privateloader | hxxp://avastpst[.]com

Analysis

max time kernel
119s
max time network
119s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
12/05/2024, 21:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://avastpst.com

Score

10^/10

privateloader discovery loader

Malware Config

Signatures

PrivateLoader
PrivateLoader is a downloader sold as a pay-per-install malware distribution service.
loader privateloader

Manipulates Digital Signatures 1 TTPs 1 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\TrustedPublisher\Certificates\8F2DE7E770A8B1E412C2DE131064D7A52DA62287\Blob = 0300000001000000140000008f2de7e770a8b1e412c2de131064d7a52da6228714000000010000001400000037566615f0b266ff2f5295d1ae83c4e065330e43190000000100000010000000aa6fd6bd7df2864341e10de037f41dc6040000000100000010000000a7c9563a13f15ee0e171ef6aa4c7a7870f0000000100000020000000dcb8261fa22c834b1ffb69470c0cc7baff034b5c656a6c297259addfbf73f1e35c000000010000000400000000080000180000000100000010000000021dfb9b16b1303a97b0bf78cda68e464b0000000100000044000000360036004100450033004200460044004600390034004100370033003200420032003600320033003400320041004400320031003500340042003800360045005f00000020000000010000002c0500003082052830820410a003020102021003e9eb4dff67d4f9a554a422d5ed86f3300d06092a864886f70d01010b05003072310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3131302f0603550403132844696769436572742053484132204173737572656420494420436f6465205369676e696e67204341301e170d3138313032343030303030305a170d3232303130353132303030305a3065310b300906035504061302444531123010060355040713095374757474676172743120301e060355040a13177068696c616e64726f20536f66747761726520476d62483120301e060355040313177068696c616e64726f20536f66747761726520476d624830820122300d06092a864886f70d01010105000382010f003082010a0282010100c670a0d7fd91b6a5a0608435029365d11e529a2d43df54680357ad83dfb4ee6cbf54d74c4bc9205fbbca3b436d0fe3370b3200d8c655e242c92b4b2a2fa6040c81e530fcc1a60d849d52886bf3e29c50b52413e2a321f756b314f3bcbc47e550ea4b6ecf895132ae6f99a947ea9ad00982b86ebce0cd6a198bc65f1cc1bb6a1638931cb630c26ca343eb7f2bb394f36cb302bec93f3828dcf165700e7a00712cc914ce5f4b6c6945f201d769ca2fffe1268b6cf57965bd8d5c4177a2d176f32c9c9e60a7a96c3f775e64b84734394983790f56701d1b8f9614028ca180e7d03ffafa30bb51149059ae4d93d8b696c1160319e9945a760a640dd6bd134ce6db270203010001a38201c5308201c1301f0603551d230418301680145ac4b97b2a0aa3a5ea7103c060f92df665750e58301d0603551d0e0416041437566615f0b266ff2f5295d1ae83c4e065330e43300e0603551d0f0101ff04040302078030130603551d25040c300a06082b0601050507030330770603551d1f0470306e3035a033a031862f687474703a2f2f63726c332e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c3035a033a031862f687474703a2f2f63726c342e64696769636572742e636f6d2f736861322d617373757265642d63732d67312e63726c304c0603551d2004453043303706096086480186fd6c0301302a302806082b06010505070201161c68747470733a2f2f7777772e64696769636572742e636f6d2f4350533008060667810c01040130818406082b0601050507010104783076302406082b060105050730018618687474703a2f2f6f6373702e64696769636572742e636f6d304e06082b060105050730028642687474703a2f2f636163657274732e64696769636572742e636f6d2f446967694365727453484132417373757265644944436f64655369676e696e6743412e637274300c0603551d130101ff04023000300d06092a864886f70d01010b0500038201010081f8e7b945d68610bab4057f23259843f454fd9c7aac4180dec936794e4a664dda255b30644288538121e30a69d4447dbc04c2da21e44f5c4ba41e706c9de0cb51c67931e31207ba3ac11791f9e551deb1aa3feee2a6e199a4d10b0cd71c05143f4466d6c84747d9bc3127e47102d90a2487440ea1b9a8e7317ddeeee3a0f42c296bf03314fa6e86f3743b9a4a6e756a54e67b0513c343e9e9f7c730af9f00acb32a27f707d3d04f22d58cbbb588c2fc72d5a37c4acaaab650c9533e96aa7a0bf53a60d86fb6ee8c982ec49b49130956b064d62e010da8a75e786a4445cff7b506eac4a40ab672d91dd23a272c7e28fb670cb502ff0f5572d88d8706580c5caf	DrvInst.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 7 IoCs

pid	Process
924	AnyDesk.exe
3980	AnyDesk.exe
3748	AnyDesk.exe
3560	AnyDesk.exe
3228	AnyDesk.exe
2508	AnyDesk.exe
4376	AnyDesk.exe

Loads dropped DLL 4 IoCs

pid	Process
3748	AnyDesk.exe
3980	AnyDesk.exe
2508	AnyDesk.exe
3228	AnyDesk.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in System32 directory 27 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver-manifest.ini	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.gpd	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriver.cat	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET4159.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419C.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET4159.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419C.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\AnyDeskPrintDriver.gpd	DrvInst.exe
File created	C:\Windows\System32\DriverStore\drvstore.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419B.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419B.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\FileRepository\anydeskprintdriver.inf_amd64_07b22d0a6997cb3a\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\CatRoot2\dberr.txt	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\AnyDeskPrintDriverRenderFilter-PipelineConfig.xml	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419D.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\anydeskprintdriver.inf	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET415A.tmp	DrvInst.exe
File created	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET415A.tmp	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\AnyDeskPrintDriver.cat	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\AnyDeskPrintDriverRenderFilter.dll	DrvInst.exe
File opened for modification	C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\SET419A.tmp	DrvInst.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\AnyDesk.exe	AnyDesk.exe
File created	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe
File opened for modification	C:\Program Files (x86)\AnyDesk\gcapi.dll	AnyDesk.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\setupapi.dev.log	svchost.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	DrvInst.exe
File opened for modification	C:\Windows\inf\oem3.inf	DrvInst.exe
File created	C:\Windows\inf\oem3.inf	DrvInst.exe
File opened for modification	C:\Windows\LOGS\DPX\setupact.log	expand.exe
File opened for modification	C:\Windows\LOGS\DPX\setuperr.log	expand.exe
File opened for modification	C:\Windows\INF\setupapi.dev.log	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 26 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\CompatibleIDs	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0009	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Phantom	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID	DrvInst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	DrvInst.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\CompatibleIDs	DrvInst.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133600255412543407"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" --play \"%1\""	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\",0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0"	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon	AnyDesk.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol"	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol	AnyDesk.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe\" \"%1\""	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
3980	AnyDesk.exe
3980	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3560	AnyDesk.exe
3228	AnyDesk.exe
3228	AnyDesk.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe
Token: SeShutdownPrivilege	3724	chrome.exe
Token: SeCreatePagefilePrivilege	3724	chrome.exe

Suspicious use of FindShellTrayWindow 43 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3748	AnyDesk.exe
3748	AnyDesk.exe
3748	AnyDesk.exe
3724	chrome.exe
2508	AnyDesk.exe
2508	AnyDesk.exe
2508	AnyDesk.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3724	chrome.exe
3748	AnyDesk.exe
3748	AnyDesk.exe
3748	AnyDesk.exe
2508	AnyDesk.exe
2508	AnyDesk.exe
2508	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 1848	3724	chrome.exe	81
PID 3724 wrote to memory of 1848	3724	chrome.exe	81
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3076	3724	chrome.exe	82
PID 3724 wrote to memory of 3984	3724	chrome.exe	83
PID 3724 wrote to memory of 3984	3724	chrome.exe	83
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84
PID 3724 wrote to memory of 3084	3724	chrome.exe	84

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument http://avastpst.com
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc4d68ab58,0x7ffc4d68ab68,0x7ffc4d68ab78
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1724 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:2
  2⤵
  PID:3076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:3084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2944 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2952 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3596 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:1
  2⤵
  PID:3512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3372 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4564 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:2384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4112 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4924 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4968 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:3700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4104 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5084 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:2348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4772 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:4804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5216 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:4308
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:924
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:3980
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3748
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --install "C:\Program Files (x86)\AnyDesk" --start-with-win --create-shortcuts --create-taskbar-icon --create-desktop-icon --install-driver:mirror --install-driver:printer --update-main --svc-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf" --sys-conf "C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:3560
  - - C:\Windows\SysWOW64\expand.exe
      expand -F:* "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\v4.cab" "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver"
      4⤵
      Drops file in Windows directory
      PID:1692
  - - C:\Windows\SysWOW64\rundll32.exe
      "C:\Windows\System32\rundll32.exe" printui.dll, PrintUIEntry /if /b "AnyDesk Printer" /f "C:\Users\Admin\AppData\Roaming\AnyDesk\printer_driver\AnyDeskPrintDriver.inf" /r "AD_Port" /m "AnyDesk v4 Printer Driver"
      4⤵
      Drops file in Windows directory
      PID:4544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4448 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:4528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  PID:4360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5028 --field-trial-handle=1896,i,1231605818246970218,17776896044078209413,131072 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4544

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:1308

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --service
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
PID:3228

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --control
1⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2508

C:\Program Files (x86)\AnyDesk\AnyDesk.exe
"C:\Program Files (x86)\AnyDesk\AnyDesk.exe" --new-install
1⤵
- Executes dropped EXE
- Checks processor information in registry
PID:4376

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k DcomLaunch -p -s DeviceInstall
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
PID:4596
- C:\Windows\system32\DrvInst.exe
  DrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{fd4f4506-2a34-8d4e-ad8f-726df2eeab98}\anydeskprintdriver.inf" "9" "49a18f3d7" "0000000000000144" "WinSta0\Default" "0000000000000158" "208" "c:\users\admin\appdata\roaming\anydesk\printer_driver"
  2⤵
  - Manipulates Digital Signatures
  - Drops file in System32 directory
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Modifies data under HKEY_USERS
  PID:2136
- - C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{f0b12566-6c0a-3046-818f-8d1d0b48fc24} Global\{65d3783b-acf6-8948-abc7-d44cb15ea731} C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\anydeskprintdriver.inf C:\Windows\System32\DriverStore\Temp\{9614ddcd-6913-a844-8011-30827fd558ad}\AnyDeskPrintDriver.cat
    3⤵
    PID:3124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AnyDesk\service.conf

Filesize
2KB

MD5
19d6c777561e3f9e2f109e9bc91128b0

SHA1
9e55bd0c4f968291186517f2ba350e832fb47016

SHA256
9f140c8b1a48e4c119842c810d3daac2db256ae539eadb22210397873b46c564

SHA512
13110b7d314096c55c31675ed1c30f3932f3c8c9eb376a1172fa717a89e20453608ba7c0cdf2ee12458022e1a2d4711525bd7f6ec1abc5508ebfae1d1fc7a572

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
9107bd3782e6b1676070b2e2325a7e6b

SHA1
6317f2e54a4b6f632c2e659c69e233aa5fda93de

SHA256
5a47942b92c8e7e5ce4b4b2f766a31db58b468bba00d7ab87c2bffb24368e971

SHA512
4beee0f2c5802a3b8113d9cbda38c7c326c15b9684c2927b4a330fc83af40d3457e4bd3f3112798adc7ce84c2c5b6a4035d39daa48f898aef85dc0a6aadafae7

Download Submit
C:\ProgramData\AnyDesk\system.conf

Filesize
921B

MD5
427709b6af05116114bbb1480f696a71

SHA1
047580c979dc08eea03f0a6753e7506b7520ffb5

SHA256
0b77b54d0df0dc5a92aec531940b86d8f3da1b2839243b1f7fbe5943810ce5ce

SHA512
f1457ea52a702ddbfa20ea7531ab715912f195962e718b193e6178ae80ea0710cc1e2a34c0ba6ad8a50644380194d747054dc0ba1cc9ae7019e5243729f85c6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
7646a3d9ec057be77acd1c2693b03d9f

SHA1
cd6cbd77d74a18d91a0d8f6219cb20ccb765fa38

SHA256
d3ead5dc151861f9a52fee612973c67a6f296304b83407b7118da21fccaa8a04

SHA512
1b3c53f43a5080e6ab2ca9d95e51cba538b1e6d25eefa1eefe27ba730960a77d26919f0ecd593ba8589df4abb14aecca7409ff21c5dad53734f8c3714b418721

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
739f7feb7a5e01cd755f3f909b7d7f6d

SHA1
997a1a28a7d5c5b7c5ffb89148812e88ba750a7e

SHA256
ecb8eeba3ba157cf6fecc4b5c5e0bc6a00271f27ceede479f2cfe9cfa6ac9816

SHA512
121d4a5da8768fa4c3e097423ec3db1271f4d3d2b441bceefadde9919653e9b40615d747a44af386c7cada006c7135d690487e1b90550ff3c7c6d01fb3f16ccb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b98d55140d0e5b1dba8681e72c52b2e7

SHA1
b512cdf9d78c47e72b5decfec8a32c2e019a7450

SHA256
4a685ab0bdb1b1bc094b4a8f15e19841a00eed8053de712ef0aa93740918aefb

SHA512
0ed72af2b0c77192510aff835478e3db7ab134c07eacb6f1217f102f012d5985994ae04896b3c7db9f3945c75dc523e382bda063979bebe8e86b6eda77051e3d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
756451f549bf22af040e41b16ebff4db

SHA1
7d8f9b2de11917c61f03739221e1a496864ca957

SHA256
da4f7969516ac58c6500eac2bfca4797c887b630b0f475da496f85489df04a5f

SHA512
c426f50f67af11d30e3654b07ada2f137488f55cbfb45cea56fe3d3809c20c3661b5dc16e610acf2dc36aca478ad1cb2e11787719889e4ac9455a703d50ac504

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
392c2f4c4346e61ad65b827371f398e1

SHA1
367a7fa970b4b58e2d9290e76bc668a793b3d77e

SHA256
92051832620b932faa63834229ada532858abf7cfc0da00a699724fe1638a2e1

SHA512
726b4f17e49e39e6b3c15745a44661d701f98050d899f1ce62ca4766ee0488404785f34e3bf91036e39d5824ef920b9e8b9f397e1bfc09975142c4ce46e52c53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
6417d0caad6e4808e7be9fb60adadeff

SHA1
41b90a635cd5e03c026efd66045cfc662bfaedcf

SHA256
5293d0690de81d2808720f4d90ca342764dbcc41994dae3ad284250815fc53c2

SHA512
9b959ee2ba25c4aafbe610945b4cc79c22baff2e58b56e2b3c92094fd6f465316dd39202e6975b377dbc1ad34a6bdda4906e656a1ec589d6df4db755fc92b7f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
cb846ff0c1501d0541c48c2a8a9208fe

SHA1
efcd784492e64a3b3929adc184f72cdd3cd93d7e

SHA256
465143f25ae8f4937a7670169a7eb3649984081249f06738a69d67c4a424ff5f

SHA512
a687548de075f11cca8fdafdeb55643c3d78bab0e42bc6ba917f7e00cbb9380ae8cea2286335f050e4f1e890e8e791ddabdef8f77ae58f3722a31c3f30e1101d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
257KB

MD5
a1f2864b65f3c20efa4613e9761f2193

SHA1
ba992350625b0ac2eacd1140cc5b23d63c01625a

SHA256
b8350cb519d696f404e0503c1b8c6b378053ba547fa82a47cf0c9b4e0c4401e8

SHA512
b4909c0e8e23c7259096dab1c397cc38f2a40be049965c5189cc8b9492696e276f53593f7f58182f798434031666cd548b6c47b26d79704c770943deb469d40d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
104KB

MD5
f693ae560bec6dc2ea710075850bd156

SHA1
855a238c944652c453bf618e961287b78e27e684

SHA256
0337ecc0d1877513d50d4e6adb6468be19b470405a18902398689e72185f88bc

SHA512
98a278dc10aea313af6da4d1137356751556d52935e7679ba99c4acf014970026683045486121feadf1232eebf037b741e394e36647b8fb88886ae5699551606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57f51e.TMP

Filesize
101KB

MD5
796f8cbbcb616610b2f021069eb687f0

SHA1
401d155efc4d4633dc9360504fbab8b63c06ca4e

SHA256
97b3b81ad71379a04583972e4296dae0ffc992d7ac031e5eab1492ebbb4f0927

SHA512
f39800a2aa782ddcd977bfad732cd171f1fc2983fe3835f06f149df57d9e7d0a202f35ada89b807be4f298f5353358d1559a262c4a7f603bb6a2a0e9f1c6e954

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ebaaa54b183df2bb0cdd802ac20ab419

SHA1
b8ca3450e76b5b4cf35bd0ccd758be2d218fbb03

SHA256
cf7b9825b31943674337b7c4fc051826564e3d29fc018b985939314f0d09d261

SHA512
169d631b9760943ef8367bddcffe5efac434eaea11a977581c32f4fa2eb2d82039783a86db5cc222bc65e05e587874a2921d840bc277235c261aeeae3cde6488

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fd4f4506-2a34-8d4e-ad8f-726df2eeab98}\SET3F27.tmp

Filesize
277KB

MD5
1e4faaf4e348ba202dee66d37eb0b245

SHA1
bb706971bd21f07af31157875e0521631ecf8fa5

SHA256
3aa636e7660be17f841b7f0e380f93fb94f25c62d9100758b1d480cbb863db9d

SHA512
008e59d645b30add7d595d69be48192765dac606801e418eeb79991e0645833abeacfc55aa29dae52dc46aaf22b5c6bc1a9579c2005f4324bece9954ebb182ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fd4f4506-2a34-8d4e-ad8f-726df2eeab98}\SET3F28.tmp

Filesize
584B

MD5
b76df597dd3183163a6d19b73d28e6d3

SHA1
9f7d18a7e09b3818c32c9654fb082a784be35034

SHA256
cba7c721b76bb7245cd0f1fbfdf85073d57512ead2593050cad12ce76886ac33

SHA512
6f74ad6bbbb931fe78a6545bb6735e63c2c11c025253a7cb0c4605e364a1e3ac806338bb62311d715bf791c5a5610ee02942ff5a0280282d68b93708f1317c69

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fd4f4506-2a34-8d4e-ad8f-726df2eeab98}\SET3F39.tmp

Filesize
271B

MD5
0d7876b516b908aab67a8e01e49c4ded

SHA1
0900c56619cd785deca4c302972e74d5facd5ec9

SHA256
98933de1b6c34b4221d2dd065715418c85733c2b8cb4bd12ac71d797b78a1753

SHA512
6874f39fff34f9678e22c47b67f5cd33b825c41f0b0fd84041450a94cc86cc94811293ba838f5267c9cd167d9abcf74e00a2f3c65e460c67e668429403124546

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fd4f4506-2a34-8d4e-ad8f-726df2eeab98}\SET3F3A.tmp

Filesize
9KB

MD5
6d1663f0754e05a5b181719f2427d20a

SHA1
5affb483e8ca0e73e5b26928a3e47d72dfd1c46e

SHA256
12af5f4e8fc448d02bcfd88a302febe6820a5a497157ef5dca2219c50c1621e3

SHA512
7895f6e35591270bfa9e373b69b55389d250751b56b7ea0d5b10ab770283b8166182c75dca4ebbecdd6e9790dbbfda23130fb4f652545fd39c95619b77195424

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fd4f4506-2a34-8d4e-ad8f-726df2eeab98}\SET3F3B.tmp

Filesize
11KB

MD5
e0d32d133d4fe83b0e90aa22f16f4203

SHA1
a06b053a1324790dfd0780950d14d8fcec8a5eb9

SHA256
6e996f3523bcf961de2ff32e5a35bcbb59cb6fe343357eff930cd4d6fa35f1f4

SHA512
c0d24104d0b6cb15ff952cbef66013e96e5ed2d4d3b4a17aba3e571a1b9f16bd0e5c141e6aabac5651b4a198dbd9e65571c8c871e737eb5dcf47196c87b8907b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{fd4f4506-2a34-8d4e-ad8f-726df2eeab98}\SET3F3C.tmp

Filesize
2KB

MD5
d4ca3f9ceeb46740c6c43826d94aba18

SHA1
d863cb54ad2fa0cfc0329954cbe49f70f49fdb87

SHA256
494e4351b85d2821e53a22434f51a4186aa0f7be5724922fc96dfb16687ad37c

SHA512
be08bc144ee2a491fbc80449b4339c01871c6e7d2ddc0e251475d8e426220c6ef35f67698b0586156f0a62b22db764c43842f577b82c3f9e4e93957f9d617db4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
15KB

MD5
a564187de34fb46584ad7b3176252f08

SHA1
d0bf8e8d60c8ecc84867bf0f78732237bdca9051

SHA256
e4e66ddeff26aa6b0862d031ced070345a2c93b24bcfd329130f608a72ef424a

SHA512
d82adc9fb462968c21979cf1770dc876a94efa4a4f0f03f384532bf2d90f05fc2fa52266adb237264eab1d78f572738174fc8cbe886a4bda277e1c8d326ac18d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
28KB

MD5
95f3a19a1bc63f6664b332d4b298e347

SHA1
229ac0ecdfe3e0baa31047f99dd4714c45edba6c

SHA256
2c52fd54003b3381daf5798258424083b26685ac2955c537a023fd113a2cb324

SHA512
b9b4cdd774f596a9dbd0b2c550ad93950b2f574f67db1ee70ee2a1a2adfbf64b4fdcdc180d36e646fce6f6b5ee2673f66796019e8c72940c60d616dfb9604826

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
9e7339af1aecd73289f27c9381669110

SHA1
6fd99fd97945e7795029f1db38229a7922f4089a

SHA256
6afd187a6b2da552f54511a4c38a8809f8f6a055dd734d94047bd7489b224404

SHA512
b9ba9e7a236127cb5154001f247ed2d18ee478d0e419e717163b96f464eca2a7f6fb6260a20448bdff0a5f12d512bc4e5cabc391d94a4f4cb1c8850fcbcf0c96

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
05eb976ed6eb2d18e19181626276a71b

SHA1
8cf45fb70f4627bb201e7647e7ee976d873a3927

SHA256
c71f0e30fb64dffa4cd74f2ab4d67a7da915e0b88b814974e4e3d898bcd2f357

SHA512
aba04c8491adc16c7f53a66bd44f78c627fb2607479e3ad96cfd8ce64301aebc784b9904eb167cc684b02db5aaa588c9017966dd02403d5b770f44598e7baa75

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
f5d9cc30e2ece5bc3dd80ea7390d7faa

SHA1
3ded4be1ccc8f5edd8ec0b35f594e08fa6358e0c

SHA256
8d84d7b66e8fecfe8c69e4436e8f7578267cc634f1c859d2970fcd3234269b03

SHA512
ee5b9835fb4159f968857e43e8753a4dd77c172cc500c61ba90f980019159ed1c970bcf0cbc0a901c8b90549e1310cb485e646a3e3fa4a81779b07acb0900a7a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
612B

MD5
bb0642d7e90c8fc7ba38c0d8e4ba67a1

SHA1
4e275d7ac49735e26fcea2be02c9e55cea60a20a

SHA256
ef214343d47e656d0c356ddfa02fc6b5fc7d3932d3a415a2325028040d571c66

SHA512
77ec32c626822efd9045b321486474b3e671afb923e89139a8a6205cf6631d52cd3c9a84e881fd5df9591de3784e44bde37751e44fb96f0c5b37e197bdfc8024

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
733B

MD5
083b068ac28996d66b706122c854e1a6

SHA1
d73189fa893f2cb4b8845d54c75b259bbc584787

SHA256
b4d2110f13226c385bb34ee772004e8895224d55f7662d7b740a8268c0844fbe

SHA512
88b7ee57d6e10be56d13c106cd612a7f5a9fc754a7fe2bc866098e763b9ca055c7ec7da2e6536565d44380a2891d7351ddb463d5b6e9cd53dce8376531f425e0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
802B

MD5
7b782df7d0e82941ee6a0441fe53689f

SHA1
c3b1b25acde9427b99b108d8c95e20aae41bbb36

SHA256
7a79951591614f03f795bc94779231bdf841286a9eea321fb612a2393e92b047

SHA512
b2b88185f82a23842279e4f0bb0d0febf87b8940b7482b1181de3963eae50f854e9b2c7f2c798a060547bde51edb58ace675b3b83ce9c7e0b1246b41d1815738

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
db08011bee37e07a8873e90dd3bbff51

SHA1
81bda76b832b93b3e1244127aaa55161e1dde25f

SHA256
b1ac0e819896c335e092c91a826d9fcffc97578e18acc7b64247a44b90c9fe8a

SHA512
f0a39b71773deeda4805dcc25fc970c298281fe634b6f05cfeca068a530ef32c5ca53e90f7fe7df97961d001187684cd840a5e8ae1a6199224f09be72362df6e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9ea71759887b456f3f58f772f9b0a27c

SHA1
4c902fe2bafc2d3bb68edf7f554705d63550152e

SHA256
81ba5c492d05b4aa5eec1e71485c54dd5dda2f20d80664bcd7cc94f51e8df4fd

SHA512
3d22b044b370e4750cd9801f88cac912410ec6f17732d11db7129d4eabf1672224af1f26ad1385dea122bf585fb317027d7df8ef848d6624c5ba4ae8e8f4e6af

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
2b2c073b2658f3ad18df502ef34e77ee

SHA1
75dd306303465ca70b5a12ab77f6d0c15246a03a

SHA256
ac9ffbb4b28b5684177767627e7a139504586504d22e0b11e10335731a993ec2

SHA512
b8d183dcdc864e82d0746fc4191a5b87aeb1b08b73ae82c055c43a37e9f00d020fbc742e31dbd6d55a1b3cbc1f87a7e2a15d7c07d4990ea8eece3a9a997e2f48

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c1aa4399ad17c683cd255c1e1522c11f

SHA1
5dc0c9d91ebacaf933e7644d2bdf2606fd8f576c

SHA256
c3f999a837d35077f18b7941425d832144e0c4bf29e5c7b7af10ab4e2e299e60

SHA512
039a6eec15665fd9a7ac5a2e90e97d58a27c7df6d320c36938d3a6017f33ad7575c8e49231ba9c61478fb7cc56185dd69d3c5c495071efb73bee52f5d3554b37

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
64ab8b11968d0b7871f9ed885299e4a7

SHA1
b51cd65fbd5d748defa0ec3027bc800a14b6368a

SHA256
ae6b5cc00bb909196dedd5e2074e50b23870edb344a88a7265c652ab0abc0cfe

SHA512
edecd6df988e1fa61163c119d20c06e0ae9957730ade43449571430b70838828da961c949a90816a352d124adf5dc57436cecd4203b5fd4d3c4194ad3ea56c85

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
91a1fb55b81031f0b6cab5b97ee03f75

SHA1
bf8770ab9540912a891da21c022616315553aed9

SHA256
53a1a7472b6c1266674dfb69cf5da07cdf30f7ca225c23abed137d5b44395e0d

SHA512
7ed459096889d31f50df98354c396f77b9d24fa8bdba1cf51c9d4e1190c472edec3538a4e8f6f5b7edd07ce5265b00d7759713f00ecf56af7425932d968b3de7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
87a70a994090d452efaba39cdf7c6c49

SHA1
42abb1e7885e5ad664aaf1653ba5ed8cb5cf7c1c

SHA256
0159c5d1600169f69fc06b5a4fcea663c373de1506fa5c9ee4bc3c15d8599675

SHA512
4d324fdde554c51a9cb4383d8842bb9a3665baf1ddfd46cdd325659fca2540c31595136a9dc516e74b797abb1420034b4094690f1cef28bba54a632520c0044a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
cda6bc83b046190d280692e5272d708b

SHA1
6985faa4514c16a8a4d168a6c7872dc42cdc4e64

SHA256
ec3ac778e93ad9b6f6f5683ccfe64e80a9b3f8d4e7b81b606fe496b3ac21ea19

SHA512
bebceb19358a1575cea6490fb4dda81616a325b4c07c128ec4f6a8002e97777725a786135ea18067108d398813a9f92771834d5f68c8164cf06cd0fcbdc196b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
c180fd2ac30f6bd24c90ec36b86e8d0f

SHA1
52f8cf1104742817ff76c5ed55fa6bd750ed846f

SHA256
4b15d3e4f28193f636e8462ad2529bf507597b878dff5eee97fd36b5aad384f1

SHA512
6c54785aa4abc8de66e6098ea2a24615f110b555b91d63eba2677eacfb3570a09c02e45bf03925d3f70160d9747be35a4094006b4de9d5ffbfc75da7bb2d1ecf

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 504134.crdownload

Filesize
5.3MB

MD5
75eecc3a8b215c465f541643e9c4f484

SHA1
3ad1f800b63640128bfdcc8dbee909554465ee11

SHA256
ec33d8ee9c3881b8fcea18f9f862d5926d994553aec1b65081d925afd3e8b028

SHA512
b3a48230fc6f20038c938e5295b68a3f020b94e220ca2fab6a894d126dc41f6f1021c239613bf9d6de84370ad7df9d9a91baf716a87d43eb101ee3e48578e5ff

Download Submit
C:\Users\Admin\Downloads\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
memory/924-115-0x0000000000724000-0x00000000019B0000-memory.dmp

Filesize
18.5MB

Download
memory/924-121-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/924-325-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/924-358-0x0000000000724000-0x00000000019B0000-memory.dmp

Filesize
18.5MB

Download
memory/924-380-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/924-113-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/924-381-0x0000000000724000-0x00000000019B0000-memory.dmp

Filesize
18.5MB

Download
memory/2508-500-0x0000000000D90000-0x0000000002560000-memory.dmp

Filesize
23.8MB

Download
memory/2508-698-0x0000000000D90000-0x0000000002560000-memory.dmp

Filesize
23.8MB

Download
memory/3228-404-0x0000000000D90000-0x0000000002560000-memory.dmp

Filesize
23.8MB

Download
memory/3228-697-0x0000000000D90000-0x0000000002560000-memory.dmp

Filesize
23.8MB

Download
memory/3228-700-0x0000000000D90000-0x0000000002560000-memory.dmp

Filesize
23.8MB

Download
memory/3560-480-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/3560-368-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/3748-129-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/3748-328-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/3980-127-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/3980-327-0x0000000000720000-0x0000000001EF0000-memory.dmp

Filesize
23.8MB

Download
memory/4376-527-0x0000000000D90000-0x0000000002560000-memory.dmp

Filesize
23.8MB

Download
memory/4376-699-0x0000000000D90000-0x0000000002560000-memory.dmp

Filesize
23.8MB

Download