0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/09/2024, 07:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe
Size

158KB
MD5

95408095927f78deffaeb9cb1f4cd44d
SHA1

5e98f7cc5b8bce4dcefddc0313fe1ccc15ffe08c
SHA256

0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456
SHA512

b415f4c6d87a3a609fb554e4ee0af4f27ac8f954e85daada7d3034134a5a24b71401819d702f45e24aece4183059149c56d0936ac25dd4c5a106dc3fd09d1a81
SSDEEP

3072:s3pAiuZ03rXGkMTCyymEUoRBiaQaS/dqG9fvX7ZYl3QamlPx6AkyWx:obuZ6rXRW/HRag/dqs7ZCQ5Z6Ak/

Score

8^/10

defense_evasion upx

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2170637797-568393320-3232933035-1000\Control Panel\International\Geo\Nation	MicrosoftWindowsDefenderCoreService.exe

Executes dropped EXE 33 IoCs

pid	Process
4856	MicrosoftWindowsDefenderCoreService.exe
2252	AnyDeskCrashHandler.exe
224	AnyDeskCrashHandler.exe
4180	MicrosoftWindowsDefenderCoreService.exe
1904	AnyDeskCrashHandler.exe
1392	AnyDeskUpdateService.exe
2760	AnyDeskUpdateService.exe
2336	AnyDeskCrashHandler.exe
3816	AnyDeskUpdateService.exe
4908	AnyDeskUpdateService.exe
2204	AnyDeskUpdateService.exe
4080	AnyDeskUpdateService.exe
416	AnyDeskUpdateService.exe
3108	AnyDeskUpdateService.exe
1248	AnyDeskUpdateService.exe
3816	AnyDeskUpdateService.exe
3208	AnyDeskUpdateService.exe
1452	AnyDeskUpdateService.exe
4848	AnyDeskUpdateService.exe
1396	AnyDeskUpdateService.exe
4552	AnyDeskUpdateService.exe
1596	AnyDeskUpdateService.exe
928	AnyDeskUpdateService.exe
3980	AnyDeskUpdateService.exe
4572	AnyDeskUpdateService.exe
4028	AnyDeskUpdateService.exe
3508	AnyDeskUpdateService.exe
116	AnyDeskUpdateService.exe
2440	AnyDeskUpdateService.exe
3772	AnyDeskUpdateService.exe
3736	AnyDeskUpdateService.exe
1600	AnyDeskUpdateService.exe
3636	AnyDeskUpdateService.exe

Indicator Removal: File Deletion 1 TTPs
Adversaries may delete files left behind by the actions of their intrusion activity.
defense_evasion

File Deletion
T1070.004

Drops file in System32 directory 39 IoCs

description	ioc	Process
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt	MicrosoftWindowsDefenderCoreService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419	MicrosoftWindowsDefenderCoreService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll	MicrosoftWindowsDefenderCoreService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\AnyDeskShellIntegration.dll	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe
File created	C:\Windows\System32\oobe\version.txt	MicrosoftWindowsDefenderCoreService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe
File created	C:\Windows\System32\oobe\AnyDeskUpdateService.exe	MicrosoftWindowsDefenderCoreService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe	MicrosoftWindowsDefenderCoreService.exe
File created	C:\Windows\System32\AnyDeskShellIntegration_Update.dll	MicrosoftWindowsDefenderCoreService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\WindowsUpdate.txt	AnyDeskUpdateService.exe
File created	C:\Windows\System32\oobe\AnyDeskCrashHandler.exe	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_49536AB5156BDD74EFF881D01C36A419	MicrosoftWindowsDefenderCoreService.exe

UPX packed file 54 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3508-0-0x00007FF7B8E70000-0x00007FF7B8ECE000-memory.dmp	upx
behavioral2/files/0x0007000000023624-13.dat	upx
behavioral2/memory/4856-20-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/files/0x0007000000023622-22.dat	upx
behavioral2/memory/2252-24-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp	upx
behavioral2/memory/4856-26-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/224-28-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp	upx
behavioral2/memory/3508-29-0x00007FF7B8E70000-0x00007FF7B8ECE000-memory.dmp	upx
behavioral2/memory/1904-32-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp	upx
behavioral2/memory/224-34-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp	upx
behavioral2/memory/2252-36-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp	upx
behavioral2/files/0x000700000002362b-51.dat	upx
behavioral2/memory/1392-53-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/files/0x000700000002362c-56.dat	upx
behavioral2/memory/1392-58-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/2336-64-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp	upx
behavioral2/memory/3816-73-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-75-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/2760-78-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/2336-80-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp	upx
behavioral2/memory/4908-89-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/2204-98-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/2204-101-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-103-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/4080-115-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/416-125-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-127-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/3108-139-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/1248-149-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-151-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/3816-163-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-171-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/3208-175-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/1452-187-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-189-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/4848-199-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/1396-211-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-213-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/4552-225-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/1596-235-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-237-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/928-249-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/3980-259-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-261-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/4572-272-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4028-279-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/4180-280-0x00007FF740850000-0x00007FF7408A4000-memory.dmp	upx
behavioral2/memory/3508-289-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/116-298-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/2440-307-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/3772-318-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/3736-325-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/1600-336-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx
behavioral2/memory/3636-343-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp	upx

Launches sc.exe 64 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
3064	sc.exe
640	sc.exe
4536	sc.exe
1360	sc.exe
3436	sc.exe
3300	sc.exe
2596	sc.exe
4856	sc.exe
3816	sc.exe
3252	sc.exe
3076	sc.exe
3560	sc.exe
3604	sc.exe
4396	sc.exe
2244	sc.exe
3736	sc.exe
3956	sc.exe
4476	sc.exe
4952	sc.exe
1100	sc.exe
532	sc.exe
2792	sc.exe
2968	sc.exe
3636	sc.exe
208	sc.exe
3208	sc.exe
1392	sc.exe
3180	sc.exe
3420	sc.exe
5056	sc.exe
1144	sc.exe
2028	sc.exe
756	sc.exe
1212	sc.exe
4856	sc.exe
1968	sc.exe
4532	sc.exe
624	sc.exe
3924	sc.exe
2552	sc.exe
5060	sc.exe
3288	sc.exe
4080	sc.exe
3624	sc.exe
2612	sc.exe
4988	sc.exe
1560	sc.exe
3196	sc.exe
1996	sc.exe
4612	sc.exe
4212	sc.exe
3132	sc.exe
2248	sc.exe
3356	sc.exe
1596	sc.exe
3804	sc.exe
3588	sc.exe
4880	sc.exe
4100	sc.exe
2440	sc.exe
1992	sc.exe
3136	sc.exe
3356	sc.exe
788	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 46 IoCs

evasion

pid	Process
1768	taskkill.exe
996	taskkill.exe
3108	taskkill.exe
2440	taskkill.exe
3360	taskkill.exe
2856	taskkill.exe
3096	taskkill.exe
3456	taskkill.exe
804	taskkill.exe
692	taskkill.exe
4536	taskkill.exe
4848	taskkill.exe
4416	taskkill.exe
2812	taskkill.exe
3136	taskkill.exe
3248	taskkill.exe
860	taskkill.exe
4428	taskkill.exe
5100	taskkill.exe
2184	taskkill.exe
1160	taskkill.exe
3168	taskkill.exe
3984	taskkill.exe
640	taskkill.exe
5008	taskkill.exe
1156	taskkill.exe
3120	taskkill.exe
1392	taskkill.exe
4392	taskkill.exe
2244	taskkill.exe
2776	taskkill.exe
3632	taskkill.exe
4936	taskkill.exe
1256	taskkill.exe
4936	taskkill.exe
3804	taskkill.exe
4504	taskkill.exe
2900	taskkill.exe
5000	taskkill.exe
4092	taskkill.exe
4540	taskkill.exe
1212	taskkill.exe
3412	taskkill.exe
3328	taskkill.exe
2484	taskkill.exe
4480	taskkill.exe

Modifies data under HKEY_USERS 14 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	MicrosoftWindowsDefenderCoreService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftWindowsDefenderCoreService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	AnyDeskUpdateService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	AnyDeskUpdateService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	AnyDeskUpdateService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "1"	MicrosoftWindowsDefenderCoreService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	MicrosoftWindowsDefenderCoreService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName = "1"	AnyDeskUpdateService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Content\CachePrefix	MicrosoftWindowsDefenderCoreService.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\History\CachePrefix = "Visited:"	MicrosoftWindowsDefenderCoreService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	AnyDeskUpdateService.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	MicrosoftWindowsDefenderCoreService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass = "1"	MicrosoftWindowsDefenderCoreService.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "0"	MicrosoftWindowsDefenderCoreService.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2760	AnyDeskUpdateService.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeDebugPrivilege	1160	taskkill.exe
Token: SeDebugPrivilege	4092	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	3096	taskkill.exe
Token: SeDebugPrivilege	3456	taskkill.exe
Token: SeDebugPrivilege	2776	taskkill.exe
Token: SeDebugPrivilege	4416	taskkill.exe
Token: SeDebugPrivilege	2812	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	3168	taskkill.exe
Token: SeDebugPrivilege	4504	taskkill.exe
Token: SeDebugPrivilege	2900	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	3136	taskkill.exe
Token: SeDebugPrivilege	3248	taskkill.exe
Token: SeDebugPrivilege	5000	taskkill.exe
Token: SeDebugPrivilege	860	taskkill.exe
Token: SeDebugPrivilege	1768	taskkill.exe
Token: SeDebugPrivilege	2484	taskkill.exe
Token: SeDebugPrivilege	996	taskkill.exe
Token: SeDebugPrivilege	3804	taskkill.exe
Token: SeDebugPrivilege	4936	taskkill.exe
Token: SeDebugPrivilege	4428	taskkill.exe
Token: SeDebugPrivilege	4480	taskkill.exe
Token: SeDebugPrivilege	5100	taskkill.exe
Token: SeDebugPrivilege	1256	taskkill.exe
Token: SeDebugPrivilege	804	taskkill.exe
Token: SeDebugPrivilege	692	taskkill.exe
Token: SeDebugPrivilege	1212	taskkill.exe
Token: SeDebugPrivilege	2184	taskkill.exe
Token: SeDebugPrivilege	3412	taskkill.exe
Token: SeDebugPrivilege	4392	taskkill.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	2440	taskkill.exe
Token: SeDebugPrivilege	3360	taskkill.exe
Token: SeDebugPrivilege	3984	taskkill.exe
Token: SeDebugPrivilege	3120	taskkill.exe
Token: SeDebugPrivilege	1392	taskkill.exe
Token: SeDebugPrivilege	3328	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	2244	taskkill.exe
Token: SeDebugPrivilege	2856	taskkill.exe
Token: SeDebugPrivilege	4848	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3508 wrote to memory of 4744	3508	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe	90
PID 3508 wrote to memory of 4744	3508	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe	90
PID 3508 wrote to memory of 4856	3508	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe	91
PID 3508 wrote to memory of 4856	3508	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe	91
PID 4856 wrote to memory of 2252	4856	MicrosoftWindowsDefenderCoreService.exe	94
PID 4856 wrote to memory of 2252	4856	MicrosoftWindowsDefenderCoreService.exe	94
PID 3508 wrote to memory of 224	3508	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe	95
PID 3508 wrote to memory of 224	3508	0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe	95
PID 2252 wrote to memory of 3204	2252	AnyDeskCrashHandler.exe	101
PID 2252 wrote to memory of 3204	2252	AnyDeskCrashHandler.exe	101
PID 3204 wrote to memory of 1212	3204	cmd.exe	103
PID 3204 wrote to memory of 1212	3204	cmd.exe	103
PID 2252 wrote to memory of 4080	2252	AnyDeskCrashHandler.exe	104
PID 2252 wrote to memory of 4080	2252	AnyDeskCrashHandler.exe	104
PID 4080 wrote to memory of 3300	4080	cmd.exe	106
PID 4080 wrote to memory of 3300	4080	cmd.exe	106
PID 224 wrote to memory of 2872	224	AnyDeskCrashHandler.exe	107
PID 224 wrote to memory of 2872	224	AnyDeskCrashHandler.exe	107
PID 2872 wrote to memory of 3132	2872	cmd.exe	110
PID 2872 wrote to memory of 3132	2872	cmd.exe	110
PID 224 wrote to memory of 5056	224	AnyDeskCrashHandler.exe	111
PID 224 wrote to memory of 5056	224	AnyDeskCrashHandler.exe	111
PID 4180 wrote to memory of 1904	4180	MicrosoftWindowsDefenderCoreService.exe	113
PID 4180 wrote to memory of 1904	4180	MicrosoftWindowsDefenderCoreService.exe	113
PID 5056 wrote to memory of 2612	5056	cmd.exe	114
PID 5056 wrote to memory of 2612	5056	cmd.exe	114
PID 4180 wrote to memory of 3668	4180	MicrosoftWindowsDefenderCoreService.exe	115
PID 4180 wrote to memory of 3668	4180	MicrosoftWindowsDefenderCoreService.exe	115
PID 3668 wrote to memory of 1392	3668	cmd.exe	117
PID 3668 wrote to memory of 1392	3668	cmd.exe	117
PID 1392 wrote to memory of 3756	1392	AnyDeskUpdateService.exe	118
PID 1392 wrote to memory of 3756	1392	AnyDeskUpdateService.exe	118
PID 4180 wrote to memory of 4428	4180	MicrosoftWindowsDefenderCoreService.exe	119
PID 4180 wrote to memory of 4428	4180	MicrosoftWindowsDefenderCoreService.exe	119
PID 4180 wrote to memory of 4540	4180	MicrosoftWindowsDefenderCoreService.exe	120
PID 4180 wrote to memory of 4540	4180	MicrosoftWindowsDefenderCoreService.exe	120
PID 4428 wrote to memory of 1560	4428	cmd.exe	123
PID 4428 wrote to memory of 1560	4428	cmd.exe	123
PID 2760 wrote to memory of 2184	2760	AnyDeskUpdateService.exe	125
PID 2760 wrote to memory of 2184	2760	AnyDeskUpdateService.exe	125
PID 2760 wrote to memory of 2336	2760	AnyDeskUpdateService.exe	128
PID 2760 wrote to memory of 2336	2760	AnyDeskUpdateService.exe	128
PID 2760 wrote to memory of 3236	2760	AnyDeskUpdateService.exe	129
PID 2760 wrote to memory of 3236	2760	AnyDeskUpdateService.exe	129
PID 2760 wrote to memory of 3180	2760	AnyDeskUpdateService.exe	131
PID 2760 wrote to memory of 3180	2760	AnyDeskUpdateService.exe	131
PID 3236 wrote to memory of 1160	3236	cmd.exe	133
PID 3236 wrote to memory of 1160	3236	cmd.exe	133
PID 3180 wrote to memory of 2552	3180	cmd.exe	134
PID 3180 wrote to memory of 2552	3180	cmd.exe	134
PID 2760 wrote to memory of 5060	2760	AnyDeskUpdateService.exe	137
PID 2760 wrote to memory of 5060	2760	AnyDeskUpdateService.exe	137
PID 2760 wrote to memory of 636	2760	AnyDeskUpdateService.exe	139
PID 2760 wrote to memory of 636	2760	AnyDeskUpdateService.exe	139
PID 5060 wrote to memory of 4092	5060	cmd.exe	141
PID 5060 wrote to memory of 4092	5060	cmd.exe	141
PID 636 wrote to memory of 3332	636	cmd.exe	142
PID 636 wrote to memory of 3332	636	cmd.exe	142
PID 4180 wrote to memory of 2872	4180	MicrosoftWindowsDefenderCoreService.exe	143
PID 4180 wrote to memory of 2872	4180	MicrosoftWindowsDefenderCoreService.exe	143
PID 2872 wrote to memory of 3816	2872	cmd.exe	145
PID 2872 wrote to memory of 3816	2872	cmd.exe	145
PID 3816 wrote to memory of 3924	3816	AnyDeskUpdateService.exe	146
PID 3816 wrote to memory of 3924	3816	AnyDeskUpdateService.exe	146

C:\Users\Admin\AppData\Local\Temp\0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe
"C:\Users\Admin\AppData\Local\Temp\0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456.exe"
1⤵
- Checks computer location settings
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:3508
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
  2⤵
  PID:4744
- C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
  "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4856
- - C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
    "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 4856
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3204
    - - C:\Windows\system32\sc.exe
        
        sc start AnyDeskUpdateService
        5⤵
        Launches sc.exe
        
        PID:1212
  - - C:\Windows\System32\cmd.exe
      C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4080
    - - C:\Windows\system32\sc.exe
        
        sc start MicrosoftWindowsDefenderCoreService
        5⤵
        Launches sc.exe
        
        PID:3300
- C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
  "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 3508
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:224
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\sc.exe
      sc start AnyDeskUpdateService
      4⤵
      Launches sc.exe
      PID:3132
- - C:\Windows\System32\cmd.exe
    C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\Windows\system32\sc.exe
      sc start MicrosoftWindowsDefenderCoreService
      4⤵
      Launches sc.exe
      PID:2612

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2460,i,15336851255456239337,16379811035920490645,262144 --variations-seed-version --mojo-platform-channel-handle=4452 /prefetch:8
1⤵
PID:996

C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe
"C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious use of WriteProcessMemory
PID:4180
- C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
  "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 4180
  2⤵
  - Executes dropped EXE
  PID:1904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3668
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:1392
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:3756
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4428
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:1560
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2872
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Suspicious use of WriteProcessMemory
    PID:3816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:3924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3272
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:3944
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:3168
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4908
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:4124
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3332
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:5060
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4528
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:5092
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2204
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:2496
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1992
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:208
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:3668
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:4480
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4080
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:2840
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:2792
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:636
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:748
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:416
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:4988
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3356
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:3604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:4128
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:3816
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3164
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:4100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:1628
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1248
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1404
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:5056
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4080
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:1820
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3816
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:2812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3860
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    PID:2320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:3500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:3240
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3208
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:8
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1248
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:1144
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:4252
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1452
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:4100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1036
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:4396
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4696
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:1604
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4848
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:1628
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1896
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    PID:4036
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:3780
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:1864
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:3500
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3588
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:800
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:3332
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4552
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:1604
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1492
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:4856
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:1320
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:2320
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:800
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:5000
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:3956
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:1944
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:2248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:456
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:2028
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:1604
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:3500
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:2528
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3656
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:4612
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4176
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:3268
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4572
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:708
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:8
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:2248
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:3136
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:4028
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:1996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1092
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:3816
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:1492
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:4988
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3508
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:3564
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:672
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:3252
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:3128
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:1824
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:116
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:3432
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1684
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    PID:3456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:4260
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:2440
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:3588
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    PID:4988
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4540
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:8
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:1260
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1612
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:4212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:3168
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:3608
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3736
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:1092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:2528
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:1392
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:2484
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:1600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:3128
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:4684
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    PID:1828
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:996
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
  2⤵
  PID:1972
- - C:\Windows\System32\oobe\AnyDeskUpdateService.exe
    C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    PID:3636
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
      4⤵
      PID:4036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
  2⤵
  PID:1452
- - C:\Windows\system32\sc.exe
    sc start AnyDeskUpdateService
    3⤵
    - Launches sc.exe
    PID:1100
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
  2⤵
  PID:3700

C:\Windows\System32\oobe\AnyDeskUpdateService.exe
"C:\Windows\System32\oobe\AnyDeskUpdateService.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Modifies data under HKEY_USERS
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:2760
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
  2⤵
  PID:2184
- C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
  "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2760
  2⤵
  - Executes dropped EXE
  PID:2336
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:2552
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4092
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    PID:3332
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3668
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4540
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:2268
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    PID:1568
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2056
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3096
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3552
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3180
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:216
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3456
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3536
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3588
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:800
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1396
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3420
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3552
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4416
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:2552
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3288
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3456
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:5096
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:4880
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:652
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:5092
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3864
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3168
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3452
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:4080
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:1956
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4504
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:2792
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:2968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3756
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:800
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3064
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4220
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3632
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4412
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3196
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2688
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4856
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:4536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4088
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3248
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3908
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2684
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:652
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2612
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:860
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1684
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3924
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2688
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1768
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4932
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:708
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2484
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4952
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:1992
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2900
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3788
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    PID:3240
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:636
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4556
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:1996
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2084
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4936
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1992
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:1260
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4428
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4544
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3208
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3016
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4480
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4208
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3636
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3424
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5100
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1964
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3736
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2352
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1256
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3668
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:1360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4676
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:804
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:2776
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    PID:3968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:1844
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:692
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4036
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3136
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:1392
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1212
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:2308
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:1968
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4412
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2184
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:5000
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:4476
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3436
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1828
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:2596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:116
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3184
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:4856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4156
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3108
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:636
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:4532
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3192
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2440
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3560
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:4952
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4428
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3360
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4684
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:748
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3984
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3448
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3816
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4092
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    PID:412
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4060
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1392
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:2496
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:1596
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3396
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:3328
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3000
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3076
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:5008
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:4744
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3436
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:1916
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4536
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1996
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    PID:3748
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:2400
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2244
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1664
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3560
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:4988
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2856
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:1036
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:3356
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:3208
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3180
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    PID:1824
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:772
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:3924
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:624
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
  2⤵
  PID:5020
- - C:\Windows\system32\taskkill.exe
    taskkill /f /im MsMpEng.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:640
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
  2⤵
  PID:2676
- - C:\Windows\system32\sc.exe
    sc start MicrosoftWindowsDefenderCoreService
    3⤵
    - Launches sc.exe
    PID:756

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\System32\AnyDeskShellIntegration_Update.dll

Filesize
53KB

MD5
6e948e7425a1693b64951a8eb2a846c7

SHA1
d12b91d1cfa5cefc1efe917f1b893bccd1210896

SHA256
6d7df6c7605316be49804840649d26ff1fbd2f9208a0330ef87247920edb93fe

SHA512
0dcccb38e919a345dabee0f40fcf526239ea6d3f4289fc16f5bf6c2bf73a5b564d643bcc522bb63b97e574f59d732640afd8f20a98bcbdd10f2368e515bf8d3b

Download Submit
C:\Windows\System32\WindowsUpdate.txt

Filesize
18B

MD5
6c821bfde63d9b4473563c6a3cb6e61b

SHA1
3b0ec0c302aa7deae892825de4ced93e4c5b7e55

SHA256
13dca171e02a846b9203e79cbceaf8f7f606ecb3bcdc814ddbe4665186087931

SHA512
cdea2098cffad892642f77b59413844612759d1a65c2d6cf46f0f6c12e1cbcd31ac0d6d542f81671a8329306429d56999c8952f439be4f8d4bc4741c78551ab6

Download Submit
C:\Windows\System32\oobe\AnyDeskCrashHandler.exe

Filesize
59KB

MD5
8eb4565c6c7096c17ac94718b2a3724b

SHA1
1bcec351f712f041e4b23545e9a14c421effcfd3

SHA256
c700dc3bb675fb60dd69d26ed9628616c97b64af7faaeff92f6c65e7f4f2b8fe

SHA512
5ba97ce8b19efa125efb40aae9b1e1c9fb6a7e45b9261bd8327988c8c5474a5e27aace3e0ca77a0767740caeb7bf2060490dc77deba7eee474f6f3a998b1f0a6

Download Submit
C:\Windows\System32\oobe\AnyDeskUpdateService.exe

Filesize
158KB

MD5
95408095927f78deffaeb9cb1f4cd44d

SHA1
5e98f7cc5b8bce4dcefddc0313fe1ccc15ffe08c

SHA256
0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456

SHA512
b415f4c6d87a3a609fb554e4ee0af4f27ac8f954e85daada7d3034134a5a24b71401819d702f45e24aece4183059149c56d0936ac25dd4c5a106dc3fd09d1a81

Download Submit
C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe

Filesize
140KB

MD5
9cebc167ff7c8ae3ccffb718fd7b52d0

SHA1
8f5fa44298e5498d1ca696dc909093e26f4b5661

SHA256
ea5cd105b600e7606de1cbcfe813a7845a3be878b1e85dbc686871356faaac29

SHA512
ced1f79dd967cbbfea8d08768eebd8bd1b319b6ee5726bcf097ae375001dbf86c9a703ce7821468351ccc453c261598c6ac69eb9eb2420e72c3bdd33c3e57c5d

Download Submit
memory/116-298-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/224-34-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp

Filesize
148KB

Download
memory/224-28-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp

Filesize
148KB

Download
memory/416-125-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/928-249-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1248-149-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1392-58-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1392-53-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1396-211-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1452-187-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1596-235-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1600-336-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/1904-32-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp

Filesize
148KB

Download
memory/2204-98-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/2204-101-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/2252-36-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp

Filesize
148KB

Download
memory/2252-24-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp

Filesize
148KB

Download
memory/2336-64-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp

Filesize
148KB

Download
memory/2336-80-0x00007FF7E6050000-0x00007FF7E6075000-memory.dmp

Filesize
148KB

Download
memory/2440-307-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/2760-78-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3108-139-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3208-175-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3508-29-0x00007FF7B8E70000-0x00007FF7B8ECE000-memory.dmp

Filesize
376KB

Download
memory/3508-0-0x00007FF7B8E70000-0x00007FF7B8ECE000-memory.dmp

Filesize
376KB

Download
memory/3508-289-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3636-343-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3736-325-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3772-318-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3816-163-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3816-73-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/3980-259-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/4028-279-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/4080-115-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/4180-280-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-151-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-237-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-75-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-189-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-261-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-213-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-103-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-127-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4180-171-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4552-225-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/4572-272-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/4848-199-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download
memory/4856-26-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4856-20-0x00007FF740850000-0x00007FF7408A4000-memory.dmp

Filesize
336KB

Download
memory/4908-89-0x00007FF6F7940000-0x00007FF6F799E000-memory.dmp

Filesize
376KB

Download