2f686bfffdf95a6259d8ee767d487151fc938e88b8aada5777364a313ad6b2af8bc1aa601c59f0163cbca7c108fbc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
343e73b39eb89ceab25618efc0cd8c8c

SHA1
6a5c7dcfd4cd4088793de6a3966aa914a07faf4c

SHA256
6ea83db86f592a3416738a1f1de5db00cd0408b0de820256d09d9bee9e291223

SHA512
54f321405b91fe397b50597b80564cff3a4b7ccb9aaf47cdf832a0932f30a82ed034ca75a422506c7b609a95b2ed97db58d517089cd85e38187112525ca499cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
8fcf533cc39a60bd0d82356dcb670327

SHA1
55f068c355b09baad916c474694ee7c8b45f5440

SHA256
84dc7b0589d86b3f9ecffbee6663d46fde4a59a9ac375cc6fd042d4c749a43b1

SHA512
1349cd5465d3f06d6a85ade56560b242566bde644177e2349065041033b02df6bfc0c327f056ab19b2b516973cbb4c40799ce589f54776d9a96eef10c71eec59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
765f07e07a632eb3361873f3bdda5343

SHA1
f892421650f49fcda5331d28c3a7e4989e67ecc3

SHA256
868bdd54e6ba7c4e7395ba04b28f53083b8d77bf72547ebf1251257ab333de09

SHA512
adf485400bc698ca36a33693ec91af42890244c78c2d9064759feb8e9768d7acadce0e1b017b1782525860dba5fffa40b06d58cfb740e718cce656561f9afc7d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
94894cd87008f9a8594fae02aae2ac99

SHA1
8bc703195068579e5c306de0bc960b60456e88ae

SHA256
871e33cbda44496ab9c32a9605208241305150362e8a74a8dc695810c899a19d

SHA512
26dd7b11269de843f96a432620e8fb2424c6c99fe4ad9485b224d8f2b7a4bd61e2dbe24e5878b63fe82bb4b38ae7b0b0ae399ca10a2bb8baa1c12ed94c0cdd8a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c2ac0477060a394779da45cf5edc30f1

SHA1
4a9fe2266b645eb464b19b17e04b58d0f138e651

SHA256
dbca9685551e2f7600e9499df46313235e0063710b9a5bb1a56a167093841464

SHA512
5a3365bc0e24c283aa7793c6953c1d966cf1f87315382c68b083c0ca30a37cb7bb0229482217067de75bae9ad6420d6497f6f23b1c41ad1c43349e50f77b0cfa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
522f88c596de26ae7d87c0aadafa0f9c

SHA1
eb4ad865c03716cb0aed9fd86e5e2cb18b48de7b

SHA256
e472a590a120c9e54055889f2403c02c7328dddd898ccddbeec55244644aa074

SHA512
3704e34e2d9f6f0f8b68805fd4d0d32da42476a4e893a77803def6fbd0fadc7b1b0e9715b68a6d16ee05b21ec7964a5f95420daa2c20b87f5973a955ad1428d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c8772fffd3194de628f1b61c216721eb

SHA1
c75bcaec5c45ed6638da379dd2064c0609bfc745

SHA256
de9e30ddc6a0c9c443b036f6ade0bd940934fd336d2430de1c2942d2cac03ee5

SHA512
2c63154885471bdbd2ade4170804ba86113b96843b9ef930cea0d904a5900af906355bd32d3d76218b28045a5a66dd7e21e93886502a697402397672393a7478

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
ace63f9cba0077dd3cd49383ff06ebd7

SHA1
f2315e69c58d77a82af3fa84abddc5ed992aa4be

SHA256
b082dc43be58e6604ab36b3060ba42bff155533ce6e4652ce5c2856475de5a94

SHA512
5d6e9d3fa733cf55ec7dab65c213f3b622ace2716d0cf308fcd4548bbc11890929d9e84e11b34ecdb69b55b9be61e267b8217233eb16e8acca1a422fc9302d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
5KB

MD5
636f5e52f839b691c75f165ecf94c192

SHA1
01539fdf62bf4b7b245c0f443e2054431ef7f722

SHA256
b948b5cae8b5596f008dd347305b46c422b4ff81b0d187e9c730cea03fc67f0c

SHA512
51959c312d2ed374108abe83b02cd8e92781181f4b2cd3f609434d2eb42656511efb78fa15de49e2a0d37f408c04e64980aab15cefd11267abb2407e3b4fd95b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
39KB

MD5
5867d9179c08cc71c2fc991fe09b6683

SHA1
a3efbf2410496ffcd3b8ef63366b9f7226b653c9

SHA256
25f455db9927a2b32995ad9c02f64bc944b3869fe150d8dbf4378657dfe2d897

SHA512
021ed74ccf1f62fba627748dd3a5e0f01b0909dedfca5df6a032285d7a7fcd19a0b235a2cc07ee5a47c6a0c4a7a8f204fbf63a63aca4d16b93b35c9e702d9385

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
79KB

MD5
4a6f528dfd6cda8c08debcf6dd7835b8

SHA1
a3b6fd862baf6c517cffb8bb033d71d0efe1f4d1

SHA256
00355cb3fd9440ddcaadcab0a16e6f6bafe81b467dd5bd3479b1c3255f313edf

SHA512
0a72d3b1f39287d7ecda04b5593aa7aa576b9e68c0acfb625279412fa4a5509e1aba8068e067fd217c7f4719499f38c98488adee8b62f7b247dcd028b474ea2d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0b6578f39088293ab050e6eb2c76adb5

SHA1
037b39add39729212478001456695290bbbcfd3d

SHA256
998f26993d03d037397f3d13b1aecb7fc247d6ffa6c43ea05c4f7d997f4da292

SHA512
9e0896ceb0b38ff0f082a3910ca852d4b0d2795e13ae1bfb37bc830089857820acf2d36a30111c2d415a1cc29abf4897ab2fff1e1f4c374404107cd9159341ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
0cfe15c24805e59d07f95310372fc4ce

SHA1
3e0aba95c1c76b7a4f2816e4decf971f769d7ad2

SHA256
078ba9a2c47869d7b788a59615585fcadb8d110895901c2fd1f241cbd7212039

SHA512
0e84e74ce2eb00a2f659952a64ad3f2405777cc22eae8693fcd7d9e97d1f8f92e6dce3f3f1d2b6b053cfed0c8bef86dc3f090ac7d804b0a486c6f78397b5f9f5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
c181b896c516219a9582c9426c9f6a73

SHA1
cd12ac364a89b9350a61ce8260d332c409918152

SHA256
78ed9bd901010cc517595ebb7b7f6942c48702263c5a6db9dfd42858db19e4ee

SHA512
d542925060cbbbe705229b4c2affbcd50ff805d3e86f1ff5fd869c1858b3509c250ae791cf4821e08c8621214f74f46291fed114196af2592be4c5928f81813a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
b5e9de8c2032c788b401469ed6fbf1d9

SHA1
3de8ef667460e340393e7e5a84f98605f190ac6f

SHA256
9f42cf2b72dedca9bda52657236b222d16131ba0b27deb2f5cbdbc73f76de432

SHA512
6208aa8da58618c4edeab90551a39e2da3f3537da76b11d57d097dcc4bc422bff43cf227e721dd1289beca0cce88a897ae437b724744be59e7e694750ec66b9d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
98d1df94cbfe0614db4956e985106e6f

SHA1
4288bd009b58018a4cdfbef749fe5f6f302f4530

SHA256
9e8260ed3253d81f14e15aad01e388c24d551a73a53232ddd51c429ae6753104

SHA512
516db9c727df107863da61e9f0f6be2497716e8d0456b50c67ab3381f9ebf853f81b95ff9d0a3edf86cb76c6d2f9d456018ffddaadc9a86695f370e639795ef7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
c527a38a58563f8f5ddf18e241a5fd64

SHA1
00b5e4df6b3fb437b0d6ba01ed91a1f377b3fd2d

SHA256
cdfc35c6bfcf442deb7f92d5e30aba281d1422e5c2989ed969e4b893e938cedb

SHA512
bcb56b4fed3c9519c24695652cf442487cb71b656d7442fea27cdbe924f3643a8052e394426bd4be598fd210ec23160fb2fb09fc51646bce93ae63ae88cdd57b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
feaa71aa72d19731613c90fb517a0f9e

SHA1
7043cf14f612eff019df60f3135020313472c1fd

SHA256
512dd2fda11cfce313ccc03a5f6afae57ee9566840d541d425d4df8540307066

SHA512
7fc75fd638b4c9b54672dfa45d07bc2f94dd88a34d4ddb4ad1c8efa445584e9f7d2eb0bfaf77f3cb102c61eb3b1291a533d3927219be420fa5b53b0a0043d2f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
0b5f865c97b920f99bb2c3aed19076d6

SHA1
f046e88c8f17c0adb32be48d4940a112637ce85a

SHA256
691e3c9d7aa608fe1055cf4ec021aae0aa9070e1fc754a13a347b8f90bc25e57

SHA512
1380e29502c80a0d26008cc3dd1eafdb5a9fddd771e9001843f6391a0b776c30f79ec54ab658bc017a9a5641cacf7d877ab62d820890f1c47a6ddb6329f941e7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3c171eb94756f2e010995e6dbcdae069

SHA1
6c08c1569f14f2627d3502afa0d2817f2eede46e

SHA256
02b02dd7ed5342c4642e266bf890097cc132007c2fb53f4d68142b014d82c948

SHA512
744a3dc29779c0fda1025845a3ac54ba0b294eb54796281756922b15c774517bf3549ddf25662fc3ff14bb529d0008c5d7e573a43467a7271912a48565ead73b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
929eb7aa37884c1a9bf65b4a439cc591

SHA1
12b929e76def0f5aa7a5f57660cb097ae3d6553e

SHA256
f109bfc35b3e18992378152fd36016f5755b74b7134295ff3c86686e16056956

SHA512
b833caf69d42671c7d6b5e4e5a6257d01fd39607fab3210f4ef75bc7d712c49f78200828045e0105351debb26df1c3e60073b4252ba50cae4eb93e6b89b467dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
e1987393a66b2ae6d927a1075c9441e1

SHA1
ae314109f3b129aaec4d5549dbb4cfb7214f334a

SHA256
b0daf9820c9090a55c0bb229f8453257c5ff186053df8bf357d577d6298d3bc6

SHA512
44a1cd2515a1bef5a28c527193a54ad25cae1f9e912656db4348d8539b0f5ba47318316558d152580fe021025d5904f87a05f3329d6cd96fd4233ad49447605e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
f7cccaf8c27db3240606078ba5db3038

SHA1
c4f3ee1d78bc66416809362ddc25e571c2746e0c

SHA256
3a89e59f11293282f41d94649e339a2b5181f490ff62268b5bba19b64fcfeff6

SHA512
bea8be080ffe7bc7eaed5575d289fa8880c7b23a667fb5359cbbf5a973a714417a5a0725ce1f2182aae5ade61139e5de3a2db2ebab4562648c21a6ff7bd8c4a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
66ecf46eae05e34bd91d5e18bd02ccb3

SHA1
3ede66a0c4533f9f904be7942a8c0e96b9231fc8

SHA256
38500feddaa7e129aaf9aba64cb4519f58f2e17bb45b4f9ab5b8592c8e10db4b

SHA512
9d18adda07bb47e9512faa2cc138519ac514f3dd7335a56bf74ffd8cdef9c805a6df92ae5ca131498e28cecb06bad31dc565a538ff9c38ff91699469dbc7d945

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0fd8dae8c62e7619c781758e446dc060

SHA1
8afa342d687a634b471e53fa737f8c3e4e630659

SHA256
5ba3a806873780e65c21c909d41988cad3dccdbf52ef96b7561b62c992d73eeb

SHA512
221185a69c1814adff8cf584dd8fa5aa0031418c6715cb43299936cc2584f490e68e73831609ace834301238ddd292e364b671eb32013fec318344e18cd7ef1b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
e082e0ae8a8d184a32f984525c8ad0e3

SHA1
6d87ddca3a9d33f1d6a873df51b75c9be2edd662

SHA256
e1cb77827ded634605a59728934ee296d35f85fe0dbe47e0cc1bf3eef10bd30e

SHA512
d764dc622766e4b727f5bbfe1f96d830831b285b961ed36f2609f77b105cf8992da82fd8d8202503f37e4732909ec66a124e6dcf8390c28615d019931ff844cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
9c103052e87f9048b9e000931984a403

SHA1
870aec8841666f42c3753210ba6d03642f8f532d

SHA256
201a214e11cb869a1520f361cfe39d1005670c95f32a4fa1a6d1034401acf1b6

SHA512
4c7a1c924f31b80237c996e37efeb5cc6df3ded7d6007d0ea77aa4ecefe0a74b56af219bf9107fb5f977efb458c4609c364b5c38048fec8669665d87cd31565f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
8f093d1d22defa70d9f2ba62bb5d07cc

SHA1
45bd06373ad5ae3b5693e50b91580d97c0c25654

SHA256
b6770eba0af0cf0955afe98941fb2980fde2211886707cea5979e6a07719d582

SHA512
3754de10f0f2b67bad450ffe270649e1be91f14b9960fc800cd9d760bd045a3676c85742ad759d01c8bf4fba3e6fcf599d0c676c7735076d1e2ebc0b3e13c130

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
5e36853ee1f8f38601e0aceb44f04a73

SHA1
cdcb07b43cce9c719236cd159b59dc6ab858b576

SHA256
2bcec8a7f6fd0133152acf0580d587d858ed11ec586c8dd657ab0971d114ba16

SHA512
02d11c20d10361f517143e73b9ca634e58aaf12ae029a980fda739100ec098c5dca4218ba94ddd16c191eb9473f04b65d96e01cdc7f8bb86f2add89a3a220061

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b945d21443f810ce96a1ad66ad597d72

SHA1
1a5db6304e5fd1bbb51bd4325cd488efb7d4bfa2

SHA256
328284d207b2cf852a8894f450d84389d1a0a29b65ea11611a3fda58020e12ad

SHA512
12a4930edbfc9acd51d9b08037480a45c5107e54a9f59dbaf194f742e7a17b7868a7435265ccf5d46d2e697cba94d96b0ac8ca2a622103ac464a18f8ddd24d50

Download Submit
C:\Users\Admin\Downloads\VantaCrack1.7.zip

Filesize
1.2MB

MD5
43b8cca39d98016c0c741241df57acd0

SHA1
a794a597598bb35d21e49a792863deb898fe4cf0

SHA256
708c4c0f8426f2f2c6aaaf2ab850bb9a35ab39ee2461d43ced1eaeac82dbf724

SHA512
164faa55c067a87d80e810c371033b11d6d8c332b81cd027e74dde8d00a4ed7a7d47e236b0a65c18c8da239847f65d24340f3831d06ccccc66096e246d947975

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db

Filesize
1024KB

MD5
5120931921bffd1031ce80023e6bacca

SHA1
14f04720e68c9feb3c9bedfaaf2b44e33994f358

SHA256
766cec83331fb9a964881dba8a4d6f764e7fbb05f73d1f6ba73257ec9bfc8312

SHA512
ccd7bd8e8eaa6afba4caf95056d29ec4716aa7870384da4b56c81a2ecfc378bb106677d0bec937adf9cd43502f746090b82f2e3bd5b6ae3cc3aa0b553fa52df3

Download Submit
C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
7KB

MD5
14bda2f1ac3ff6639c3c240fbfca881a

SHA1
5850f40a49e51fccfd4c45fc251b6e76d1d91d44

SHA256
13530fe3ccbf7c3e7e3f57932e2d86174041250362f350f87f9ebcc1a8a16eeb

SHA512
f2ccbb9706ae08e591c2dbd21c5c5bd289ca3772be1dc7bf970bac6fc31dd5aa283d66425cd1ce04d01a80ac9f50e1315f0700878fd35387bc97dd791c9b7993

Download Submit
C:\Windows\System32\SubDir\VantaFN.exe

Filesize
3.2MB

MD5
d56023f4312f45812b358ee694603c17

SHA1
e9559cbb4964ecd13705e6e03ca638258695eaa3

SHA256
ccb211135aad7dc5820840db5cb4c098ce12b27cd601fe29254ee2817b04e6cf

SHA512
e7e033f185ecbfd52353c5c8dd1bb3f41ef60fa11293a761436488b4299d9e5b6d9f5f043b115367fa96ded636d99f9e135445a80ac16016afdce92977322d60

Download Submit
memory/64-254-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/64-268-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/64-269-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/64-270-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/64-274-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/64-272-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/64-276-0x0000000005A00000-0x0000000005A01000-memory.dmp

Filesize
4KB

Download
memory/64-271-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/64-275-0x00000000059F0000-0x00000000059F1000-memory.dmp

Filesize
4KB

Download
memory/64-278-0x0000000005A20000-0x0000000005A21000-memory.dmp

Filesize
4KB

Download
memory/64-277-0x0000000005A10000-0x0000000005A11000-memory.dmp

Filesize
4KB

Download
memory/64-279-0x0000000005A30000-0x0000000005A31000-memory.dmp

Filesize
4KB

Download
memory/64-280-0x0000000005A40000-0x0000000005A41000-memory.dmp

Filesize
4KB

Download
memory/64-281-0x0000000005A50000-0x0000000005A51000-memory.dmp

Filesize
4KB

Download
memory/64-282-0x0000000005A60000-0x0000000005A61000-memory.dmp

Filesize
4KB

Download
memory/64-283-0x0000000005A70000-0x0000000005A71000-memory.dmp

Filesize
4KB

Download
memory/64-284-0x0000000005A80000-0x0000000005A81000-memory.dmp

Filesize
4KB

Download
memory/64-265-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/64-285-0x0000000005A90000-0x0000000005A91000-memory.dmp

Filesize
4KB

Download
memory/64-292-0x0000000005AB0000-0x0000000005AB1000-memory.dmp

Filesize
4KB

Download
memory/64-293-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/64-291-0x0000000005AA0000-0x0000000005AA1000-memory.dmp

Filesize
4KB

Download
memory/64-294-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/64-267-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/64-266-0x00000000057A0000-0x00000000057A1000-memory.dmp

Filesize
4KB

Download
memory/64-259-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/64-255-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/64-345-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/64-393-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-249-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-434-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-330-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-486-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-494-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-20-0x0000000001F90000-0x0000000001F91000-memory.dmp

Filesize
4KB

Download
memory/372-395-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-529-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/372-12-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/3240-86-0x00000000080A0000-0x00000000080A1000-memory.dmp

Filesize
4KB

Download
memory/3240-237-0x0000000007120000-0x0000000007121000-memory.dmp

Filesize
4KB

Download
memory/3240-91-0x0000000007110000-0x0000000007111000-memory.dmp

Filesize
4KB

Download
memory/3240-32-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/3240-0-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/3240-248-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/3240-33-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/3240-3-0x0000000001F50000-0x0000000001F51000-memory.dmp

Filesize
4KB

Download
memory/3240-1-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/3452-581-0x0000000000E30000-0x0000000001174000-memory.dmp

Filesize
3.3MB

Download
memory/4864-559-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/4864-531-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/4864-396-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/4864-11-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/4864-331-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/4864-23-0x00000000020A0000-0x00000000020A1000-memory.dmp

Filesize
4KB

Download
memory/4864-487-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/4864-250-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/6072-441-0x0000000003840000-0x0000000003841000-memory.dmp

Filesize
4KB

Download
memory/6072-460-0x0000000005950000-0x0000000005951000-memory.dmp

Filesize
4KB

Download
memory/6072-461-0x0000000005960000-0x0000000005961000-memory.dmp

Filesize
4KB

Download
memory/6072-462-0x0000000005980000-0x0000000005981000-memory.dmp

Filesize
4KB

Download
memory/6072-463-0x0000000005990000-0x0000000005991000-memory.dmp

Filesize
4KB

Download
memory/6072-464-0x00000000059A0000-0x00000000059A1000-memory.dmp

Filesize
4KB

Download
memory/6072-466-0x00000000059C0000-0x00000000059C1000-memory.dmp

Filesize
4KB

Download
memory/6072-465-0x00000000059B0000-0x00000000059B1000-memory.dmp

Filesize
4KB

Download
memory/6072-467-0x00000000059D0000-0x00000000059D1000-memory.dmp

Filesize
4KB

Download
memory/6072-468-0x0000000005780000-0x0000000005781000-memory.dmp

Filesize
4KB

Download
memory/6072-469-0x00000000057F0000-0x00000000057F1000-memory.dmp

Filesize
4KB

Download
memory/6072-470-0x0000000005970000-0x0000000005971000-memory.dmp

Filesize
4KB

Download
memory/6072-471-0x00000000059E0000-0x00000000059E1000-memory.dmp

Filesize
4KB

Download
memory/6072-459-0x0000000005940000-0x0000000005941000-memory.dmp

Filesize
4KB

Download
memory/6072-485-0x0000000007F10000-0x0000000007F11000-memory.dmp

Filesize
4KB

Download
memory/6072-458-0x0000000005930000-0x0000000005931000-memory.dmp

Filesize
4KB

Download
memory/6072-457-0x0000000005920000-0x0000000005921000-memory.dmp

Filesize
4KB

Download
memory/6072-488-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/6072-456-0x0000000005910000-0x0000000005911000-memory.dmp

Filesize
4KB

Download
memory/6072-496-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/6072-506-0x0000000005C10000-0x0000000005C11000-memory.dmp

Filesize
4KB

Download
memory/6072-455-0x0000000005900000-0x0000000005901000-memory.dmp

Filesize
4KB

Download
memory/6072-519-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/6072-454-0x00000000057D0000-0x00000000057D1000-memory.dmp

Filesize
4KB

Download
memory/6072-453-0x00000000057C0000-0x00000000057C1000-memory.dmp

Filesize
4KB

Download
memory/6072-451-0x0000000005790000-0x0000000005791000-memory.dmp

Filesize
4KB

Download
memory/6072-536-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download
memory/6072-452-0x00000000057B0000-0x00000000057B1000-memory.dmp

Filesize
4KB

Download
memory/6072-450-0x00000000056F0000-0x00000000056F1000-memory.dmp

Filesize
4KB

Download
memory/6072-449-0x00000000056D0000-0x00000000056D1000-memory.dmp

Filesize
4KB

Download
memory/6072-448-0x00000000056B0000-0x00000000056B1000-memory.dmp

Filesize
4KB

Download
memory/6072-437-0x0000000000060000-0x0000000001797000-memory.dmp

Filesize
23.2MB

Download