465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e

Resubmissions

20-11-2024 19:44

241120-yft4mssjc1 4

20-11-2024 19:30

241120-x7479a1rev 8

Analysis

max time kernel
477s
max time network
480s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20-11-2024 19:30

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

rustdesk-1.3.2-x86_64.exe
Size

20.8MB
MD5

aa6d18e1405a0be5eff04d419f9c6bbe
SHA1

30ed558a8804b5f826a3ca4a1c2212de58e6030a
SHA256

465e3cc0befa33ef54db3819d224e19cffe684cfe687c76b43352f5bb9c2d87e
SHA512

b4afce979135252b09b363b06461ab943f0f3a35e0f60bcaee49727f133904e8269faa7ddee73026ca28e6412e59bb50d802ebe15415b6bf1e022e177ef22168
SSDEEP

393216:wm5lerU7OybbyfqdBYk+uDJC8PCuNnoUvGtN1PK7Ue+kis+:6rU7jfyCdD+t8PC4oUiJKIe+pB

Score

8^/10

discovery evasion persistence privilege_escalation

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
12520	netsh.exe

Executes dropped EXE 4 IoCs

pid	Process
1532	rustdesk.exe
2324	rustdesk.exe
2232	rustdesk.exe
4108	rustdesk.exe

Loads dropped DLL 56 IoCs

pid	Process
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
1532	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2232	rustdesk.exe
2324	rustdesk.exe
2232	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe
4108	rustdesk.exe

Modifies file permissions 1 TTPs 2 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1468	icacls.exe
2732	icacls.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\RustDesk\log\rustdesk_rCURRENT.log	rustdesk.exe
File opened for modification	C:\Windows\SystemTemp\shared_memory-rs\shmem_D92994365A5EE462	rustdesk.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
5760	taskkill.exe
992	taskkill.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "209"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133766048160403110"	chrome.exe

Modifies registry class 8 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings	OpenWith.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\batch-virus-main.zip:Zone.Identifier	msedge.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1532	rustdesk.exe
2324	rustdesk.exe
2324	rustdesk.exe
4108	rustdesk.exe
6036	chrome.exe
6036	chrome.exe
7676	chrome.exe
7676	chrome.exe
7676	chrome.exe
7676	chrome.exe
3824	msedge.exe
3824	msedge.exe
10584	msedge.exe
10584	msedge.exe
11752	msedge.exe
11752	msedge.exe
12028	identity_helper.exe
12028	identity_helper.exe
13224	msedge.exe
13224	msedge.exe
12080	tskill.exe
12080	tskill.exe
11300	tskill.exe
11300	tskill.exe
12764	tskill.exe
12764	tskill.exe
12744	tskill.exe
12744	tskill.exe
12848	tskill.exe
12848	tskill.exe
12812	tskill.exe
12812	tskill.exe
12872	tskill.exe
12872	tskill.exe
12832	tskill.exe
12832	tskill.exe
12760	tskill.exe
12760	tskill.exe
12828	tskill.exe
12828	tskill.exe
12892	tskill.exe
12892	tskill.exe
12908	tskill.exe
12908	tskill.exe
13000	tskill.exe
13000	tskill.exe
2716	tskill.exe
2716	tskill.exe
10664	tskill.exe
10664	tskill.exe
12704	tskill.exe
12704	tskill.exe
12692	tskill.exe
12692	tskill.exe
6720	tskill.exe
6720	tskill.exe
13196	tskill.exe
13196	tskill.exe
11444	tskill.exe
11444	tskill.exe
11976	tskill.exe
11976	tskill.exe
12128	tskill.exe
12128	tskill.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

pid	Process
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5760	taskkill.exe
Token: SeDebugPrivilege	2324	rustdesk.exe
Token: SeDebugPrivilege	992	taskkill.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe
Token: SeCreatePagefilePrivilege	6036	chrome.exe
Token: SeShutdownPrivilege	6036	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1532	rustdesk.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe

Suspicious use of SendNotifyMessage 36 IoCs

pid	Process
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
6036	chrome.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe
10584	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1532	rustdesk.exe
1532	rustdesk.exe
6784	MiniSearchHost.exe
8804	OpenWith.exe
8856	OpenWith.exe
12788	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 5760	1884	rustdesk-1.3.2-x86_64.exe	79
PID 1884 wrote to memory of 5760	1884	rustdesk-1.3.2-x86_64.exe	79
PID 1884 wrote to memory of 1532	1884	rustdesk-1.3.2-x86_64.exe	82
PID 1884 wrote to memory of 1532	1884	rustdesk-1.3.2-x86_64.exe	82
PID 1532 wrote to memory of 2732	1532	rustdesk.exe	83
PID 1532 wrote to memory of 2732	1532	rustdesk.exe	83
PID 1532 wrote to memory of 1468	1532	rustdesk.exe	84
PID 1532 wrote to memory of 1468	1532	rustdesk.exe	84
PID 1532 wrote to memory of 2324	1532	rustdesk.exe	87
PID 1532 wrote to memory of 2324	1532	rustdesk.exe	87
PID 1532 wrote to memory of 244	1532	rustdesk.exe	88
PID 1532 wrote to memory of 244	1532	rustdesk.exe	88
PID 1532 wrote to memory of 2232	1532	rustdesk.exe	89
PID 1532 wrote to memory of 2232	1532	rustdesk.exe	89
PID 244 wrote to memory of 992	244	cmd.exe	92
PID 244 wrote to memory of 992	244	cmd.exe	92
PID 6036 wrote to memory of 3532	6036	chrome.exe	98
PID 6036 wrote to memory of 3532	6036	chrome.exe	98
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 2172	6036	chrome.exe	99
PID 6036 wrote to memory of 1948	6036	chrome.exe	100
PID 6036 wrote to memory of 1948	6036	chrome.exe	100
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101
PID 6036 wrote to memory of 3632	6036	chrome.exe	101

C:\Users\Admin\AppData\Local\Temp\rustdesk-1.3.2-x86_64.exe
"C:\Users\Admin\AppData\Local\Temp\rustdesk-1.3.2-x86_64.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1884
- C:\Windows\system32\taskkill.exe
  "taskkill" /F /IM RuntimeBroker_rustdesk.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5760
- C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
  "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1532
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:2732
- - C:\Windows\system32\icacls.exe
    "icacls" C:\ProgramData\RustDesk\shared_memory_portable_service /grant *S-1-1-0:(OI)(CI)F /T
    3⤵
    - Modifies file permissions
    PID:1468
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --portable-service
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2324
  - - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
      "C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe" --run-as-system
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      PID:4108
- - C:\Windows\system32\cmd.exe
    "cmd" /c "taskkill /F /IM RuntimeBroker_rustdesk.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:244
  - - C:\Windows\system32\taskkill.exe
      taskkill /F /IM RuntimeBroker_rustdesk.exe
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:992
- - C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe
    "C:\Users\Admin\AppData\Local\rustdesk\.\rustdesk.exe" --check-hwcodec-config
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2232

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:5952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:6036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0x80,0x108,0x7ffc2860cc40,0x7ffc2860cc4c,0x7ffc2860cc58
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1836 /prefetch:2
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2056,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2116 /prefetch:3
  2⤵
  PID:1948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2220 /prefetch:8
  2⤵
  PID:3632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3108 /prefetch:1
  2⤵
  PID:5768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3372 /prefetch:1
  2⤵
  PID:4256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4476,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:5380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4648,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4728 /prefetch:8
  2⤵
  PID:2784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4900,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4288,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1108 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:7676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4320,i,11339297340059964055,2670942277478972583,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4760 /prefetch:1
  2⤵
  PID:436

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3136

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5716

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:6784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\MeasureSkip.vbs"
1⤵
PID:8612

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8804

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:8856

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004BC
1⤵
PID:9116

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:9732

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:10468

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:10608

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:10584
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc212b3cb8,0x7ffc212b3cc8,0x7ffc212b3cd8
  2⤵
  PID:9136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:9620
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2344 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2552 /prefetch:8
  2⤵
  PID:6304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:5888
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:348
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4064 /prefetch:1
  2⤵
  PID:11580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4880 /prefetch:1
  2⤵
  PID:11588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:11752
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2364 /prefetch:1
  2⤵
  PID:11332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5360 /prefetch:1
  2⤵
  PID:11792
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:5936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3992 /prefetch:1
  2⤵
  PID:11772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4012 /prefetch:1
  2⤵
  PID:11800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4028 /prefetch:1
  2⤵
  PID:11380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
  2⤵
  PID:11456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5956 /prefetch:1
  2⤵
  PID:9784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5828 /prefetch:1
  2⤵
  PID:11824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:13212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1856,11996986464488346225,4233107912415194195,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3568 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:13224

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:9256

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:11348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:12260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_batch-virus-main.zip\batch-virus-main\viruses\virus4.bat" "
1⤵
PID:12668
- C:\Windows\system32\reg.exe
  reg delete HKCR/.exe
  2⤵
  PID:12728
- C:\Windows\system32\reg.exe
  reg delete HKCR/.dll
  2⤵
  PID:12736
- C:\Windows\system32\reg.exe
  reg delete HKCR/*
  2⤵
  PID:12748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_batch-virus-main.zip\batch-virus-main\viruses\virus10.bat" "
1⤵
PID:12144
- C:\Windows\system32\net.exe
  net stop ΓÇ£Security CenterΓÇ¥
  2⤵
  PID:12436
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 stop ΓÇ£Security CenterΓÇ¥
    3⤵
    PID:12504
- C:\Windows\system32\netsh.exe
  netsh firewall set opmode mode=disable
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:12520
- C:\Windows\system32\tskill.exe
  tskill /A av*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12080
- C:\Windows\system32\tskill.exe
  tskill /A fire*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:11300
- C:\Windows\system32\tskill.exe
  tskill /A anti*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12764
- C:\Windows\system32\tskill.exe
  tskill /A spy*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12744
- C:\Windows\system32\tskill.exe
  tskill /A bullguard
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12848
- C:\Windows\system32\tskill.exe
  tskill /A PersFw
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12812
- C:\Windows\system32\tskill.exe
  tskill /A KAV*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12872
- C:\Windows\system32\tskill.exe
  tskill /A ZONEALARM
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12832
- C:\Windows\system32\tskill.exe
  tskill /A SAFEWEB
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12760
- C:\Windows\system32\tskill.exe
  tskill /A OUTPOST
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12828
- C:\Windows\system32\tskill.exe
  tskill /A nv*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12892
- C:\Windows\system32\tskill.exe
  tskill /A nav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12908
- C:\Windows\system32\tskill.exe
  tskill /A F-*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:13000
- C:\Windows\system32\tskill.exe
  tskill /A ESAFE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2716
- C:\Windows\system32\tskill.exe
  tskill /A cle
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:10664
- C:\Windows\system32\tskill.exe
  tskill /A BLACKICE
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12704
- C:\Windows\system32\tskill.exe
  tskill /A def*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12692
- C:\Windows\system32\tskill.exe
  tskill /A kav
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6720
- C:\Windows\system32\tskill.exe
  tskill /A kav*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:13196
- C:\Windows\system32\tskill.exe
  tskill /A avg*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:11444
- C:\Windows\system32\tskill.exe
  tskill /A ash*
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:11976
- C:\Windows\system32\tskill.exe
  tskill /A aswupdsv
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:12128
- C:\Windows\system32\tskill.exe
  tskill /A ewid*
  2⤵
  PID:12052
- C:\Windows\system32\tskill.exe
  tskill /A guard*
  2⤵
  PID:8336
- C:\Windows\system32\tskill.exe
  tskill /A guar*
  2⤵
  PID:12516
- C:\Windows\system32\tskill.exe
  tskill /A gcasDt*
  2⤵
  PID:12436
- C:\Windows\system32\tskill.exe
  tskill /A msmp*
  2⤵
  PID:11716
- C:\Windows\system32\tskill.exe
  tskill /A mcafe*
  2⤵
  PID:12520
- C:\Windows\system32\tskill.exe
  tskill /A mghtml
  2⤵
  PID:12688
- C:\Windows\system32\tskill.exe
  tskill /A msiexec
  2⤵
  PID:12780
- C:\Windows\system32\tskill.exe
  tskill /A outpost
  2⤵
  PID:12784
- C:\Windows\system32\tskill.exe
  tskill /A isafe
  2⤵
  PID:12848
- C:\Windows\system32\tskill.exe
  tskill /A zap*
  2⤵
  PID:12812
- C:\Windows\system32\tskill.exe
  tskill /A zauinst
  2⤵
  PID:12736
- C:\Windows\system32\tskill.exe
  tskill /A upd*
  2⤵
  PID:12832
- C:\Windows\system32\tskill.exe
  tskill /A zlclien*
  2⤵
  PID:12760
- C:\Windows\system32\tskill.exe
  tskill /A minilog
  2⤵
  PID:12828
- C:\Windows\system32\tskill.exe
  tskill /A cc*
  2⤵
  PID:12892
- C:\Windows\system32\tskill.exe
  tskill /A norton*
  2⤵
  PID:12728
- C:\Windows\system32\tskill.exe
  tskill /A norton au*
  2⤵
  PID:13004
- C:\Windows\system32\tskill.exe
  tskill /A ccc*
  2⤵
  PID:9636
- C:\Windows\system32\tskill.exe
  tskill /A npfmn*
  2⤵
  PID:12724
- C:\Windows\system32\tskill.exe
  tskill /A loge*
  2⤵
  PID:12708
- C:\Windows\system32\tskill.exe
  tskill /A nisum*
  2⤵
  PID:12676
- C:\Windows\system32\tskill.exe
  tskill /A issvc
  2⤵
  PID:11412
- C:\Windows\system32\tskill.exe
  tskill /A tmp*
  2⤵
  PID:5808
- C:\Windows\system32\tskill.exe
  tskill /A tmn*
  2⤵
  PID:5904
- C:\Windows\system32\tskill.exe
  tskill /A pcc*
  2⤵
  PID:13224
- C:\Windows\system32\tskill.exe
  tskill /A cpd*
  2⤵
  PID:13248
- C:\Windows\system32\tskill.exe
  tskill /A pop*
  2⤵
  PID:9304
- C:\Windows\system32\tskill.exe
  tskill /A pav*
  2⤵
  PID:7616
- C:\Windows\system32\tskill.exe
  tskill /A padmin
  2⤵
  PID:12460
- C:\Windows\system32\tskill.exe
  tskill /A panda*
  2⤵
  PID:11680
- C:\Windows\system32\tskill.exe
  tskill /A avsch*
  2⤵
  PID:12436
- C:\Windows\system32\tskill.exe
  tskill /A sche*
  2⤵
  PID:11716
- C:\Windows\system32\tskill.exe
  tskill /A syman*
  2⤵
  PID:12520
- C:\Windows\system32\tskill.exe
  tskill /A virus*
  2⤵
  PID:12684
- C:\Windows\system32\tskill.exe
  tskill /A realm*
  2⤵
  PID:12764
- C:\Windows\system32\tskill.exe
  tskill /A sweep*
  2⤵
  PID:12860
- C:\Windows\system32\tskill.exe
  tskill /A scan*
  2⤵
  PID:12804
- C:\Windows\system32\tskill.exe
  tskill /A ad-*
  2⤵
  PID:12872
- C:\Windows\system32\tskill.exe
  tskill /A safe*
  2⤵
  PID:12876
- C:\Windows\system32\tskill.exe
  tskill /A avas*
  2⤵
  PID:12808
- C:\Windows\system32\tskill.exe
  tskill /A norm*
  2⤵
  PID:12904
- C:\Windows\system32\tskill.exe
  tskill /A offg*
  2⤵
  PID:12984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Temp1_batch-virus-main.zip\batch-virus-main\viruses\virus12.bat" "
1⤵
PID:12524
- C:\Windows\system32\shutdown.exe
  shutdown -r -f -t 00
  2⤵
  PID:12536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3987055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:12788

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\RustDesk\shared_memory_portable_service

Filesize
23B

MD5
1463478ec02a39183f839b260f3d5443

SHA1
a83098ce884630c820b16187a2425a69926f56b9

SHA256
0391e331a76244300bfc7936a419aafea37939821ac02709086ba214916ffb1f

SHA512
1baa6a8e1639d91f34acc3ad81338183981c7150105d550867aabaa2a6900e1a613d0bd0179a490a28972613c777ef7bcc0cea1a9077bd9fd196e947364da7f6

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.idx

Filesize
64KB

MD5
b5ad5caaaee00cb8cf445427975ae66c

SHA1
dcde6527290a326e048f9c3a85280d3fa71e1e22

SHA256
b6409b9d55ce242ff022f7a2d86ae8eff873daabf3a0506031712b8baa6197b8

SHA512
92f7fbbcbbea769b1af6dd7e75577be3eb8bb4a4a6f8a9288d6da4014e1ea309ee649a7b089be09ba27866e175ab6f6a912413256d7e13eaf60f6f30e492ce7f

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.lock

Filesize
4B

MD5
f49655f856acb8884cc0ace29216f511

SHA1
cb0f1f87ec0455ec349aaa950c600475ac7b7b6b

SHA256
7852fce59c67ddf1d6b8b997eaa1adfac004a9f3a91c37295de9223674011fba

SHA512
599e93d25b174524495ed29653052b3590133096404873318f05fd68f4c9a5c9a3b30574551141fbb73d7329d6be342699a17f3ae84554bab784776dfda2d5f8

Download Submit
C:\Users\Admin\AppData\Local\D3DSCache\cb00da9ba77862e\F4EB2D6C-ED2B-4BDD-AD9D-F913287E6768.val

Filesize
1008B

MD5
d222b77a61527f2c177b0869e7babc24

SHA1
3f23acb984307a4aeba41ebbb70439c97ad1f268

SHA256
80dc3ffa698e4ff2e916f97983b5eae79470203e91cb684c5ccd4ff1a465d747

SHA512
d17d836ea77aeaff4cd01f9c7523345167a4a6bc62528aac74acde12679f48079d75d159e9cea2e614da50e83c2dcd92c374c899ea6c4fe8e5513d9bf06c01ff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6f69fea8-38db-4fb0-8064-f66e72e48a36.tmp

Filesize
9KB

MD5
672cd1a01fd19ec791b6ce3501bbef96

SHA1
6a5d5eb2bef2fd0cf6b51370cd555f907877fa29

SHA256
69ef3518778bb686fa9e45fafb49e54f83af6f3b08e7ba4144688969bbcd85f0

SHA512
97d544d3ffb7a151ecd9eaac6988c0a0b8ee242fd134d0e59bdb917eb22227d54b673a2c458581f7a08eb93cb35cc4c1d0421490bc8797e34e86c53f8c0705b2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4ee9bada6b3e27b8d003abdc8b73b5bf

SHA1
01fad6bcac207dc28e2fc1acf43ebc48d6ac7604

SHA256
99e4bbb408c29f3d6aeac6d37d94c19da403b0c6480f114bd89ca90eee5fdf35

SHA512
6d64dac8b42b107e14f4ae45e2430b3959dee53e731c853824ec0685e3b4fa80d590e4c2c5f02cd575e0b5cf485af2d371ac5c59f94be4671a3c1c4a15063410

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000005

Filesize
215KB

MD5
e579aca9a74ae76669750d8879e16bf3

SHA1
0b8f462b46ec2b2dbaa728bea79d611411bae752

SHA256
6e51c7866705bf0098febfaf05cf4652f96e69ac806c837bfb1199b6e21e6aaf

SHA512
df22f1dff74631bc14433499d1f61609de71e425410067fd08ec193d100b70d98672228906081c309a06bcba03c097ace885240a3ce71e0da4fdb8a022fc9640

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
192B

MD5
1148f1e8d2f609518a5ec7e5a5ba407c

SHA1
79a76a77021f4e18ee22e1158aff1ac39edd77ff

SHA256
f84a82123a1a4aab7c47493f31f2044e8fe229d7359dad936c4a0f41d9cd83b2

SHA512
b56c7b63eeee8e000462060389767bc6d70f13c1f17e2fd52e042ec59d851cb63b362223f61d7943a0fa2d8d83ef9f833dc003e3c35eeb2fd2b3c046e2d2b6e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
c7ad84d4c852fe3722b65b4d18e0077f

SHA1
813b03abbdb3f41f8fa28106d896fe74900b3df4

SHA256
8d8ae1f4de0598881401991e447cc82c9c7457a047b75a36bd846e74d8e5031c

SHA512
4b6b998a6bdd864f0636e755d7cb6c325a23722f3c50c03983a21b3d8e9457c165426a1b1a6f4b11016151f439b507271f0f6553be61fcb7ae6b462c2eedf794

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
27ea216e5468f7dfe81e0470aedb0233

SHA1
a5194a262042211f448755aa4d8d5fb815b56743

SHA256
ae9e46128f9eb9627648ebaa463d6a2be9e3d956772073d24a4e392c0ee31cd9

SHA512
e4901c699f1f86f348095a38e9a79b7a0f4314d8c4c7f7caf1cf1089d07b6bb58e6a29fa6d77fb26aa4615dfd3255948f4dfa3f5ff8e835a2d4eed60a674c502

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
78a7ff7df1ff447c17eca293df17798e

SHA1
89b70ae15cb37ab61ba599631d863219a7b8dfa0

SHA256
9642ca5f1ccd385264f0824ff2292e8608f20ec926f2e13c27ed571095e64cd3

SHA512
89b16666d24c36bcc2e1d8136915b8165b9007587936c1e7261f3918f47ac43df5837424f027608a44dfc8c16212bf368a736bc449c81b6bfa3f76c2d0f906ef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
354B

MD5
588799804ea0fef11216eef4a84db9ed

SHA1
9c5bcf66d259ed8e8e0c41b4e2ea167cda0cc029

SHA256
40eb9a55828da09e2e2ce22bb79a828ffbe335ef4bdcd19d635fdffb14b64356

SHA512
2c9d6924f5fe7218d71d3d6f894a32fc8c51eabdec0e95757804a732776b4c7fafd514c6044c4637f94a5f16ac8aea5d08432d2b089a7ea9eccf729c07aca8e0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ca542f250f5e9ce0588eb81458eefe9f

SHA1
25967b24f260716aa333942cf12694bb48506296

SHA256
9a1fd70b5eeed9e7ee208f90786572c1168707709229657d376b1dd2671f32d5

SHA512
ea9fc7eccd0d99587bc522949b649632bee52e7b477cc98b58bfeee47617fec8b277762d5e43012b22f16ee2110b4c945b59b6a85365728bc3cdc19ff51c46eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e722412ce56ea4a0e5bba6b93ff9659b

SHA1
03b9dcd746ca9705f301e94e72f7933b21bd3344

SHA256
e9ee12838f57b0efca6805301224945294c6f1999793cc245e4b208483db6867

SHA512
8aaa5db26c1152a134dfa96f3b54adbe6dccddbbf5767d796a619911e0f6a58621688f98879399a510c7f73b9a64f51c1988031a46622f7afa4333bbb011d35e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
80ebc0ac5664ba7f75ad602506373e30

SHA1
14028ba4f1c862f717378ac8c0fbbbf57fc0509d

SHA256
156f3614466e4929032b5dee1a478412d8d2194a0faf4e057641981b07e9a699

SHA512
c8260fb160d2158e94f479dcd932871b9bd9ce69c76e79c72e6d4e8f21188871ea46d7d00a4bdb4b362ce00401cb516f14fad99afd92d79e1e19c2f9fc0d5bf6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0c45a8e16f11361d4a72d1e39d1fe3c4

SHA1
8affeb276d604194a8fd3fbc73e15dbdecc6cd0a

SHA256
0a3a9f4d45515433e2d4d5411afde7fd012f4ea703512baa7bc5aa5e117c2245

SHA512
8210f8a1a22eb4b0a50ee8c136a82c68e4d95815a1c936aca837140aabf1de80a9e6b35fc0a9c6b95875aa838cf52b1df8784ed5f2b77540bd6844542c440186

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
26d81900963b7ad3c71ced9827773323

SHA1
dc457391ed71d8d0f70174c7d9c1fb4c5a5cc047

SHA256
70bf2bbcf3908a2bb21e82f8bde1c96b9de17b304d354c15987d20648360339d

SHA512
21ab02df440641fcd5f671f63f07907f426a7f8b8afdf44497a1964506dbb2824ad8189d31333f603337b9e27f002e04b86d8c0e68c908332dd997eea80a414c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
94621fc103d74152dbcd01bf4901abb2

SHA1
73abcd4e1884e86b0fd273de72e397879e091e6f

SHA256
c13a2883939603cac9f2febe5d5ceb90a150c4ece1bbf53a80b5379a3bb9e0d7

SHA512
1d06a26d54f95a97a9c34a1c7791b0d76d85e9a1a4c4aacf88454bdb595892faa50e2c953a870b78fea84e515d987315ebc2f945d1c1e4a203ef069de77d97f4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8eaba75cf836e164609dbccd118eb29c

SHA1
0cf6ac88a0f994c6c06090233fb5dc428394c375

SHA256
e6b7bed79cd06b206ee572c7bdaee769dec91be582e67af7cc520238701bd2d0

SHA512
eef169ef9fac1213ea7f58d12ac9df7268a10e09986a9e25af24624fceea52198b9e95b43cc6abb09cd62421f92c9bff0d333258054606a09de0faa07a15b7be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9c5572ae6c813c7d429d57c3a7ef7eb3

SHA1
cc057ba284f427a8686d39d9912e60bcd7418b91

SHA256
b2f56a33bfabb927226899106c2fa138a4249a0cb1b4007ab9b35d8d04c6b8db

SHA512
6b24459bfc54831aff50c965e66d1075fd4735b9530d06af1a4f1aaae2ab0497f4763e745f826d252760163af1d3e90bb29241b37766fb02c89ea8fc051bd2da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
953735838c3f0a393fd70ab4c614b303

SHA1
2d2d6119757a84d943899d7b279b5821de914160

SHA256
7171263942b4cc96a42e7bb05b0b265daf256a25d2ce9d594748f3642d8c1c88

SHA512
3c925d13f6861d6b5f4d619bebea4e3be22e36e12e248fd73a4e88b2fe502e025962b91c90496d682c63cedf2d005baac11dc3f6ae01be0817f0a8b5680de4bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6c06a3e6acf01cff594f72841b408de7

SHA1
05ab5ad440b4a2a46d3bdc6599c5058b5f88f06e

SHA256
53a231c9365ceb266274e71f54d68dfde2c95b1c91f935246dbe919c6d337f84

SHA512
cba70acb3ed65b3ae49032430ca55cc86d9cb2a06e3c4107ba58138f56f15a8ec40f1a8e1060daf1e34e6dc31ccbcdb0e915eb58278428ce830873b30ad7141f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
24720a979b7ee48ecdc340e01012a6cf

SHA1
f3144273485263f52836d79cdcb2bffec088f4b5

SHA256
3fdd55eedef532080cf8c398eaa997492d6885b3f799192ee95f4a7d95285ab8

SHA512
dd3ac3a3182a9f0726ae30f035352aab3e487515a83250dd829d205f93d4a3d8403b214e59d873a61b36885b9525ce739a4fad6d0b79e822769cabd102e4da50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bddbae34940f7278486566782953f663

SHA1
99cb15edda4f844cfdcc4ad14fc7053330452fff

SHA256
bcdf83169c9e015a0d585fb9c6fdb0ba9cc11f2769252cc7032d0a8cd14eb86e

SHA512
6e4b55b85316bb863c3bc5470b74ccfa1dbaf2e343552c2f5d3e2fc0bbe6ea1b2071c12902f1091585ff55939f3edcdf0af4ee7b68e898c0ebd6d396b3d1dc65

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d3bbb69787c8fecb84b6f1a9aa76625a

SHA1
0486b532417cf0c0a8998a305be2ff47fbdb3b48

SHA256
ffa404cf09b375a351412641dce5e36fdee0afc04a6c31e4729a04c41f8104cc

SHA512
29b41288adeee6f697c67717f23c639fd1c18e0456f83edd87846d7174a37108e845c214ae684b9cda203dfc94520707ab7d9b5316c4960779f517c1f0930798

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f492d09def9f9451f2a13205613a5f19

SHA1
13a0d4250c59bb9e830f554f259078ef0c6be438

SHA256
27b8febc455c0f6433c5f3b35a2f08d9f34523f599b4fd16aa5d7c77e72014e1

SHA512
1fd567619057e4d10dd836b3f7593f3073141f8fa1775fc5ff22ddb82b887d444d85d290f52d4425dbfa6e4ddd2585133a9c01ff7164e28fd1ec354a47167ea2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
6d076cd547ab5e18619f120f76d16a1f

SHA1
22a0b331b12b725f0a8134217619b5fedbf16e4d

SHA256
924ac134b8e9dccb4a5a9305449c1e5159139bfd165a7ae1d0c3f8244d861e3f

SHA512
3daddfa23aebb350a530affbf22f73a5ddde40ebcdf019b8637ef55757002dbdbfcddcf283d3348b14bf02251a29208ad1215f1556323d9905dac74a307b7477

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1892d53562ae81871342c969858f866b

SHA1
9fc23ed4c0987bc00257594699613139c5e646aa

SHA256
4a3aeb746b821b9d09ab28db2624a8045c81d648c9584abe42f4fa5dc8f9db4b

SHA512
dcb29a551b6308eafb7cacfa8a3aa3e49f3ec35c59de0d8c7fbeb4dd9649afca5633c8d8419f3350bcdcbbfc9f3025f74759727f2ffdd4ff655f11de32f3896f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fe4ecb8481143f414b0197c4b8ac2fdc

SHA1
e6834899c2a40e0449eb8bff01fa8b42d887a9a7

SHA256
083fc5950fa0295265410b5848095ff7c9dfe113891bc0bae346241c4d4d0ba2

SHA512
0f883af4338b2edd48713541442d9cbbff67be7d671cb7e22a2084a7e4588b1d4922ff8fa560c19fca8142c93ab7e940e71a809398982dfe5ae5872e076f8774

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0dc0440268454400b4ee7a214214af4d

SHA1
68c4fe45cb4f37cfce386ffcca939b5abe91f8b4

SHA256
478dee474bdd946033e8e23ccb10bc06404262a257fc722f128ac1b7baff4362

SHA512
6ece69a720a0d8e4313325f0e8ec38a35ef9d9d6e2d43000c5e44cf1be2da632647c1ed02046b9dba0e8ffa9fa1f5bab2804ebfafbe840b22fadcb44d6b3001a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3e449b1a2f3e1dfcdb9103bd9021e2c0

SHA1
5b64ea14a9b79db01b07cbc0d927a3b920d440f8

SHA256
1b82c93c9f728010eceb33d95c84ceab2c68506d42a2841eb05b28216119cfb4

SHA512
e473f89ba5f3a817b801f16c8036d9d2b731e7c96f0af1355c790e86f6451883892cf76d57a0bcaf023e5a933e7c86b427475e1ee1c1b5054883e37ae30bbc27

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
119d388c1879de8fda70177ec015f60f

SHA1
429348a9ffbff321265d625255f685034fe09db1

SHA256
8e7f948915544309423fdb8a969f2e9c76ff993db0a76d14c78929eff551286d

SHA512
fcd6c53dcec71872ab12456645629bfef02a42d5b54636d1ac8637d2f09bd28af8dfb08d4d51493612e284f9205321cd733641702eefd17ab073f3c4c3fbd0b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
25f9818614b1f441d998e431fa1f2a41

SHA1
5372475dc38241910273d16fe1fc59e3dc133e9a

SHA256
4d0f54bbe35f5470e1fd2cc115c70f7968d28b8c049d3edc97f0399b63eb6a47

SHA512
03f8d5b2fece04f46e5a85da4923a8222e2d6ee0f00688a183a3f1c1f1cfb35b273fb80940be4c8e5a3a81d3c091892a3106af475f64ffb1797a52e915bce5c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8909df3f7b35e8402f835a3d09fa9756

SHA1
7669c09e40c81bf7d7f7d6f3fd89964a4adbc1db

SHA256
fcc2a0ad074ff5c46643351b596be22302cfda176d3eb91d3eaf243b9c21a1ce

SHA512
207bc111e45cd1d47714a456857a1d0b80d42e9a7d0c702536ddd19c0514eea769cb1cd6d2f43b5e78ace63b813823918e26212b47d05b62158ad0fa33e2608f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
883b2b8f55e236299d0781960375a400

SHA1
231d19dcfcfa45cdd99342fd5fea75cdc6a785a5

SHA256
43124c6a0b7ed38d3df83aefddf14a3f5033a632fd9992ed33bae206fa133acf

SHA512
1a6e583a212e2bd856f53e380412fb42948044f7020096aee4b74e320d9265828cc49ba2addd37ba908de7254eaacb53767c4d33a29d99a80aeda4ad285b5e98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da6ddeac0c3d4b92fa225e0644435d89

SHA1
85080bd8601ce98719f51c829ba9e16da88613ba

SHA256
32a24160364b5bb7eac80cd7e095b8fdbfac2f2f87b0a771f28e110060d1f46c

SHA512
c3750edc46546409de412d3869407eded91afdf43e88d185f64845a26edfcf6bc4d2b7ff57b7e19ebb48ef074fb963077275e80c5a82f42b9a894ed4819a0513

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
322f94c52cec36ad08090ca29f8d9021

SHA1
7cf3e2eefd18a94ccaa4ce48af1c03b9ddde8aa7

SHA256
3aa8ad0e84e282c0d55a777f0269c1d4e45cdcd758a301db24bf71fe2d17281a

SHA512
39d4a154f7ad47355108b27a4d1acc2d332f1649f86dc1b588346cdd5d0da257747a5266692a4013705e7bfd92362f8eaabe96ffaec8a6ae2d9fe09c26d57414

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
6882c9fa2de267febf71708d234b94db

SHA1
b9320d39ecafdf903ffc50e15c08ec4890a2b55d

SHA256
3e9f633aa38a76c4fbdaac97c1d25af5746066d23b2b52ed3b1309755d2ae465

SHA512
e97c21acd58c4406ee94e9225ee66260d58a3018ad18ebebede67b877c87a94087eceec223d5e310776c2d8ce251d5c7b213627e9e6baa951e3a2fe707847189

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
412e7bf4a16113f6759cd507a1d50e18

SHA1
50680cc297b4e77f110cc76373a37c59beafa1a8

SHA256
e5fe30020cea322edcc95e016df6c94337766c841adc11eac3e7d213285c7ebf

SHA512
421c79dc46df6d1872f26b4cfb947f917734d3d8754febd1ed1c0bb28ba198aa091843046fa84f0997fedc44d7dfc0d52bd198247a7d7f7b4f929d506db106db

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
501c193321173bc880b4d11c0dd55957

SHA1
c00f2d6358cfd692dd7839a62eed908d82771bb5

SHA256
1bd005fc46a4e6c18c598ec1aeab55c18ee90ff21612e780795d314c051bcd73

SHA512
a174dbbe89c4aa854d0f2378079730c199b731d324879d932bba43cd83d21bd6c356da17d9353fc64e6a85d289fa901eeb6f5349f37fabcd17f3f98566794b82

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
711c2367b0117f75e1117dabace595cb

SHA1
9f936b6e049f516715488bd7245efcc1ef2f0f8f

SHA256
88bc73da1b268abd7a34d0d01410bce64766023725e9e118572840466d3cf32d

SHA512
8d280f1c60b80ac50e0a5997998db8989f8fcab58bb524ff8979b6f91646a312236396e0e5dda40f663ac2476f5bb0122b0075eafb6fc27f4568a1dc965d77f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
1fc959921446fa3ab5813f75ca4d0235

SHA1
0aeef3ba7ba2aa1f725fca09432d384b06995e2a

SHA256
1b1e89d3b2f3da84cc8494d07cf0babc472c426ccb1c4ae13398243360c9d02c

SHA512
899d1e1b0feece25ac97527daddcaaeb069cb428532477849eba43a627502c590261f2c26fef31e4e20efd3d7eb0815336a784c4d2888e05afcf5477af872b06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e9a2c784e6d797d91d4b8612e14d51bd

SHA1
25e2b07c396ee82e4404af09424f747fc05f04c2

SHA256
18ddbb93c981d8006071f9d26924ce3357cad212cbb65f48812d4a474c197ce6

SHA512
fc35688ae3cd448ed6b2069d39ce1219612c54f5bb0dd7b707c9e6f39450fe9fb1338cf5bd0b82a45207fac2fbab1e0eae77e5c9e6488371390eab45f76a5df1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
51899daced41727a8c9c0f8c66b185d0

SHA1
69881c31d7363fb2ae970d02d9b667439c937562

SHA256
43f39cbbb54842f9138ca49320b9d1d3e3215e2480c26849a8389d4f8987e0c7

SHA512
4d0f8f0555a04d8b8fdd27b0fe5a61aac69efc856d6822fb9fa1e0718673f3a5ead856afbfa9a122ae4a31cf6ede2fd0af4b725c11b044651d67ad0721ce36b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a967768b9086df554512d0a934284f0d

SHA1
54bedbf34617f2a6f5937d66d43dc2fe728b3fd0

SHA256
18fdf096a92b782fd554dc103408e7f7bc71899b5e67b75bacef45035ce789fc

SHA512
bef78c7fe0f01f968c3b7701fa12c457bcdc616cfb508c26da51a99bdc1db953729c35b07c3492e394dacde7a1e0ef67e96cce8bb9626047c75671bc8bbcbaae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
ff31a6fa5888c09b2f21bc3efdcea401

SHA1
2f4c9132001e5d315470c52cecbc5e0ea6d12f1d

SHA256
b74b8c3e6c52b3493e6902ef02ec9cc543f70600ef5fbea225315c545f637c3b

SHA512
af343bbf20298c33228c3fa0d5a5c860070868592dfdc934f589598a595691e59816e64c5b74674f5c1969fc741a55de85c3aad36edd46654e0b32787e586ffd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6ab391c7c79b4d9f8fdc596cc4e5a533

SHA1
1a9b98c588f390c7b96802a43f7e05670ef17cea

SHA256
b3dd1dc3f971f1bf0774420f5a866b55338701b2e6af8f542654cdae9640558f

SHA512
3fd648572857ff6d7ca5497e2ba10c1d3b9a89b34e097a1d9bdb6ef5add14cda3e53a747f49d9fcd967d836c363b364f05a33c70a7d00eff60840ccfeea4bd4e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
489fc0d49e6df314b951d63cbc940346

SHA1
d187b56b7128af0359623a4324572204ea1f6a94

SHA256
486d521ab0c4a4889c69ca8b90102529956bd9858cb00512574541896badb305

SHA512
0a9c11435d0b95aa37c3154795cb26d559e87f0850722cfc899f9579f6d2d0a9f84a87b5328153f4506d16395a57e32b691f35f30f58eeecc780acd3946021b2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2c56ee7c7a39d5f8be801af025624a61

SHA1
5ea00d82f92e6e8e33a0a8cf4c5180a273fb7c06

SHA256
a0c6b3e3bc05c7467994c3231a1caf296422bb768b779deb5fabef60231c07e4

SHA512
694759638aaa5f127b9d46b8326b91eaa583a85c8fb658565c45a202c845fc5e24dcd972f42fac2b7c1ac1d840410fe5e05fcf40e3220e484720a2e13aa87d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5e7afa.TMP

Filesize
873B

MD5
14434083ea914c744d5819ac724230d0

SHA1
02a73e30c2fdcc7e9c40aaf8edafcf7c8dbce310

SHA256
0218af002aff15afeb2f9328649c075a1ef0349d40bbc03651dd47d59f715a33

SHA512
923a69120aef60eba93bd14b84bbfa130da0fe54ffae357b2862df9eb076605dbe5f57586b0475062391997d74bac8dbfd4cd38f5f8393b3ec0ab0ecaee5fb52

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
870d593074f299147c8ce7b25202843a

SHA1
2d7e32384dbc6d95a59d0d1ca441d78b94107d38

SHA256
7fc2bac551d24f7edf20075e455386ce9e023c2e3a9c5d3a678db42443d95760

SHA512
bc57e6506d720f25a33d0db6325619a46bd6d77ebe1cac9fd4517dbf1092a228be4023f0337ad005909a7e115f0390e8a60a3ca2d70cd548cf5a4b90d26e69b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
4176f603378b5c350c6e0411a4ba772d

SHA1
d8484bea32adc26295ac62cf47e75c368958d953

SHA256
106af61c33b7f6a42f69a2b1f098a30971b9910ff5c9614280527a2108c1a9f7

SHA512
260b5d7a9da8189e9a1cde8b1cfd86154661214c25f3fae6ed51c0f2c490ab9381a771fd549c6d2aac014e92f2a243b1bf3773828b5b48fc6086f14bb9e0d948

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\22e61013-f0f2-44d0-9d9a-91136f30ce2c.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
711f1a880c08e1f7867f1bdd117320b7

SHA1
50c2d0859f6fd41024d486e2ab537507b975991d

SHA256
f868e98aa21c341e365d73e301d87c006b557033d8d7b2808fed207734fe5143

SHA512
885c2abd9047727b33ea760836cbbe4eaf5fddc08375a8b37840c99332131f0f7164f87c0abeb4523f42262349ab12a1c22c12813a9d81d6955c7d20b41a9a0a

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\app.so

Filesize
11.9MB

MD5
3ecd84e1c815a7b461ffc7208ac770b0

SHA1
20af519336534d91227550715d0cd28aee1f69e2

SHA256
74e669dd1a940da6db4fe181ebad1d918b331f37e7fb816bfbf83e0eaf85377b

SHA512
52003addf2ab7ce813d1d1c643608863c708dcf5357ede63154c8b2c0164983f7e54f7853aff709105bcc80ae52fc88c54a9efc7608ddcf2d34d525acbfacbce

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\flutter_assets\AssetManifest.bin

Filesize
3KB

MD5
6fa7b692a74c654acc6e2e11f3687ea0

SHA1
34e2fa2ab4d840f41fdf69027b310f8109a30831

SHA256
36599451f8e358a4e0a3cc5fca7268eef6012e3a70a2053984c0297caa09147a

SHA512
fce46f1c6785e6a3acbf6377a7b31b30b64a4c228ff368a14bfad1cdc0588eedd0498e455dc7355dc847ed13f44b46865f39e31276c307d91e9e38464970932c

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\flutter_assets\FontManifest.json

Filesize
356B

MD5
5704c1a50bf74d4e06f17e815ce65203

SHA1
f407c6be26686bba88379d8dc5d52808c0d63da2

SHA256
d0f57ce835a269796759bf62197ea2c44cb5335dfd2ea8724b8ac19cd8fb22ea

SHA512
999a98f29b2add11da63e4b5d3c45438eba2078c7749596a025d55eb977b639bc3537ea00f232c90fb5f612c6e3a9f535bf045c020bce524478deffe17492298

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\flutter_assets\assets\address_book.ttf

Filesize
1KB

MD5
612eb0515c3bca0ea7e661cb74c14fcc

SHA1
bfb43b086c2c06933495bdb5f9e6792c6338573c

SHA256
c725b18176aa78151e013222a9fc9c439a9a9106d6c061e8f617162a80a8b4f7

SHA512
e5d3fdf6c9221e4f2203fe542e76a6be80d6d0033994adc12e0a5a843d55c98e923b0142c8e0fb00d83200920bdb5699922d74c2979862a9d686ecb1697e9195

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\flutter_assets\assets\checkbox-outline.svg

Filesize
856B

MD5
f0d7b636853657cc21df676e2f473e1f

SHA1
637a00346c25c5609b5b9c73519bb47f5600cdeb

SHA256
b8520bb0397257021199d933bee9e047cf35347fa56fe615cdfba201294f87c0

SHA512
3f0faec87dddd735ef3b4843ecd53e89b557be2ed2ec0407a6b900db623a9547e883239f048d5cc4a43473124efec34d10109a064937b564278a23ee8595f5e2

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\flutter_assets\assets\icon.svg

Filesize
1KB

MD5
9673d0a1dd44d81bc31c76a56857d787

SHA1
3803cf698b3285260cdb2289e680739e5002f55b

SHA256
4d6ecc2b45571382576049095435f41576c02e895b8766ef3f300623c35b3488

SHA512
fb49bc912f408a0ae38da6301ccca9352613b54060f260c0ee80480f7c926e96d4716d86fae6197e98d3aa71294e98beac25ccb4f3d117bc65ddfbb7ba480390

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\flutter_assets\assets\tabbar.ttf

Filesize
2KB

MD5
593f286bbe900c64016ed23dc8ba91d6

SHA1
b16152371316906967105660a976f5a57207a082

SHA256
a17ca0a8f7d5aa5ea3f6380f3a282b98b3d66135bb0cee5d431082f560030db8

SHA512
babb596ac057075b4c034e0d92e8a23b9bddbc585a42d7fe6178d781f40c0b2e057e98cdf4e3427ccd7868effa8a49230cd18273842330d9eb4387b1b1ac9471

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\flutter_assets\fonts\MaterialIcons-Regular.otf

Filesize
1.6MB

MD5
e7069dfd19b331be16bed984668fe080

SHA1
fc25284ee3d0aaa75ec5fc8e4fd96926157ed8c4

SHA256
d9865b671a09d683d13a863089d8825e0f61a37696ce5d7d448bc8023aa62453

SHA512
27d9662a22c3e9fe66c261c45bf309e81be7a738ae5dc5b07ad90d207d9901785f3f11dc227c75ca683186b4553b0aa5a621f541c039475b0f032b7688aaa484

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\data\icudtl.dat

Filesize
798KB

MD5
da48e432fe61f451154f0715b2a7b174

SHA1
51b6add0bbc4e0b5200b01deca5d009f1daf9f39

SHA256
65ea729083128dfce1c00726ba932b91aaaf5e48736b5644dd37478e5f2875ac

SHA512
5af9c1e43b52536272a575ca400a9eee830a8fcecb83bb1a490515851bef48957d8de669b9f77b8614eb586838af23385e1afce622edb82a90ec7549f882d381

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_drop_plugin.dll

Filesize
316KB

MD5
823b73a4d1b2dc374eaa70a6fbcb6b5b

SHA1
46ba958bbf2129ae75555642de07f47384af8f57

SHA256
f7dd9527704edf5cc41863546caadfe67f48a1c3a1bc103229542b36d8ed9baf

SHA512
4447e441903291eb2270a3ffeb3ebe359ed39bfa579127c1b2354aad38a4a9c7d103105048f89d58dc7e9fdd618d58a4873d2beba956da3844b3628473d8fcab

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\desktop_multi_window_plugin.dll

Filesize
393KB

MD5
70d34eb15657fbc5b9af1ce0b1a9ce34

SHA1
0b28f09ffc644f8173f8fac3820b192c4f886953

SHA256
7fac09857289df417a416f48a520b422707e952f2a8dfffe7c28e5f47a755943

SHA512
69f24aec9ef3c53662b514d2ef34a929935bb772c5c375d4f28d0cc8720204b4432a5da0ff4a1bcbc8cf7bf85d749436a53e53e838496da9e5d8927e225c28f4

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\file_selector_windows_plugin.dll

Filesize
340KB

MD5
7792cd260f3c49f200b9200b83385927

SHA1
c5c7181c7d7e7d007b057265affb62e04189fb76

SHA256
c310576a1a07a9a3ce776fff810c339abf6eae2341440dda3b7a962c12277f5c

SHA512
8f13c09de50fe4987316608e10a7df590ff5267b1874cd01be96539800b2a9967375796e2eb0feba4df89d2dce0024fbbcd444bf5d1b6c9af111841f310c2726

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_custom_cursor_plugin.dll

Filesize
308KB

MD5
b52d55f66bddf10e86133d17885abbfa

SHA1
a724c9dc91c0d9958dfdf4aaf9f79df1e6d87fcc

SHA256
eea74443e302f5f5388f3404eb9544fe8f94d3a503b10a9013954498069e2f76

SHA512
69e4ff68522f2e1c70a1b321054321fe3b8c67ced696fd10cfb569483c408a6a687a75aea7534e55dffd3f84edce70f970617ce892e920e3ce17b2abdd2715a6

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_gpu_texture_renderer_plugin.dll

Filesize
339KB

MD5
99b57e645a7d163a82e3f359b934482f

SHA1
8972d54a4917f74669ceb23d48811c1f2d8a34e3

SHA256
04c941bafc0c9cc8fdb56bebca1744fb0b6b4bcdced905a73cdfd08cbb8d0454

SHA512
62212ad2a9e4d170217bea54ac549a7637f1915d495b6fbdced33cefe0e09c5faf0b976db6a90ce5958b31061be67facda7170d87036159de10d0f53938931c7

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\flutter_windows.dll

Filesize
17.2MB

MD5
92cc98c72a6a442c7ff966de4b8dd633

SHA1
188dfc6a8f252001eb4bed20ce5287ba2cb46516

SHA256
0ccd6003144ca76034a6fe92c4be58039c41f642ee0916cbcdd62fea916808c6

SHA512
d9f8aeb3e37a3d082ea11fdb89d739085691ea88f92cd1c1d42df50e21f1e32dade15f926a691d3227f9b7f27491db90c9aab2ec735fc52014033bb698584e0b

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\librustdesk.dll

Filesize
28.9MB

MD5
c9b60ed38bd118796f3b4da969d8849d

SHA1
663ee477b702b8c97203a9a9512d0e384f9ecb6f

SHA256
a100e96ff8a1921f6ddf8ec54b64de97f2912e56622447fb07022852a1033764

SHA512
49a2afd92df83321799ed52be693ad13f0b0c3ef925a2ad6aa749b8d55259f7bb933df3844f548e8a272f82ba61bb7abe23806ca5573d68373cf4eb2805493bd

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\rustdesk.exe

Filesize
260KB

MD5
646cdff6f58e5c48314e91f9a4b2db53

SHA1
62c7b1b0eba88b8405b6739be872df68ca151318

SHA256
2700477d573a8a81083046b41ff9dd8017b572d540b6d8b35e32eecfcf888598

SHA512
08458de2dd36167a2ad0fd300db6d42b5a5abb361eaece126cae379f271293ff34b53b35f5bb282a42a25b0d3c379a37da59d4657b65d869bffd3561eca8a0cc

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\screen_retriever_plugin.dll

Filesize
535KB

MD5
7c6efc7fedaa888870280fcbd186f5f7

SHA1
49e246c262ba22cb0dde32d0c100c12f938f0067

SHA256
0b32c3c19706075389cd8a947c3202e7e24a74d99ef22bd8e5ca4bde2b1f762c

SHA512
a66535296c7d265e9500d60350cd86178383e1e3ba5c897006aba8af85ddda86b94f3bcf8194ac1e89c2f7d5759d8d6dddedf77c86bad78056250f0c729c13cc

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\texture_rgba_renderer_plugin.dll

Filesize
318KB

MD5
54f8ade603e173d003decea3a4fc1270

SHA1
f11fe7cffb672b50b1bdb3e8ea38d6471ea853ad

SHA256
7de3f7ab8bd9765caf3c7754a71b764a0341fa473f9482bbca38de832f69ef51

SHA512
34adea046b8e10d0d72b4547ea3ac2b9bb52de165e2d8241f15bf632980bc153b649ff899bf70c60aea9d02297a6633ccd0e48a6832e327ade3138391f5689f0

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\uni_links_desktop_plugin.dll

Filesize
533KB

MD5
56c2429c80dea2ab759ace2f39b7aeca

SHA1
d8b2f633eb68d139fe405c79b388616d0da8a37c

SHA256
47d84cafaf36e6aacd7b01065bcc8808d1d05f180721de0d4c46b0ee59d46753

SHA512
af837956569e0101320c63c4c1ba9281063ef039703156ed271c788c2e1e01e546acf83e6146fdc16e40ffbebd26bcaff7eaea13aa2be7204ce16d5260aed7ef

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\url_launcher_windows_plugin.dll

Filesize
318KB

MD5
af8874d6d64c607e75d027fe09e286b3

SHA1
01c035c24c8f0721a7afbf620c6175387c17ed4b

SHA256
fa76b4d152b9a37437cc0d019cfce9db2c3ab103c432f65bf2b53283047d6ff7

SHA512
54fc8cce957ce2620379851f5b05d20f77e15b239473c5eb6435a1f556ac3377bb43e948af7df511a152c5e373858da36f2b3f5669dfcac30bad4c386a1bcea2

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_manager_plugin.dll

Filesize
578KB

MD5
200ec72ab28f84dacee8418d0b0641b1

SHA1
c1bb5ff7fac373025cb5636f1f8a855ce6121409

SHA256
8a6f4483bdffcd966d1c5b2d99eeb7e74c09e9620691546cbb9e1d2a61ca05a3

SHA512
7cd1d11453ec02e4e23b4733a2cbe595d10679c93b8033d6d4455945bd193b95d15e18bdb4f547ee196b86108ca8023de42f52bd3a7ccdea547af55deb18d3e2

Download Submit
C:\Users\Admin\AppData\Local\rustdesk\window_size_plugin.dll

Filesize
529KB

MD5
27fe268cdd6d80a3e900df14ef7a9bfc

SHA1
8a905b73aaad226bb5547bcf6513b47ad623b673

SHA256
97d235e714a415ca9a584434bf07d09efc698d467ab4a9d62dc4a9bc886f7fc5

SHA512
bcf84a19d2f6d6990ce9e1af71966419aaa4bec81cba3035dbff69df096334c4eeda08af0f64980e21c7e693c4b6ed11b79cfed9ac50c25cf8c173f59810b21f

Download Submit
C:\Users\Admin\Downloads\batch-virus-main.zip

Filesize
28KB

MD5
cbafef9e4869db15b79329bb4f46b66f

SHA1
8b55fcfd3c965d59f06ad878f6d60def26c12ca4

SHA256
77edd09c8ef0321fd7c39036c6220d3e5e152e3bdb2a2954a06f6943b31a3939

SHA512
72f815ba527cc088fe2116f88173cd6aadffd39fd7e115ab26ca2e0ceea3d1aeca389f38850fd50b5198cf19bd665197bf2b674c08dc04f5a28c40b07058fbb3

Download Submit
memory/1532-140-0x000002336F5E0000-0x00000233701CD000-memory.dmp

Filesize
11.9MB

Download
memory/1532-139-0x000002336D230000-0x000002336D231000-memory.dmp

Filesize
4KB

Download
memory/1532-143-0x000002336D240000-0x000002336D241000-memory.dmp

Filesize
4KB

Download
memory/1532-142-0x000002336F5E0000-0x00000233701CD000-memory.dmp

Filesize
11.9MB

Download
memory/1532-141-0x000002336F5E0000-0x00000233701CD000-memory.dmp

Filesize
11.9MB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads