acb362c4192ed139f523b70d57b1cda99586971f8b4261d7e60b33307a7de0ca

Resubmissions

17/05/2024, 17:59

240517-wkyarabf43 8

17/05/2024, 17:55

240517-whkxmsbd6y 7

17/05/2024, 17:53

240517-wgnxxabd65 1

Analysis

max time kernel
150s
max time network
151s
platform
windows11-21h2_x64
resource
win11-20240426-en
resource tags

arch:x64arch:x86image:win11-20240426-enlocale:en-usos:windows11-21h2-x64system
submitted
17/05/2024, 17:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TLauncher-Installer-1.3.8.exe
Size

23.0MB
MD5

d4ecfc9d8262e3289ee86c467c0b6ccf
SHA1

5e53be039083d3e10a75e3bedcb12fe375c6e056
SHA256

acb362c4192ed139f523b70d57b1cda99586971f8b4261d7e60b33307a7de0ca
SHA512

20f207929ccd1c2ef56cfb5e9cba97c2a94113363a143ebb65abc1807357d9532b12002d18513f38b44fe205a3a3b4ea5644ffdfd6b1dd69983c0bb4aa4af5b3
SSDEEP

393216:I25K5o5G9bK5Q5+LTc2rr6of5MJ7ZWqxPAIgtMIMlFRqWM/DX9QMIuLLf0a+jV0t:tK5o5GbKO+LtrrKJBH5lFRqlDYkLf0aL

Score

8^/10

upx

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 5 IoCs

pid	Process
560	irsetup.exe
1984	AnyDesk.exe
1192	AnyDesk.exe
5076	AnyDesk.exe
3956	AnyDesk.exe

Loads dropped DLL 5 IoCs

pid	Process
560	irsetup.exe
560	irsetup.exe
560	irsetup.exe
5076	AnyDesk.exe
1192	AnyDesk.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000100000002a983-5.dat	upx
behavioral1/memory/560-14-0x0000000000AF0000-0x0000000000ED9000-memory.dmp	upx
behavioral1/memory/560-650-0x0000000000AF0000-0x0000000000ED9000-memory.dmp	upx

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133604423886039020"	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
5076	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1152	chrome.exe
1152	chrome.exe
1192	AnyDesk.exe
1192	AnyDesk.exe
1192	AnyDesk.exe
1192	AnyDesk.exe
1192	AnyDesk.exe
1192	AnyDesk.exe
1564	chrome.exe
1564	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeCreatePagefilePrivilege	1152	chrome.exe

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe

Suspicious use of SendNotifyMessage 18 IoCs

pid	Process
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe
5076	AnyDesk.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
560	irsetup.exe
560	irsetup.exe
560	irsetup.exe
560	irsetup.exe
560	irsetup.exe
3956	AnyDesk.exe
3956	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4508 wrote to memory of 560	4508	TLauncher-Installer-1.3.8.exe	80
PID 4508 wrote to memory of 560	4508	TLauncher-Installer-1.3.8.exe	80
PID 4508 wrote to memory of 560	4508	TLauncher-Installer-1.3.8.exe	80
PID 1152 wrote to memory of 2928	1152	chrome.exe	85
PID 1152 wrote to memory of 2928	1152	chrome.exe	85
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 2732	1152	chrome.exe	86
PID 1152 wrote to memory of 1720	1152	chrome.exe	87
PID 1152 wrote to memory of 1720	1152	chrome.exe	87
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88
PID 1152 wrote to memory of 1736	1152	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.8.exe
"C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4508
- C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe
  "C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe" __IRAOFF:1773458 "__IRAFN:C:\Users\Admin\AppData\Local\Temp\TLauncher-Installer-1.3.8.exe" "__IRCT:3" "__IRTSS:24079198" "__IRSID:S-1-5-21-1230210488-3096403634-4129516247-1000"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetWindowsHookEx
  PID:560

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7fff30edab58,0x7fff30edab68,0x7fff30edab78
  2⤵
  PID:2928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1608 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:2
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2112 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2184 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:1736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3052 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3060 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4196 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4380 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4376 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4440 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:3108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4736 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4888 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=4944 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1804 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:832
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3104 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:4636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4728 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3364 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=3440 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:3768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2272 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4548 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=4996 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:1340
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5412 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5600 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:2296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --mojo-platform-channel-handle=5840 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:1
  2⤵
  PID:4900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5932 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:3008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5444 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  - NTFS ADS
  PID:4852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5428 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:1396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5772 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:4696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6568 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:8
  2⤵
  PID:3720
- C:\Users\Admin\Downloads\AnyDesk.exe
  "C:\Users\Admin\Downloads\AnyDesk.exe"
  2⤵
  - Executes dropped EXE
  - Checks processor information in registry
  PID:1984
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:1192
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --backend
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetWindowsHookEx
      PID:3956
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: AddClipboardFormatListener
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5172 --field-trial-handle=1820,i,6879815675648633516,13287613020958019633,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1564

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:3096

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004E8
1⤵
PID:4956

C:\Windows\SysWOW64\werfault.exe
werfault.exe /h /shared Global\2ae5f87c5c0c4afbb94f3d7d14611163 /t 644 /p 560
1⤵
PID:5504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\88113bb4-868d-412e-b1de-b2b0c050cc2a.tmp

Filesize
6KB

MD5
5e477513b6f9e9c66f89cf6defdaa169

SHA1
b939ae1c088742793a5b3e318fed505c5fb298a9

SHA256
75e86303647e46b8bf0a3dd1875563be01e1e41bd1ad94da3afa6da737af0a5e

SHA512
cd56532b3025c16e1c4e2aca559ba146064aac6f462249976a77aa69981f6ed1112c7dbf802f288fa3ab5e137eb1e65a0a615d2c49cc5831a3a04fdcf6da7e49

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
204KB

MD5
41785febb3bce5997812ab812909e7db

SHA1
c2dae6cfbf5e28bb34562db75601fadd1f67eacb

SHA256
696a298fa617f26115168d70442c29f2d854f595497ea2034124a7e27b036483

SHA512
b82cfd843b13487c79dc5c7f07c84a236cf2065d69c9e0a79d36ac1afc78fa04fba30c31903f48d1d2d44f17fb951002e90fb4e92b9eae7677dbb6f023e68919

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000051

Filesize
24KB

MD5
1fc15b901524b92722f9ff863f892a2b

SHA1
cfd0a92d2c92614684524739630a35750c0103ec

SHA256
da9a1e371b04099955c3a322baee3aeee1962c8b8dabe559703a7c2699968ef4

SHA512
5cdc691e1be0d28c30819c0245b292d914f0a5beaed3f4fc42ac67ba22834808d66a0bfc663d625274631957c9b7760ada4088309b5941786c794edad1329c75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
b2dfaf7622747ec552ef2deb00a6ff54

SHA1
821f35e2f062198a74ba459b068d3b9b2cd58221

SHA256
9b6090b1dcb0bb520c2b94c657006d8e83ff2422c4df4041e70f3d9df3b69f3c

SHA512
5eaee84fa3bc3e76bf7b3fe16d1a7a3a636c36911b5df02cba4baa076320c89e92405d0cee9fa61fd2687c3c41e201574fa611bd804ed32dc4e0239fc9390629

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
3730ce802cdcc16f8fd18b6def192d9b

SHA1
253b51d547109e93fbf87e9351c35a5cba2570bf

SHA256
e977fc485e95611b42be6d4b07aa7706682f6e4d63c21b54b4ff4d1f44475df8

SHA512
2064c158e4d9c7071ac9b20d253f3057a5a8fec900bc73f67305aa6a303e578eee4dfb3b175aa7bcf7f1af6182afbb1da5289b89ba4aff8c6ee8677993416678

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
92b25628c9b4dbfafbaf0f42a9d358d9

SHA1
f6e2ff3c0dab69447b256a781a00751f87a39769

SHA256
15ca574e7442b082c5684706d293aaf46e4d1a1eba73b6b4ca1098bfc5b86bcc

SHA512
b866d2920f78e5cad154484d33a506c2aff6adbd99c2b94b3692265e2ecb4f25cd73f53606c14a4277dc160e8e7d53387279cc0c8f9724e54a5c769091bc2fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
5e9cd7490375259c7e9e204ec4421c6c

SHA1
2eb67fa7b1b96eb0c709accd0126201298083330

SHA256
26de40d5aea197f6d4ac652cfc60dc2a4b3840b02e53a7119654f66cbae769f9

SHA512
3b7d956247b233a439776e4204428f2b5a1c5c5a0e4882612f895118c7747463605340c69044c5c3fe1e5edfe5db5ab60cb5a4d5be3ee1cb469918709a3629a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
fe5a87ba64488ea7f29e7e62fd31a620

SHA1
bd56ebc3deda63409c03b2b05dbd3538da450ee9

SHA256
2a6bb8f53a67eec4b9a931a331dacf209f771a2956f6bd97aaa96bb054228841

SHA512
790570cc2989aa0c5c041a50098b2beef12da9337c71b2b6e83976b8268e166580eec29ce705a332d4e5a0210eec5d041129f1f5a0f73b5ea2c7af677a7f9720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
2KB

MD5
6790a0193d38b42ac7e25ad78905130a

SHA1
cb7a326ac7127c20c1ac1211b1e38d769dc6637e

SHA256
1990fef4e3f46ae5983be8432ed9d6c92cc0a75327b8d9b93c0a24026c7d5afe

SHA512
0e61d62d4ac258b9b4c45eba281e4328d7165878d2dd496b7b3bc466f6455766c65c591ee2684f30a5f82c9dd28e762513a1845e88b6bbfe6d24556ed75c7ec1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
6f87082b281c0e018af8d359f39331e7

SHA1
852831c77a8e2cd19f8e2c124930717a7585ccc9

SHA256
c41afca2c79ebd33d9a3994cefa6d11ed49836fa40c4b8d5ecf8d1cd85408b35

SHA512
3d90af07647e21f6dd1aba2ca6ec9f9792c72f20a6fd59e98753e8f746692327bfc159dd36151a8fc664965f27e0367b33ec9ea34af488b81975550bf07cbd60

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
3KB

MD5
cc676c1adb244b26e43a7db814fe50e0

SHA1
4d8f096c25f77289979b1ce66be488d7cff473fa

SHA256
fbdf84c0658d232855d48fd2aaa0433aeab79b11fc24959b6a29f3c678c00f2b

SHA512
519624e85e6887b8e1dd593d12c5efb4f55c98b89053ee6d42c34be8480cae52ae56cd587db6d603b60412bba0721aacee94320c38230c594ccc6d249ad1356f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
80b558111b88b3e920216c0f5acc2fda

SHA1
22328098d3ade0d877fea4057a39da4917ae4834

SHA256
b1bb6bcbf9f38cf0354a4a10afd1fea8dc43e92a3528c2aca78391bc35d6dd40

SHA512
eb42b504e791f3088c7fdcc3961d4900758b2435e8b615c95860513c3a71d24e397f9b8ea17c98a6ce47ed51081c2b1ba9a46d31fa58695b2e20d4504a423dc2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f378225ebfd959b667e977e6c540c353

SHA1
79cfcf94c3c784265b2bf74386ade9d0483e39b2

SHA256
ebd55733397b78e7d1b88a711e35dc27f61fc96ad20eb39e910909738eaaacb6

SHA512
9d6799bffbb87909133168adbb9ecba958909bd555c11ceefeea6bc7dbaaa13b88d02da5b94d4bdf05d039b601785adedf1a748fe9e022648f09fc34317184ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
b7e50dfd29996a4f5ad2964f8a2b1883

SHA1
3555761062b2edaccde9842de0851dbf1b2d2f09

SHA256
185795b94987b2d006a451338623c9291daf9fc28280b87cc30c24c549e1a18d

SHA512
868eed0a92f39908a2e7362152166520f2927f74059391e5900f54fdec0476f312c9f8e9edc6b5f78dee7b56af3bb231bc3ba531d7497e4ae1a18edb55887646

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
805ba3774e1b1829f1afb629ac6438f0

SHA1
f470b862e8aec2d3c184963efcd459721b2b8f87

SHA256
c9b4650030f572669b2ef6fa347c66a22bb218e9fdbde73f574c56c164cb4784

SHA512
2f5f18844ab1c31e298f06cf5b01ee2758c4b744c82fde9a716bc1b66dfe945abfb9ec552a71e4dafbc035ed2efffdc1205dbf0f63544e07e0cf23d4cf177f24

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
5d49e9664f78eadc56192b522d3a06b1

SHA1
2a20e80d08848e92f50bc334e0077d27cf1c8028

SHA256
178195919303893ea9267e0457555e0aeb199191a47a6ac046dd75c8d350d967

SHA512
d54e60b465a630f4cb4ac027136589991fb6fb9780d6a8badfc42705a1657327ae70c2f57cc910fdced7dadde90304cdb870d8969844b93f83ef0026d47f825b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
a73fb6e058a3ba48f27ddf9bc695ca7c

SHA1
e7cc939866a88801d3f4a6dde76c2dc97de18446

SHA256
d84bdc79ebd953477115441589ab50c37ad7d28b92fe7eb72c72753d6cf64bf4

SHA512
4203b4791722468bdebf4688839193b0666aee65005ee4cc04e685bd69eb3ed9c4a9964d3150627ba0b26b6494553e54a57544db64826bb4fdbea91305f67e70

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
112B

MD5
f6988c9e10a389fb7dd16398bae98efc

SHA1
a290590d9ca915ce7876dbd74704cc6096b6d793

SHA256
9b1bc3ddbcd8f370e67622f4adf0d058ccab970e27e3e9d28b30f22bdf4ed4a0

SHA512
6ed808e62431be792a222957042e10c2c84f14ad30060510a24fd87086337070782ab7ec15241e058bf49c6687dad6674d6eed4753417e65269891035d89f5a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt

Filesize
105B

MD5
c534b150e1f22636f2b661002d2dd34e

SHA1
43bb3948051cfef847affeff5d3db595cb612041

SHA256
d494d21a18e5f26a1fde39eb3e563d2ce284b0ca54a1288dacabba83b4270128

SHA512
0d506814e56600ca9deb18c34dee4a429ffe4879eb8e9b28264b348ecb3cff81539333c9749f79905bdbf21f655c2d4355a45b81658ad9b4664720db5c4467ec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\ff1cdc8c-1251-4df5-9c64-97fa3a9cd4b0.tmp

Filesize
16KB

MD5
8f0b2bf6dab35c8d7274eef378f2ffec

SHA1
86cdb907021a5aceb92b323b1577d81a9cec841f

SHA256
38405612111a4690658684187889f4f7a6318bb2432d32b332e553229aa06ddd

SHA512
cefcadfce1372e49ca5de1ed4295803ddd7d513b61241c4f33eaa3cec40f3246d11de731f317a6629cce273599155df21d62dfbb0c6af695ce4190de8ec7372d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
259KB

MD5
1b0483ff5c815876f7851d3741ec2a99

SHA1
f0c9c9de29fcf823cbcf11fa18326a7f4983a7c5

SHA256
aec614f34a085e1c95a70b26d5e82e9de0589b0c63a4428e80681fce5579acc5

SHA512
c38500306ca6f785a5c76d1380a765dbf9d1ba8fe0fef46b953512031c37b08c80ea3bf77c60da9c455448dd7e308004b837b21e1b05e964d14cb31da0120e5b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
103KB

MD5
f1bd1886749044e72ef79146139e4623

SHA1
7cd6e926bb1709405dfbe423c0702a1cc862f100

SHA256
6b84676f72ca614ff7da854776f877ef31bb6508f00911a9aef71903b8470bb2

SHA512
e9bc09024202ec06bdbd6fc69e940422d8886d45c6f6240a250d52de00ec384765d80ffe71b2b82267541881de69ffa20d0a0fa8dae9dfbf03fbddcd27a7ef21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe589239.TMP

Filesize
83KB

MD5
37a9387395f9ba61c5aa337b01afaf64

SHA1
1e249c7e67efb43583b3b7fcccb771054200ae98

SHA256
4504a78f07eda9293d3df261728d2d19ffc79b9e7bd81f048309c099ddaa979b

SHA512
f1a36e02e0882b08af955956b627c1a6301b081d7f22a4dfcf14b63e6712ba33296d505547caf0aa7c4eb7a909a12607414c817e8302cf8f063d94964f2f61db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\e85f5f52-cd8f-42b5-a279-398bb159fa31.tmp

Filesize
259KB

MD5
83381a328e5db46062f816a9930abee2

SHA1
c6af0577ce9be50eba120fcd208ba77d696de7ef

SHA256
355e35448c6aa94040f798eb799d756b079b7b7bcdfbf55424226cf842a584b4

SHA512
093190d520810712dabd34ab6a9915619ffc4bcd9a5ca05f614c88fbde1f48e471329d1e5b82263fb2f3eab77d686c384ca0ba27531560b73e345f086170e0fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db

Filesize
14KB

MD5
fbb72a305048a8cc6cf3d5c86875b48d

SHA1
7f692c0689b8488e7eee97a6fbc61fe0fb6c3dd6

SHA256
5e3173fa1bedace1aabe88222ff68cf7fd0d6962d4e824f9288e516ca40eb9ce

SHA512
6dc5cc27cb048a43d9200264f7227425cc6a4621c6522375414c3971b7a03dca1fed3482c797fa38d19f2191c4c2903091c1899ced50c27ac6e3d20dd830e5d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\200.ico

Filesize
116KB

MD5
e043a9cb014d641a56f50f9d9ac9a1b9

SHA1
61dc6aed3d0d1f3b8afe3d161410848c565247ed

SHA256
9dd7020d04753294c8fb694ac49f406de9adad45d8cdd43fefd99fec3659e946

SHA512
4ae5df94fd590703b7a92f19703d733559d600a3885c65f146db04e8bbf6ead9ab5a1748d99c892e6bde63dd4e1592d6f06e02e4baf5e854c8ce6ea0cce1984f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\BrowserInstaller.exe

Filesize
1.6MB

MD5
83a8f0546164c9ba1a248acedefd6e5d

SHA1
7652f353ed74015e7e78bc9f9e305a48d336b6d1

SHA256
e7c5072ec60d32022b3c818c527ad86f4985837a4f0e9fc6477f54ae86d9f1c9

SHA512
111d11acdaef0036ff5cabeb16ed55bf4c681fa6eb3c006af450a0ebadae3e213a8f3abb0f4a9aecc8e893af7a79b4eb7f74a5fc3743e338c3e3136b5d7f9f2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\IRZip.lmd

Filesize
1.7MB

MD5
dabd469bae99f6f2ada08cd2dd3139c3

SHA1
6714e8be7937f7b1be5f7d9bef9cc9c6da0d9e9b

SHA256
89acf7a60e1d3f2bd7804c0cd65f8c90d52606d2a66906c8f31dce2e0ea66606

SHA512
9c5fd1c8f00c78a6f4fd77b75efae892d1cb6baa2e71d89389c659d7c6f8b827b99cecadb0d56c690dd7b26849c6f237af9db3d1a52ae8531d67635b5eff5915

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\Wow64.lmd

Filesize
97KB

MD5
da1d0cd400e0b6ad6415fd4d90f69666

SHA1
de9083d2902906cacf57259cf581b1466400b799

SHA256
7a79b049bdc3b6e4d101691888360f4f993098f3e3a8beefff4ac367430b1575

SHA512
f12f64670f158c2e846e78b7b5d191158268b45ecf3c288f02bbee15ae10c4a62e67fb3481da304ba99da2c68ac44d713a44a458ef359db329b6fef3d323382a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\irsetup.exe

Filesize
1.2MB

MD5
9c1463eae93979fb58c2f7d76ccea725

SHA1
a39f2bf168f4d0125d38ae06b60e6b54ce2ecf0d

SHA256
7af2713fba2119eeb1c62854981aa9ef4486900e21d8e718dd4626d688d6b180

SHA512
e7faee07c7cd8ac1157e56e4dc890e5b626c1498c16f04ae6ecef790927848303b5eac869f1c571a4098dae7c2ed7cbb940cef5e5aee7dd9707e71afbc992de7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_ir_sf_temp_0\lua5.1.dll

Filesize
325KB

MD5
c333af59fa9f0b12d1cd9f6bba111e3a

SHA1
66ae1d42b2de0d620fe0b7cc6e1c718c6c579ed0

SHA256
fad540071986c59ec40102c9ca9518a0ddce80cf39eb2fd476bb1a7a03d6eb34

SHA512
2f7e2e53ba1cb9ff38e580da20d6004900494ff7b7ae0ced73c330fae95320cf0ab79278e7434272e469cb4ea2cbbd5198d2cd305dc4b75935e1ca686c6c7ff4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
10KB

MD5
cc75b749d970f45e4e2d36cbdd604a29

SHA1
3d433dd0777b54464e5654b6bcf1608d91b5284c

SHA256
7214a88f167616140b407763ce1a1989de6d73d08b45f269b34839d161758b5a

SHA512
169cc04036ffd8509c1c040de7e2a0a3136bb193ce64995a57d08e577696403dd78824daff78dcdf1cdf52243132412443c74387282ea038b0c568af096b01b7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
aaeff538f9c0256378fa1befd164ce3b

SHA1
d147c3e325164886868cfb581737cac4d167e896

SHA256
b74cf20c4e8bfa870948a736aad01ec56a6311daae495ba1a3da217ba8aef7f3

SHA512
2d0a5f490d0201d0785923fee6a60a9ccc139b7aadf02d840e63593631cffc1634d51cb076473b5081e17c0652d6ece2d8cde832bebe1f4d4c84e88f126083a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
470164147b31025bfddd4d65397a6eab

SHA1
36935000142df7477497a724f51b2e15993049c2

SHA256
d237073b9fdaf0ca57ff54a529880b7b9c9d1ff39d8fbcfb44f42680b718820a

SHA512
55e00bfb0086618c333b0127e7be559ab0f2c8a086743adbd9a854dc49fc99e9a3e5d46ca7eb1c728e6e1273c3982f199b2f6910fd69d69101e79fda8d4101f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
424B

MD5
02e7b09a76a88b1b62a70d60c86fdab4

SHA1
3f95019c3733a582d16f2639a0ea64c0002129ee

SHA256
570073444bd95b544d90e968c9e08b8ae7c47e4b413e7f2eb67da6ffa0fa3468

SHA512
6a2e77f099c2acaae0ac2ed8d669279fdb5e0c1eb7c3a9839a462b50ade121d3c9fdf927bc9d384f9d908cab97524963ed14657447228df0a15c668ce01e280e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
701B

MD5
4bd2916a4ff231624c30ac679e23bbf1

SHA1
c84fe0dca79e02e2380990403924eaafd83a142a

SHA256
069c639515475ce6c1fc6409d3d6be0988abe8eb8ea25c94a623d2b94de14b37

SHA512
6b5b349f04df75744b9ae29be031d37832a6ef43bd92e3c769938a9d384255729adf9231c78d087f3b04299403c234539938ccdd1f9d350f119b3545972b32bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
822B

MD5
89fbf2247bb67db8ae55b44014120f30

SHA1
f63f6ff0ef3efbec5101d8403c8b0b63b2815896

SHA256
ff09428c1c931e502648e792cc7cc3db8ff993c2b86d0b2a4c5979465d4469e1

SHA512
9f6ca167e2a6f15c058b438a25095fab7b405d3982b49eb09141a337f96f9d3862a5fedc3c73d9492f1a1a532cdf50c7daa4b695b61327bd31aa0ee739c4a9ee

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a426133aacdbdae41e446bdc245ad53b

SHA1
75ac05dc88e6f52208201db8563f5fde1f852a60

SHA256
02e859f7a182712dfb9c298daeed37194ea597a42d6542b373fd731dc4ef201a

SHA512
c86d1b84fe2bced5a49bc305c6ba0110af7fcc487d669bf11c2560fa139162243a98b3ccc685b006c8c6075ebef319a7ca80b4a47bc6817be62adede1c44fcc2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d072b3ea8fdd1e69edf7eedb973cab81

SHA1
12c7c9b0233806b83c5e5b2bc38565579f43672e

SHA256
5c4b2f7cd327ebb17ac0205a172c040df23893fffc3925bb07e52f99ad468d59

SHA512
b3847e3fe524fe87603204293a3226e035fae409780b0f8de067b43a1401f1be1a5cf306a93e2f3ec47d3461c780b4c69ba56e6dff20ba95c3f9a392aef4cc79

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0b9e57e349e0f29dc41f93c459a7ecf9

SHA1
2554b3d6d1fab2524bdd30b4569aef0c3d75d884

SHA256
ffbc0738fddbe94a4605c7f6cccbb79e2e768365a50fb59d2565633d0093c791

SHA512
90dd65dea049ecb4a47bb6b94b48d528c4c0c4d1878c34557b9152edaeb30bdad10df2cfbd64b338294bf047e1995a6a3c5d115c565e01d94549dc47ac090e12

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
54f2034c886cd6140269f11fb31564c6

SHA1
00a3c95277a237a48b4cca27b0d3e903f07d612b

SHA256
d637e4087978ac1f0c7489850ddaae7b4c06f46d4d23859670fa316f42a9b673

SHA512
6faa2fc85057fc48514ba928b154505cf217fb4bbf6fda7fd596a032c4e3d5db8ef3cf0649d5ac903dcf0a461baf62658934703dbbbecd94a2233fcd3651b23c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3c499f07c39ff2c150a1a218281eb857

SHA1
8ee2b803a1487751da8d7a064e496a519abd0dee

SHA256
ea1d76115c081b97f2b9887f563d36a1d2a0d1d4cfa1dc346a8e1f2372e26d50

SHA512
a2d2fe250c53174a569d67061bdc8d89d50e892ffe18adf571fb3c6520e77484332f9f4ab9707195b98aa4b00cd12c16b3744f46b9b06f916bd8b12d2d6cca3b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
64b2ba181cb5a5c34f0c9bde88d88e72

SHA1
3a8f9c54d4d821dd8d983f2d9b0cbc76090c3575

SHA256
f679be8d28524ca3fd9d55d97e99a5a81aab3c044a6c9051cd4d8fb3362ce5e2

SHA512
7b06f8e1f72dec3722d3682a45433aa7568544f1f007478fa9fc81df91c5872b8fa05a5715607892d78fe11802cc8c11b9c9330baedaf959cab519a6eeeff2a2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
23f58fd3de51354630c83f48282be509

SHA1
c6cb9252ed7aa4098eaca60166e0b727422337aa

SHA256
1e6904e7e3311e01d2b19fa48443bfd0525d122485207ff4e3a1cca0db530a3c

SHA512
58545b024b5890ed1de8f5d83245d7e87f39569e58e4b5ff1331999a35b3ea3098d68b98087d3fcbcd53a3e174566853ed51d4fc4fd1389847917bfae25c1def

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
6KB

MD5
493871ce5b3bad74f6abb7fd8d689ea9

SHA1
5bbd024208b62780529628cd1fa770e755e0c8a5

SHA256
35d68413b77549ae74dec5b7bc0d15d0a3156d3e0e0b8b4fff81a5d2966b1d32

SHA512
d6dff69e72e75f13f1eec403ea47854a733aff4b24856f4b2834f4f2d6e00d220c0ade277ffb12420b98425927f4dcf2bfc29f1db1e405b8c35bfacf595359ed

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
7KB

MD5
93b071b3faaefb2d6e66098d15714789

SHA1
14aa73d05cb8b2d842a09eff8f32275b1fb53361

SHA256
98b04967c72dfbc396114041b64ae8c378576e42ec8124fd849df5a4956e10c0

SHA512
c556e75a84d61a8efbccf004f09b6110d813a965d5dd846510e9515fbe604991a32c97b74c677cedde24f2ef8956ae99c300f442235aa225d124237cd0c4121c

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 345171.crdownload

Filesize
5.1MB

MD5
aee6801792d67607f228be8cec8291f9

SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066

SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

Download Submit
C:\Users\Admin\Downloads\gcapi.dll

Filesize
64KB

MD5
ecb9969b560eabbf7894b287d110eb4c

SHA1
783ded8c10cc919402a665c0702d6120405cee5d

SHA256
eb8ba080d7b2b98d9c451fbf3a43634491b1fbb563dbbfbc878cbfd728558ea6

SHA512
d86faac12f13fcb9570dff01df0ba910946a33eff1c1b1e48fb4b17b0fb61dded6abf018574ac8f3e36b9cf11ec025b2f56bb04dd00084df243e6d9d32770942

Download Submit
memory/560-651-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/560-592-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/560-1526-0x00007FFF51EA0000-0x00007FFF520A9000-memory.dmp

Filesize
2.0MB

Download
memory/560-598-0x00007FFF51EA0000-0x00007FFF520A9000-memory.dmp

Filesize
2.0MB

Download
memory/560-1519-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/560-731-0x00007FFF51EA0000-0x00007FFF520A9000-memory.dmp

Filesize
2.0MB

Download
memory/560-14-0x0000000000AF0000-0x0000000000ED9000-memory.dmp

Filesize
3.9MB

Download
memory/560-1504-0x0000000010000000-0x0000000010051000-memory.dmp

Filesize
324KB

Download
memory/560-650-0x0000000000AF0000-0x0000000000ED9000-memory.dmp

Filesize
3.9MB

Download
memory/1192-1463-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/1192-1457-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/1192-1192-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/1192-1442-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/1192-1500-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/1192-1515-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/1984-1172-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/1984-1441-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/3956-1517-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/3956-1445-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/3956-1465-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/3956-1459-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/3956-1502-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/5076-1191-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/5076-1443-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download
memory/5076-1458-0x0000000000F30000-0x0000000002679000-memory.dmp

Filesize
23.3MB

Download