privateloader | 55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
01-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.0MB
MD5

a21768190f3b9feae33aaef660cb7a83
SHA1

24780657328783ef50ae0964b23288e68841a421
SHA256

55e4ce3fe726043070ecd7de5a74b2459ea8bed19ef2a36ce7884b2ab0863047
SHA512

ca6da822072cb0d3797221e578780b19c8953e4207729a002a64a00ced134059c0ed21b02572c43924e4ba3930c0e88cd2cdb309259e3d0dcfb0c282f1832d62
SSDEEP

98304:NzTZ3cINQscs0m++LNkT6OpwDGUUH57yvZ/49Mr8EO3QhA9Kq:Nzt3cINQscNmvLCwDkHEvZ/4R79x

Score

10^/10

privateloader loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1040	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4808	AnyDesk.exe
4808	AnyDesk.exe
1476	AnyDesk.exe
1476	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
4808	AnyDesk.exe
4808	AnyDesk.exe
4808	AnyDesk.exe
4808	AnyDesk.exe
2284	msedge.exe
2284	msedge.exe
2968	msedge.exe
2968	msedge.exe
4796	identity_helper.exe
4796	identity_helper.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4808	AnyDesk.exe
Token: 33	3040	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3040	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
620	AnyDesk.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
1040	AnyDesk.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe
2968	msedge.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
620	AnyDesk.exe
620	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1476 wrote to memory of 4808	1476	AnyDesk.exe	88
PID 1476 wrote to memory of 4808	1476	AnyDesk.exe	88
PID 1476 wrote to memory of 4808	1476	AnyDesk.exe	88
PID 1476 wrote to memory of 1040	1476	AnyDesk.exe	89
PID 1476 wrote to memory of 1040	1476	AnyDesk.exe	89
PID 1476 wrote to memory of 1040	1476	AnyDesk.exe	89
PID 2968 wrote to memory of 1452	2968	msedge.exe	107
PID 2968 wrote to memory of 1452	2968	msedge.exe	107
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 4580	2968	msedge.exe	108
PID 2968 wrote to memory of 2284	2968	msedge.exe	109
PID 2968 wrote to memory of 2284	2968	msedge.exe	109
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110
PID 2968 wrote to memory of 4860	2968	msedge.exe	110

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1476
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:620
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1040

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x504
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3040

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff9d5d346f8,0x7ff9d5d34708,0x7ff9d5d34718
  2⤵
  PID:1452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:2
  2⤵
  PID:4580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2264 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
  2⤵
  PID:4860
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3404 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3424 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4800 /prefetch:1
  2⤵
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2096 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  PID:4600
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4796
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1268
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3616 /prefetch:1
  2⤵
  PID:116
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,15361315528937866423,6719562645538982304,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:5216

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3820

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3548

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1cbd0e9a14155b7f5d4f542d09a83153

SHA1
27a442a921921d69743a8e4b76ff0b66016c4b76

SHA256
243d05d6af19bfe3e06b1f7507342ead88f9d87b84e239ad1d144e9e454b548c

SHA512
17e5217d5bf67571afb0e7ef30ac21c11ea6553f89457548d96ee4461011f641a7872a37257239fa5f25702f027afb85d5bd9faf2f2f183992b8879407e56a0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4e96ed67859d0bafd47d805a71041f49

SHA1
7806c54ae29a6c8d01dcbc78e5525ddde321b16b

SHA256
bd13ddab4dc4bbf01ed50341953c9638f6d71faf92bc79fbfe93687432c2292d

SHA512
432201c3119779d91d13da55a26d4ff4ce4a9529e00b44ec1738029f92610d4e6e25c05694adf949c3e9c70fbbbbea723f63c29287906729f5e88a046a2edcb7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
00a455d9d155394bfb4b52258c97c5e5

SHA1
2761d0c955353e1982a588a3df78f2744cfaa9df

SHA256
45a13c77403533b12fbeeeb580e1c32400ca17a32e15caa8c8e6a180ece27fed

SHA512
9553f8553332afbb1b4d5229bbf58aed7a51571ab45cbf01852b36c437811befcbc86f80ec422f222963fa7dabb04b0c9ae72e9d4ff2eeb1e58cde894fbe234f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b062229cdf00b0844230e038e7e761f7

SHA1
25767f9f0183f5d2395a366497f1d966dbbd80c0

SHA256
c37e5e3b45c2479f26174d140a5484193c7dd16346cb43ee38ea15332d1b2e5f

SHA512
4da465bf5505d03400cdf7fa2852d2911abff0e197c25e361082da3adcf888f1ddf3676fca3321ffee713b222739bfe5c58467267f4cf646414fe47c73064daa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a7878de39e33e921c9f08b4c061cb034

SHA1
7a508ec4fe702d04b146877e96a4966b0d2194de

SHA256
f350f1b3b2feec93372f9fe58e83c53bbe92d82d3600c52a2fa3c9a9a826d9d5

SHA512
02e9b0d07a48138b593137874357eff9f67a8e0dd052cb8e67c06ccd835a8657179c6f9a21f0c0b9ea98cbecbcca6db7f61c523aa1d3c88dda06cbf6bea97d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
42c6322dfa782f6e12713edd599f074d

SHA1
971b109c2edd4476c8dcd36091ae3f2cd43c8f75

SHA256
43242ee2f2f3d929b4915d406d981f19b46d4904de27440b2c970053da211b72

SHA512
e9f3d11296d0bbee8c48525eb2de7977d8caa0ebf1eacfab9ee7e09c5f6d6fbaf09e6d4bb48adf0059282031de6d5571bb3ee1570bf87971d7d647593d1d6010

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
853161664359b68a096ac976fcbecee3

SHA1
513f6748cabc94815bff29abfbfa0fdd50146ffd

SHA256
75e42fc12b8880e225a72bc890667264886f543c862399071700d378f5c199ae

SHA512
12fe3bb5718615afc1d3072218ef12eaf78d837efb3300f2de213be56692593019d49b2e3e5e727a13b342e04cbb6baf8374bebfe7eb9b25d221682e2d24ef24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6ae4c5573b6f226f2de34dfe38fdae76

SHA1
9e13d9d0aaa2273e2832e86ccfdd0d1d5343321f

SHA256
af56ccd8ebcbcc167e0d2c6bb2abca9e05029f92ec1621bcc53bfbea9971eb03

SHA512
bddba89f3895e3f327fc2afcc1a51f464a9095663f07256067d4a87a02c0b0986079ca595bc1e5a5cd5ecc1a7c2f93f343a14281c8aad75065ed60a014492219

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
8ea2acb93800025882c71b26780cde3e

SHA1
2e175c86d0bb8a5cd18f46f60011fdc50f72465d

SHA256
59452e4a5996a2c40e3d78686696e8222b3ddf2e09df0cbf7b74b169219edc15

SHA512
ae4bcf2ae81a45291cced541096fefe77304f235fff19e0db9f62e555f7e8fe2e7891e9b38e932804b51887a3d75c7aa7ea4866994b70c04ee6dfc16a6db7057

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
41KB

MD5
8946bd6264f9740cdbd4742bdb2dd66d

SHA1
3e5db27d9053219e8544060aa1042d1244b2c8a0

SHA256
c3272de2ce63add131d73404741341c72b7d696cc01119e213ec503c7b9a6e2a

SHA512
8bbb24d2bae4e96e064053d740de81ad6c36449a25fbaea7e378faecfbfe8d96feefd8615af7905a282d61de4e185ef156bfbcee083c4800e06a317565d8e403

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
34423cd45e5e9381f85d4e31a80dfbe9

SHA1
bae02ab812c06699bad26f04e3057223ba3b2a56

SHA256
ade75b6f8bb0d7d1f3e7ab1a0033cbf9643a8727f997cc14ed656a64421817a1

SHA512
a9a865ccec378528f4346dea7a25cd1145f2e090c9730df241f4b8a88cf998d64c95a2312b87182fb12839fe901122b6ebc8304eebb6edd1725d7351decdd48a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
b11c10e012770e58aab6ee56eaec1ec5

SHA1
fd9fbf525711d3976c8bbce80de50609ca21e146

SHA256
1523688ac79f7af33b612052a4576c96ef948efb6e9ede4e40453538b8f9a714

SHA512
b01d8cded3ded2bc4aa51184035bcdb7e585ef9d3eb1e340948865dc3e7b29ffd09b5718e5b7d66152eff9aefd084d9f123c08eceb42883aaea2f6c38c29ec25

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
681B

MD5
379493977b0b7ead0b2d05bdbd8ab07a

SHA1
2be299bb18ac8691b23baa3aad13eae29bd008eb

SHA256
e12af7ffdcca6ecb01e16e9bb288e0d9fec58b8092938a95d1bdf28b06d138f4

SHA512
478681ce1f00a72b2b8b239d92335f7f366845c67d845a8a760a12a091d71947c6cbfb04e3e0f6b0d5599eb31bdaa881ff7c19abf67ba10ae7f54b489dd77cab

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
7cf2c7fd689258b546d1c5add3ce1625

SHA1
fef688d119cd376d459c2088687bded1a982b1aa

SHA256
9c5e635e6677f5d2e5df71b3e809e2ffd342180b457788da4dbfa0843192b7e6

SHA512
b1ddb75ff46475d4de3e675986528d12a72054ac2c9a05751ad14cf306a9f937acc07e72aa757dc1da42dd9449ce6e254fa430d7f1261a6ce9cb1addb0af6afa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
406ffd8d840b91b9da532c7f84c46754

SHA1
9c6666960c2174601d59590a612a5c86e56e0c52

SHA256
76cc614de6fcc8db565e599fbd640117a195618afbad03521695bddd3552db7b

SHA512
c26dfc876fbef5fe810aa8454a5bc68d1367cbe1b6e91bc70b8d5c2101b4c30fc187d4a17b7bda1c9a6069b374617024fea509eae27d0d0e9186af2155869123

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
6aab091f6953f72fae9c0e9b7bf46ef1

SHA1
075445ce5850e5c3204db27a7bb335d63ea0e106

SHA256
78887385320384c2b32466f91a5553714a075485ac46c80d1b1d48d8ddd973ff

SHA512
7f7490c2d373176272c82682f168a8fefa978b524402866cd10184e3905736769c7747d4abd3a3b53d74869b8f41cc008bc1ac2d4493f5fa2d6775c75962855e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
f7f921e0cf230e2eefe358b2b2ea2d9a

SHA1
d5a2789d434cf3c62fb9cddee85d41c90d929765

SHA256
9df67360642a83edb4d5a59187a1c7fff96758d7294adeef833e23c7f29245aa

SHA512
b19c8d09f0c3d812f33d92aeecd2fde06fda2bf8340799ed32bb9e5b786e8bbdc5c75fa4d75056cbd9ca54bd0e78d3a86f6057700876c84b3ce6f221c3a630cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
d999d4062d6516ee2fb7a2358809a12d

SHA1
437effe21409aa3455ed3d62ecace44549c73650

SHA256
eac39832036487ef8768d56ec5853391330946db3bd2aa8a274adba9de811504

SHA512
af51da4fadf559dd51dd082b9ea137dbcea1a1017717a2a53671ef8e0fef5af0da5fdcb3ace7984e9c359d83bf2f5ebd2996aca62bd7f352456e951539fedece

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
1204fe412d5b51c2037fd514cce18540

SHA1
f11af1e7e1f63eb62c1416e905ebe1e4470afc4e

SHA256
06aada000ea9e66df6b8f4067c8e779975942a03687f01a9f0c6d38599b51afb

SHA512
ea47602872953359072a59a818065bd47005fa75d9ac598855384f0f0087c800101841e880ddbd808b0d1743153edf9908911a4358c6ab8bb61eda6fb117e9b8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3da7cb63c38f890415826058dd20fcc0

SHA1
372d7159481d0d8ba91599185dcfbb95f3f7607c

SHA256
82c6021b2d062150719cca35e522eaf771a6e016f67c14c028615d7e7404cdb5

SHA512
099bc94cd1a9538bf8c179b6c774cfb1af506c81628936985b70d91b7ee558f971167e2dba6c38290af4d4962eca86fa7e3290fef04cb504e13236e818355f5d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
b26f1706803ba2a0e5c9f99c2644efa0

SHA1
89597021b67db6849be47099b1b860b22f20db75

SHA256
1eb95d4dcda5e48b4455886e77f8db768314a84ef6c188e88e61bf12b74cd4ce

SHA512
ce8f5b3a4c4679501d73bdc0d8dd5f0727cafdc0d8263ec4a227c4d49f2ed37f5e7f452e71b6ddc99a8524477f3fdd6ac96cd988ebd7ed8c7a00bcf28ec37b6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
1dd544993d5d82c0ad44e5026e4097d6

SHA1
d22d0f46dba956433b0ddf0d51d4181e4b3ca26e

SHA256
fadbdb67ce13dcc06ce483506c53c4d1908ae9c24bccfeb2ecb7249342dcad6d

SHA512
96aa4be973756a60c2a3cdceab35d1d70a8c077c387f274f59d4a80b23ac4ec1d9f5d8c678066502d291673611c3e6e4be1dffbd03860e31ed13416949b2712e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
ac9cd7c8d0b1f6046ac07a855849ed79

SHA1
a8a1ceb4cda863f103e2af90d2dfe09c2597ae17

SHA256
f10b3c0cab90ca687c804791883f20e3fb3a9a3e5f49ed07332b3d618c75f6f3

SHA512
47fff2ce741b4d198285fbbf9019c24454a8c691a5e7f7766f5fc9d97aecd6a12f3a4f8f852aa0f8741956696bb60927b88a2c4548a4c69c0f09fdcbfa8bd1e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
c6157bae81aa28e58f35ad5f7b979232

SHA1
8c4263b33a644786edd97f1e07092b9297865ec1

SHA256
798ea1ea879c95fd1fda0d0814306348d3b75706c30d249b56d59f0a012d8b0a

SHA512
10eb3e625a1e8db9719699ecf70fec778e26887e1c60d331c1a14e15337bf11a534b07249ce3649517bec3df4761944a491954d863d0c05aba81a992482ca66c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
f26ac676e3efc2151ae6a39f83ade944

SHA1
bd310efad4e8503593ddca762fb68c4fadf2e730

SHA256
0695ac36177261db691cb66982996108bed678b69deb04537fa8c30ae5651a15

SHA512
3e018be36229a5d4ea589bdd62bafd232380175831a214d6c3042b8add38e88d7b8f283257582e422fa1b6a510d6478e704d77a39db01e6af0601fc9eac19128

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
dfb635ddabf8ac552d0aa967bd5c08ef

SHA1
01965b93ad797307756840e9c17ebc576e10bfa0

SHA256
43bda8326c93985b2890af1d02cfd24c69878afeacae8962038116fe4b72164c

SHA512
7506b46e0540d25202ca12f67f9f9f60f843946348218e47e1db41ba08f6cd962d31c3ca52aec8b5bf043c3b44cbc6ac2653b04ba94860f3d62950b526ce23e5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
8ee1bedf326f9cffd6a2fcdc3d32789d

SHA1
71b7b3ba60b3d42c3781134d2604cdf87a5ffd4e

SHA256
2c6e8a77a02f466686c0c774dca38ae8631e690fdf2e172697c3c252825a2d0d

SHA512
4c60490f4524dc783277cabdfd7fa5af0bd44ee2d94e60f61bf1a28526dd78c6cfa86afc94c174e2558579071e8204c82142540016a21e72de4f555a947adf9b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
a4e69d737dc184efba178e92a2ae71e4

SHA1
c7b62f596f4852bd25585e72dc7aca188e29b2e4

SHA256
eddb2707de2e35bdcb321cc25529a986e34e41e018e9bb05fd151d8fd622718e

SHA512
8123a22998abee0c07f438a949207ced0a747b8464b896fe8f4c20579269eccaed725ded463f9742d5a2e2c35deb83d114d8c255c3d2296c7f0c519b7d69e314

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
5b3dbb56202bd26c9cd3148eb9a78619

SHA1
8bf33ba2a0642caa84df10d15639a5af31d7370b

SHA256
5d4bdbcb87d368539166b2f5b12b8d1477a9e5647ee1e818b34315e8cf8ebc37

SHA512
bbd147cf7d85e078718ded4ad7b885289d45ae39adc1dad0bf9659bedc9fcc019bcc002121c7671e83a0fe2e0ce720e7c34a7cee9e6329bfb12a58ecc456115f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e82cc1404f98b5c542699d585f103e33

SHA1
45838e3e5a722772dd5043e860a67ee534cda1ff

SHA256
667f5c257e0b1febff0ccaa86836f7adbdb4db9588c0975e533c3bfa03b9c726

SHA512
6167fe582d63c959837ed5d6b325b44c04c0e3c1112d4914fc75a4de97e31686bb3174094b61f82ad578ee5a282f0c848a8689d1221a5d12bd4147ea97e4770f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
6f510451036b6277879c878b346e11cc

SHA1
ac1e289421cfa35e1728f52aa4cf6406b74b9e6e

SHA256
7013a667757278a475d42d3f19bef6c19d396fc99cd36df91c1d4979a4f75826

SHA512
4d78b4fc363575189a01bf8676fc43a21d9dfb367cf89671ad2954bddcee60d648a21b4b3806c2991d750156e350e303f37531a144fadc980d2063487145472e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
58507783cd4b2ff726337546b5d67e4c

SHA1
0aa728f4e68e5adb97e24308efb182902c728523

SHA256
dd8767d61ddc8e0053e8f6dec30e91711a6ce412555020806e46941e24065871

SHA512
042787d0ec46bf7d89202cd4b53d5d6ea3f5655980c76ed887445d9bda1ea180cca95803f575f1e1addd4d71385b5e6e7d9c04feb37bb616792da982ae0e0916

Download Submit
memory/620-365-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/620-275-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/620-297-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-12-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-287-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-324-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-296-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-364-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-260-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-257-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1040-503-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-274-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-8-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-322-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-0-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-255-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-500-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-362-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-501-0x00000000003C4000-0x0000000001603000-memory.dmp

Filesize
18.2MB

Download
memory/1476-258-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-288-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-261-0x00000000003C4000-0x0000000001603000-memory.dmp

Filesize
18.2MB

Download
memory/1476-262-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/1476-2-0x00000000003C4000-0x0000000001603000-memory.dmp

Filesize
18.2MB

Download
memory/1476-263-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-323-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-286-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-259-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-295-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-256-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-363-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-11-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-15-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download
memory/4808-502-0x00000000003C0000-0x0000000001AF7000-memory.dmp

Filesize
23.2MB

Download