Analysis Overview
SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
Threat Level: Likely malicious
The file AnyDesk.exe was found to be: Likely malicious.
Malicious Activity Summary
Looks for VirtualBox Guest Additions in registry
Stops running service(s)
Checks BIOS information in registry
VMProtect packed file
Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Executes dropped EXE
Launches sc.exe
Checks for VirtualBox DLLs, possible anti-VM trick
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious use of WriteProcessMemory
Checks processor information in registry
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Uses Task Scheduler COM API
Suspicious use of SetWindowsHookEx
Modifies data under HKEY_USERS
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Kills process with taskkill
Suspicious behavior: LoadsDriver
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-06-26 12:27
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-26 12:26
Reported: 2024-06-26 12:30
Platform: win10-20240404-en
Max time kernel: 140s
Max time network: 227s
Command Line
Signatures
Looks for VirtualBox Guest Additions in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Oracle\VirtualBox Guest Additions | C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe | N/A |
Stops running service(s)
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe | N/A |
VMProtect packed file
Downloads MZ/PE file
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
Checks for VirtualBox DLLs, possible anti-VM trick
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\VBoxMiniRdrDN | C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe (22 identical rows) | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-873560699-1074803302-2326074425-1000_Classes\Local Settings | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe:Zone.Identifier | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Program Files\Mozilla Firefox\firefox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe (15 identical rows) | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (6 identical rows) | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe (3 identical rows) | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe (2 identical rows) | N/A |
| N/A | N/A | C:\Program Files\Mozilla Firefox\firefox.exe (4 identical rows) | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x38c
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.0.1546790538\1489199427" -parentBuildID 20221007134813 -prefsHandle 1716 -prefMapHandle 1708 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a83e3921-1efd-4d9b-86dd-fdd8a3b0304a} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 1796 25d7d8d8458 gpu
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.1.855491774\1053699062" -parentBuildID 20221007134813 -prefsHandle 2140 -prefMapHandle 2136 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e3996eff-b6e1-4759-869c-89fd45cdecf5} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 2152 25d7d7fbc58 socket
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.2.1919139020\191223638" -childID 1 -isForBrowser -prefsHandle 2724 -prefMapHandle 2852 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1212 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {9644bac8-180b-4e75-ac55-9379c0863487} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 2928 25d022b8f58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.3.793801263\237681544" -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 3536 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1212 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {103e78d7-5d13-43ad-95fe-d03ba96f917b} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 3544 25d03111058 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.4.630676053\20312612" -childID 3 -isForBrowser -prefsHandle 4396 -prefMapHandle 4316 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1212 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abe177a3-f2a8-4330-b4f9-3735598ec866} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 4404 25d04804d58 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.5.26356846\1735182918" -childID 4 -isForBrowser -prefsHandle 4892 -prefMapHandle 4904 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1212 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {6f9cb915-bb32-4209-8241-1dd36a6d64f5} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 4912 25d03145258 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.6.1680764667\1457358836" -childID 5 -isForBrowser -prefsHandle 5052 -prefMapHandle 5056 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1212 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {29a927a9-76f6-4690-9bdc-cc34d56f1fd7} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 4936 25d04bb2558 tab
C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3884.7.1532518522\1298502764" -childID 6 -isForBrowser -prefsHandle 5248 -prefMapHandle 5252 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1212 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f238b57e-2343-4d4f-aa7b-f5b37177ffb4} 3884 "\\.\pipe\gecko-crash-server-pipe.3884" 5332 25d04bb3158 tab
C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe
"C:\Users\Admin\Downloads\Blueberry Free Swoofer.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq floss*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq floss*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0B
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic baseboard get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\System32\Wbem\WMIC.exe
wmic baseboard get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic bios get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic bios get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic cpu get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic cpu get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c wmic diskdrive get serialnumber
C:\Windows\System32\Wbem\WMIC.exe
wmic diskdrive get serialnumber
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c vol | findstr Serial
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" vol "
C:\Windows\system32\findstr.exe
findstr Serial
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c getmac
C:\Windows\system32\getmac.exe
getmac
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0B
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0B
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0B
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c color 0B
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerProSdk
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\ImmersiveControlPanel\SystemSettings.exe
"C:\Windows\ImmersiveControlPanel\SystemSettings.exe" -ServerName:microsoft.windows.immersivecontrolpanel
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq die*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebugger.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FolderChangesView.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HttpDebuggerSdk
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq floss*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq floss*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq charles*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq charles*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ida*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ida*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerProSdk >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerProSdk
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker3 >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\sc.exe
sc stop KProcessHacker3
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker2 >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop KProcessHacker1 >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\sc.exe
sc stop KProcessHacker1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop wireshark >nul 2>&1
C:\Windows\system32\sc.exe
sc stop wireshark
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HTTPDebuggerPro >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HTTPDebuggerPro
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq cheatengine*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq httpdebugger*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq processhacker*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x64dbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq x32dbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq ollydbg*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq fiddler*" /IM * /F /T
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq die*" /IM * /F /T >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq die*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebugger.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebugger.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im FolderChangesView.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im FolderChangesView.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop HttpDebuggerSdk >nul 2>&1
C:\Windows\system32\sc.exe
sc stop HttpDebuggerSdk
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c sc stop npf >nul 2>&1
C:\Windows\system32\sc.exe
sc stop npf
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /FI "IMAGENAME eq floss*" /IM * /F /T >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /FI "IMAGENAME eq floss*" /IM * /F /T
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerUI.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerUI.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im HTTPDebuggerSvc.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im HTTPDebuggerSvc.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Ida64.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im Ida64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im OllyDbg.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im OllyDbg.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg64.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg64.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Taskmgr.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Taskmgr.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c taskkill /f /im Dbg32.exe >nul 2>&1
C:\Windows\system32\taskkill.exe
taskkill /f /im Dbg32.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| DE | 195.181.174.167:443 | boot.net.anydesk.com | tcp |
| DE | 195.181.174.167:80 | boot.net.anydesk.com | tcp |
| DE | 195.181.174.167:6568 | boot.net.anydesk.com | tcp |
| DE | 195.181.174.167:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-2cf7befd.net.anydesk.com | udp |
| GB | 195.181.165.139:443 | relay-2cf7befd.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 167.174.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 139.165.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | relay-ad195ac5.net.anydesk.com | udp |
| GB | 57.128.141.163:443 | relay-ad195ac5.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 163.141.128.57.in-addr.arpa | udp |
| FI | 84.250.189.116:7070 | | tcp |
| FI | 84.250.189.116:49934 | | tcp |
| N/A | 192.168.0.145:7070 | | tcp |
| US | 8.8.8.8:53 | 116.189.250.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:50111 | | tcp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | content-signature-2.cdn.mozilla.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | tcp |
| US | 34.160.144.191:443 | content-signature-2.cdn.mozilla.net | tcp |
| US | 8.8.8.8:53 | push.services.mozilla.com | udp |
| US | 8.8.8.8:53 | shavar.services.mozilla.com | udp |
| US | 8.8.8.8:53 | firefox.settings.services.mozilla.com | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 52.25.179.107:443 | shavar.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 34.117.188.166:443 | contile.services.mozilla.com | udp |
| US | 34.149.100.209:443 | firefox.settings.services.mozilla.com | tcp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | contile.services.mozilla.com | udp |
| US | 8.8.8.8:53 | prod.content-signature-chains.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 166.188.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | autopush.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 34.107.243.93:443 | autopush.prod.mozaws.net | tcp |
| US | 8.8.8.8:53 | shavar.prod.mozaws.net | udp |
| US | 8.8.8.8:53 | prod.remote-settings.prod.webservices.mozgcp.net | udp |
| US | 8.8.8.8:53 | 107.179.25.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:50119 | | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | tcp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | 233.130.159.162.in-addr.arpa | udp |
| US | 162.159.130.233:443 | cdn.discordapp.com | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.179.89.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
Files
memory/4300-1-0x0000000000910000-0x0000000002059000-memory.dmp
memory/4300-2-0x0000000000914000-0x0000000001B4A000-memory.dmp
memory/4300-5-0x0000000000910000-0x0000000002059000-memory.dmp
memory/2168-10-0x0000000000910000-0x0000000002059000-memory.dmp
memory/4404-11-0x0000000000910000-0x0000000002059000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | ff5f58bc56474233e52a2cb99608adaa |
| SHA1 | 3e16d9a0e6766367ad2298f1cd4deba488f321b4 |
| SHA256 | d92270c410572c9ec305d3bd58d44fe3f33f8ab42875efd54dc1196a05faa873 |
| SHA512 | 480436319fe84cf1587410af26bb934200c830ff5578bb7b58cfb48d01d97b5963a4240928e45d8abf8cbc9a13250d3482e2ac1561f84eef9fb54df5ea031230 |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 95615bb09afcfc1dfecfd644d87ea109 |
| SHA1 | f41fe9b42d976360265707885fdd9fb692b8ce74 |
| SHA256 | 170cdc89c707e27958fc00cb8ee3ee2a124d451786ef11f3d0f0ea653e92f82f |
| SHA512 | 68be2b8a1f12809b6b1f68d3ff48ffa46cdb297f33efc03911c5759bb036cebd778318b7e84bccb8b0d61fb182e0448d8220c35eb52e05aa7a2c2c6c3f942e9f |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 0c04ad1083dc5c7c45e3ee2cd344ae38 |
| SHA1 | f1cf190f8ca93000e56d49732e9e827e2554c46f |
| SHA256 | 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0 |
| SHA512 | 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | f8d29c406be7ebdb29263e7c8aea30db |
| SHA1 | 8ee8016ef567ea3b0ba98c6d0e4dcbae7af79b3c |
| SHA256 | ecf79402aaa1913c0eea09d07262036a1f5ee408839998d1b093ed9e062fc645 |
| SHA512 | ee48bbfdef08446be1daeac16bc8c64cc101675e8d7f40f4e3d9d72d44c2b395f186b1e4f397caa43cfa68c91f32893bd063f08af2cdaf9dddf45f160fd698ee |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 08e6555f0c3fc061e65089eac843a987 |
| SHA1 | 95b89b49298aec6dcfca7f067cf833e201f5b483 |
| SHA256 | 41c432167b89bf7ddfb4232c86768624e0daeef81618481426125e54ee3860ac |
| SHA512 | caf6374ba1b3cc779bd714844a8fb601540506ade67e401f424ccc4f0a39b2774003121b113b5175f1f292cd293b515b225f108ef08820e8aea008c1439f3606 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-26 12:26
Reported
2024-06-26 12:31
Platform
win10v2004-20240508-en
Max time kernel
267s
Max time network
268s
Command Line
Signatures
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133638784571910646" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffd5af8ab58,0x7ffd5af8ab68,0x7ffd5af8ab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1804 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2252 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3116 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3124 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3648 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=4120 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4824 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5004 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4600 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5084 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3264 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4948 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3276 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=4600 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=1956 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1928 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2328 --field-trial-handle=1940,i,2159766307855383044,10339974179379193277,131072 /prefetch:1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| US | 1.1.1.1:53 | boot.net.anydesk.com | udp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.4.4:53 | google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| US | 8.8.8.8:53 | beacons.gvt2.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
Files