fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca

Analysis

max time kernel
195s
max time network
196s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 18:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.3MB
MD5

0a269c555e15783351e02629502bf141
SHA1

8fefa361e9b5bce4af0090093f51bcd02892b25d
SHA256

fff4b96876b0c78da96e57cf7ca1b0e0cbee4fde52047a9bde52e25b062d69ca
SHA512

b1784109f01d004f2f618e91695fc4ab9e64989cdedc39941cb1a4e7fed9032e096190269f3baefa590cc98552af5824d0f447a03213e4ae07cf55214758725a
SSDEEP

98304:Uc9HTcGO0ImBimas54Ub5ixTStxZi/l9K0+zLVasSe4JnzMpm+Gq:UcpYGO0IOqs57bUwxG9CVaskJIYE

Score

7^/10

credential_access discovery spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Windows Credential Manager 1 TTPs
Suspicious access to Credentials History.
credential_access stealer

Windows Credential Manager
T1555.004

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db	AnyDesk.exe
File opened for modification	C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
756	AnyDesk.exe
2232	AnyDesk.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	SearchApp.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	SearchApp.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Software\Microsoft\Internet Explorer\GPU	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Internet Explorer\GPU	SearchApp.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1031-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\ja-JP\\VoiceActivation_HW_ja-JP.dat"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search\Total = "0"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "German Phone Converter"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft David"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Locale Handler"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{C6FABB24-E332-46FB-BC91-FF331B2D51F0}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Discrete;Continuous"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\lsr3082.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Ichiro - Japanese (Japan)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "309C 309C 30A1 30A1 30A2 30A2 30A3 30A3 30A4 30A4 30A5 30A5 30A6 30A6 30A7 30A7 30A8 30A8 30A9 30A9 30AA 30AA 30AB 30AB 30AC 30AC 30AD 30AD 30AE 30AE 30AF 30AF 30B0 30B0 30B1 30B1 30B2 30B2 30B3 30B3 30B4 30B4 30B5 30B5 30B6 30B6 30B7 30B7 30B8 30B8 30B9 30B9 30BA 30BA 30BB 30BB 30BC 30BC 30BD 30BD 30BE 30BE 30BF 30BF 30C0 30C0 30C1 30C1 30C2 30C2 30C3 30C3 30C4 30C4 30C5 30C5 30C6 30C6 30C7 30C7 30C8 30C8 30C9 30C9 30CA 30CA 30CB 30CB 30CC 30CC 30CD 30CD 30CE 30CE 30CF 30CF 30D0 30D0 30D1 30D1 30D2 30D2 30D3 30D3 30D4 30D4 30D5 30D5 30D6 30D6 30D7 30D7 30D8 30D8 30D9 30D9 30DA 30DA 30DB 30DB 30DC 30DC 30DD 30DD 30DE 30DE 30DF 30DF 30E0 30E0 30E1 30E1 30E2 30E2 30E3 30E3 30E4 30E4 30E5 30E5 30E6 30E6 30E7 30E7 30E8 30E8 30E9 30E9 30EA 30EA 30EB 30EB 30EC 30EC 30ED 30ED 30EE 30EE 30EF 30EF 30F0 30F0 30F1 30F1 30F2 30F2 30F3 30F3 30F4 30F4 30F5 30F5 30F6 30F6 30F7 30F7 30F8 30F8 30F9 30F9 30FA 30FA 30FB 30FB 30FC 30FC 30FD 30FD 30FE 30FE 0021 0021 0027 0027 002B 002B 002E 002E 003F 003F 005F 005F 007C 007C"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "002D 002D 0021 0021 0026 0026 002C 002C 002E 002E 003F 003F 005F 005F 002B 002B 002A 002A 02C9 02C9 02CA 02CA 02C7 02C7 02CB 02CB 02D9 02D9 3000 3000 3105 3105 3106 3106 3107 3107 3108 3108 3109 3109 310A 310A 310B 310B 310C 310C 310D 310D 310E 310E 310F 310F 3110 3110 3111 3111 3112 3112 3113 3113 3114 3114 3115 3115 3116 3116 3117 3117 3118 3118 3119 3119 3127 3127 3128 3128 3129 3129 311A 311A 311B 311B 311C 311C 311D 311D 311E 311E 311F 311F 3120 3120 3121 3121 3122 3122 3123 3123 3124 3124 3125 3125 3126 3126"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\lsr1031.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR en-US Lts Lexicon"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\VoiceActivation_en-US.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Laura - Spanish (Spain)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "411"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "404"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Katja"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; address=NativeSupported; alphanumeric=NativeSupported; message=NativeSupported; computer=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR ja-JP Lts Lexicon"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Stefan"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\tn3082.bin"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1036-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\r1040sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Anywhere;Trailing"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2013.1022"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\en-US-N\\L1033"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Speech_OneCore\\CortanaVoices\\Tokens\\MSTTS_V110_enUS_EvaM"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\r1031sr.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR Engine (11.0) Text Normalization"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\fr-FR\\M1036Hortense"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\c1040.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - German (Germany)"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\en-US\\sidubm.table"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "MS-1041-110-WINMO-DNN"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\c1041.fe"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{14E74C62-DC97-43B0-8F2F-581496A65D60}"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\de-DE-N\\AI041031"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "spell=NativeSupported; cardinal=GlobalSupported; ordinal=NativeSupported; date=GlobalSupported; time=GlobalSupported; message=NativeSupported; address=NativeSupported; media=NativeSupported; telephone=NativeSupported; currency=NativeSupported; url=NativeSupported; alphanumeric=NativeSupported"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Male"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\es-ES-N\\AI043082"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\es-ES\\M3082Laura"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "410"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{0B3398EA-00F1-418b-AA31-6F2F9BE5809B}"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "1"	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SW"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\lsr1036.lxa"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\ja-JP-N\\AI041041"	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total	SearchApp.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\Total\ = "0"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "436;41c;401;801;c01;1001;1401;1801;1c01;2001;2401;2801;2c01;3001;3401;3801;3c01;4001;42b;42c;82c;42d;423;402;455;403;c04;1004;1404;41a;405;406;465;413;813;809;c09;1009;1409;1809;1c09;2009;2409;2809;2c09;3009;3409;425;438;429;40b;80c;c0c;100c;140c;180c;456;437;807;c07;1007;1407;408;447;40d;439;40e;40f;421;410;810;44b;457;412;812;440;426;427;827;42f;43e;83e;44e;450;414;814;415;416;816;446;418;419;44f;c1a;81a;41b;424;80a;100a;140a;180a;1c0a;200a;240a;280a;2c0a;300a;340a;380a;3c0a;400a;440a;480a;4c0a;500a;430;441;41d;81d;45a;449;444;44a;41e;41f;422;420;820;443;843;42a;540a"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\de-DE\\M1031Stefan"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2016.0129"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_HW_de-DE.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\es-ES\\VoiceActivation_es-ES.dat"	SearchApp.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "Microsoft Speech HW Voice Activation - Spanish (Spain)"	SearchApp.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
756	AnyDesk.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2232	AnyDesk.exe
2232	AnyDesk.exe
2232	AnyDesk.exe
2232	AnyDesk.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	2232	AnyDesk.exe
Token: 33	3096	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	3096	AUDIODG.EXE
Token: SeManageVolumePrivilege	4164	svchost.exe
Token: SeDebugPrivilege	1396	SearchApp.exe
Token: SeDebugPrivilege	1396	SearchApp.exe
Token: SeDebugPrivilege	1396	SearchApp.exe
Token: SeDebugPrivilege	1396	SearchApp.exe
Token: SeDebugPrivilege	1396	SearchApp.exe

Suspicious use of FindShellTrayWindow 11 IoCs

pid	Process
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
2420	AnyDesk.exe
4712	AnyDesk.exe
1396	SearchApp.exe

Suspicious use of SendNotifyMessage 8 IoCs

pid	Process
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe
756	AnyDesk.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
4712	AnyDesk.exe
4712	AnyDesk.exe
1396	SearchApp.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2420 wrote to memory of 2232	2420	AnyDesk.exe	83
PID 2420 wrote to memory of 2232	2420	AnyDesk.exe	83
PID 2420 wrote to memory of 2232	2420	AnyDesk.exe	83
PID 2420 wrote to memory of 756	2420	AnyDesk.exe	84
PID 2420 wrote to memory of 756	2420	AnyDesk.exe	84
PID 2420 wrote to memory of 756	2420	AnyDesk.exe	84

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2420
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-service
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2232
- - C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --backend
    3⤵
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4712
- C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
  "C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe" --local-control
  2⤵
  - Checks computer location settings
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:756

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4dc 0x470
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3096

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.Search_cw5n1h2txyewy
1⤵
PID:2576

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4164

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3948

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:2376

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1396

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy
1⤵
PID:3108

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.AAD.BrokerPlugin_cw5n1h2txyewy
1⤵
PID:4348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\xmrig-6.22.0\pool_mine_example.cmd" "
1⤵
PID:4336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Windows Credential Manager

T1555.004

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\F6M1L8U1\microsoft.windows[1].xml

Filesize
97B

MD5
d9461b9f694dc9eafd80dc60210d096c

SHA1
88407426a9a2133968707378358e6e73df72d8ad

SHA256
15ef814fc4bfb43966f11f78eb0fc64c531fba0f68b1aa2a14c4a303c1fb009c

SHA512
e5e2d0966b75409c83fdeb7c7f2ed6e5d59b75b0f24cd2682caa95f18b8d77bb0d3e9434ca90a916b924d96b68a4308485e618aa44a5f5dd62396acbd92299c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c94eb34-51fd-49a6-8143-c61f4a5e6ea3}\0.0.filtertrie.intermediate.txt

Filesize
1KB

MD5
22426bcd90b7790b6b1cc33543eb0547

SHA1
698f8810cef1aaa0de242384a0fa1404fe47b262

SHA256
5074310bb27ab45e29f3c966ab90984c06d6b46443d99156cf6957f89dfc47f8

SHA512
9b1c52d842bf5b0f97155ef0dd2c302e617384d0cff5f14d799d7a1de2cdb8923dea54a1ad48826b919c24201dcb5e203f463cf9dbaa8ee110e830b3b50720c5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c94eb34-51fd-49a6-8143-c61f4a5e6ea3}\0.1.filtertrie.intermediate.txt

Filesize
5B

MD5
34bd1dfb9f72cf4f86e6df6da0a9e49a

SHA1
5f96d66f33c81c0b10df2128d3860e3cb7e89563

SHA256
8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

SHA512
e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c94eb34-51fd-49a6-8143-c61f4a5e6ea3}\0.2.filtertrie.intermediate.txt

Filesize
5B

MD5
c204e9faaf8565ad333828beff2d786e

SHA1
7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

SHA256
d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

SHA512
e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c94eb34-51fd-49a6-8143-c61f4a5e6ea3}\Apps.ft

Filesize
2KB

MD5
3b22c06fe5c1c065852dc3c5abbf5f36

SHA1
8d6d8f44efa5fff7af3c89d835596808451a7b3e

SHA256
7161458f73a0153c2c0e050eace2742b6821d4e236f76208a753002d9cc4cf82

SHA512
af8d91353fbca9bf1cccc46e5c7705589eb41ca679bc6c1c766f47c7b24959aa3bab607e08cecdbbffd13340ce25c0c40f23f5b5ed8ca02d5eaf0768381a521e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3c94eb34-51fd-49a6-8143-c61f4a5e6ea3}\Apps.index

Filesize
881KB

MD5
4e28e73f33664685ae53c672b39749a7

SHA1
d277723fa01f1c39d5e13454d00cbf188479ff7a

SHA256
38e1ce4edd15d9821d42ab4101fcbff84896b033d622db27428ac88a941ab4eb

SHA512
1c7f7923043525cc4082bd5d0222f2a2a1baec663edb028868cba69735bb139772be16f22b166bc14e0bfbb7408fa5f6fdcb988395c6d29e3e9d8d1bae0ad78e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9d51f8fe-d6ca-4151-8456-815de9d3cc98}\apps.csg

Filesize
444B

MD5
5475132f1c603298967f332dc9ffb864

SHA1
4749174f29f34c7d75979c25f31d79774a49ea46

SHA256
0b0af873ef116a51fc2a2329dc9102817ce923f32a989c7a6846b4329abd62cd

SHA512
54433a284a6b7185c5f2131928b636d6850babebc09acc5ee6a747832f9e37945a60a7192f857a2f6b4dd20433ca38f24b8e438ba1424cc5c73f0aa2d8c946ff

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9d51f8fe-d6ca-4151-8456-815de9d3cc98}\apps.schema

Filesize
150B

MD5
1659677c45c49a78f33551da43494005

SHA1
ae588ef3c9ea7839be032ab4323e04bc260d9387

SHA256
5af0fc2a0b5ccecdc04e54b3c60f28e3ff5c7d4e1809c6d7c8469f0567c090bb

SHA512
740a1b6fd80508f29f0f080a8daddec802aabed467d8c5394468b0cf79d7628c1cb5b93cf69ed785999e8d4e2b0f86776b428d4fa0d1afcdf3cbf305615e5030

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9d51f8fe-d6ca-4151-8456-815de9d3cc98}\appsconversions.txt

Filesize
1.4MB

MD5
2bef0e21ceb249ffb5f123c1e5bd0292

SHA1
86877a464a0739114e45242b9d427e368ebcc02c

SHA256
8b9fae5ea9dd21c2313022e151788b276d995c8b9115ee46832b804a914e6307

SHA512
f5b49f08b44a23f81198b6716195b868e76b2a23a388449356b73f8261107733f05baa027f8cdb8e469086a9869f4a64983c76da0dc978beb4ec1cb257532c6b

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9d51f8fe-d6ca-4151-8456-815de9d3cc98}\appsglobals.txt

Filesize
343KB

MD5
931b27b3ec2c5e9f29439fba87ec0dc9

SHA1
dd5e78f004c55bbebcd1d66786efc5ca4575c9b4

SHA256
541dfa71a3728424420f082023346365cca013af03629fd243b11d8762e3403e

SHA512
4ba517f09d9ad15efd3db5a79747e42db53885d3af7ccc425d52c711a72e15d24648f8a38bc7e001b3b4cc2180996c6cac3949771aa1c278ca3eb7542eae23fd

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Input_{9d51f8fe-d6ca-4151-8456-815de9d3cc98}\appssynonyms.txt

Filesize
237KB

MD5
06a69ad411292eca66697dc17898e653

SHA1
fbdcfa0e1761ddcc43a0fb280bbcd2743ba8820d

SHA256
2aa90f795a65f0e636154def7d84094af2e9a5f71b1b73f168a6ea23e74476d1

SHA512
ceb4b102309dffb65804e3a0d54b8627fd88920f555b334c3eac56b13eeb5075222d794c3cdbc3cda8bf1658325fdecf6495334e2c89b5133c9a967ec0d15693

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133794528786038908.txt

Filesize
3KB

MD5
8b82c011065cf9ed0893e9aca6539595

SHA1
bf077af27d32cae908a1400e71403f548576af52

SHA256
281dfea380b44bec538b91d018a04188757cfe9b904c07169ad11db9e43ff6bc

SHA512
3034a95de074fbb5ad74843e6074eb7a1be8c015e14cc3f449c3427f58b02be9ffadaedc65ca666dc3c2e36006b091bbdde574919577c637dcca86232f0b7445

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\SettingsCache.txt

Filesize
670KB

MD5
9eb5f69e443e7d835e78519e5f3b3ef4

SHA1
5ba40cd4a127359dbd006eb3b0f800809c138659

SHA256
4aa1fa29fd0a2d15b9204426cfee2e348dcf65f5b444b53fc5425a0418a3fdcd

SHA512
b14fd14a1ac0aa59e0b648b64af0fa4848a4601124fe8b37d0c3f7e4066908237eb1c9d01a43aa45444db104c68380a60e1e1625d1f4eda5d501a3c33206cf4f

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ShellFeeds\IDX_CONTENT_TASKBARHEADLINES.json

Filesize
241KB

MD5
c6bb8644ff4edad81b7d1175251acdfd

SHA1
d6b8337cd03a9439643147433477659ae6e83858

SHA256
b98bb02e548ea44e7145f7011256b7ec390ab86a9cff92f44149756102eed05f

SHA512
f10875fda5b858fcda477ad48ec57ec2efa421c51aa8c19d08a3721de6a11813e2bbb3e42d5fb5c37dcc9efadc02692514ce0d0129c16fd59f95542dcdbceae3

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
2KB

MD5
4667875862db80c92e9ed19c4ffb4577

SHA1
3351afbb4becc1ad3e06114877e7d67b3b80218d

SHA256
d4bbbadf3a73396c6f563f40ac3da4230778ec6c152f255da523f2fa05611e77

SHA512
55537b8bca359fee1e7dda4090468af19df6f461946a9895da9d1ee2390006d34b886165524f0b200470ce8f7e12383913fe93da175a35c02371f041ecaf7ae5

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\TempState\CortanaUnifiedTileModelCache.dat

Filesize
2KB

MD5
45f65494db3a313b46edfaddc5ccd764

SHA1
fff0e3ce2a0caf9eac7ca4638289b6175b670dac

SHA256
ec1953987fabbbe1146837feaf5986b5c0319e44fc099e0a52f6235c35b68580

SHA512
d585985ecb6b8b77fe995ff025ad643b934c5682e7648f360822301bce67b6124a4665d0fda888d2002f6d3cd33cfc05fde72c6f11bc71e1068c760805be2857

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
c7083ecb98b50ab189e728db128d133d

SHA1
0360020631f28e72aa52f6d495809e0cd31c067c

SHA256
132129b335373fbe2b61c114a354595837abfe2f34921aab282c6a180a1f23ac

SHA512
46a980a5d3a3741b4541d793b0ccbb106e62d06c1097ef1cd3e98f7e152bd0253ce7b72cb9d6611997cee6213ccd19c7e947b914ccc2b19df1e0ac1683f036d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
41KB

MD5
ae0404fb1e1ed970c063d6b5865a82e7

SHA1
bfa738c32e237c8c6499a7d81969ab46ed39b962

SHA256
8080a97bca3daa10e6c87d8be434a1462992656ef8bcf777d37fbaebb103dcbe

SHA512
295a053e49a11469b6d947d80801791366f134ec85925086b360501ba18b5243c4266ac3ab8ac32c46bfc3e5754331f19e6a59a4d8e1c2219d82a6a2dffc4177

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
91ce3339f1981d14a8a88eeaccfcdd80

SHA1
9a9f41d80713591cb7d73c9f317833f643a375d0

SHA256
9bb6ac4878052083e521e3ae24d55b1decf83fc9069e0329717bce554a95dddc

SHA512
a1239a45179f86675d64b651524217bd50076265198ff70a404b8bf40cf1ab1bd18a42b6296645a2ba251fb4f5dcf920128ceb553bdb5b920da87ac23dab16ac

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
204KB

MD5
0ab3f2bca30242acec1f529a0a4b9b6a

SHA1
01bb0b20374f25c14cf1123e5b155078557d1bb5

SHA256
d92dbb8a74e2b134b54e78a8517ba0bab571fb6b42b4f863151d85611d16828e

SHA512
db594606a7799dc8d64afca3c7880fa7fa70252e8da751b8abe02b9f485a8acfed5ef34959d5446388c6762511b36c0f007fbac8a8b63183f281323d9d73deb0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\connection_trace.txt

Filesize
182B

MD5
6ceafdf4ef6c9d9baec03eff82182644

SHA1
d2e2a1855d8c547a00582c49da2ddc5463d67089

SHA256
f9ae2a11d0077cc78909571596736335a9e1c15252e140a62a2b15b752649335

SHA512
27bbc6f2cecdca8e2731ab9fa1fccac937661fa7585a19b6bcf8647289a05b54821e5c2644d3ed48723fb1dd93b9a6312602aede8e82bc911e19256077073ba7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\global_cache\device-id.cache

Filesize
312B

MD5
c081f136b1147553aac37e7fd63f3887

SHA1
68d82c0cd0e774682f8c52c4de586a9364bc6690

SHA256
d93eb6c5939fc356957431941851d207e5181e77978ffd1d20587a42cdf82998

SHA512
2956a48a84052ce31ae43d27f9fd44ae3f18959cf6e6f8a4d7e53e8bbd3865d6b66a777f3cc1bde3d85baf192045ca0a7e9974e68a7052c8cd18bb50f2fb3ae5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
17e3ddd87f6741da15ae30c4c0dd2e0a

SHA1
5a9e7f98761f008b6b5bac514a33f62d68bc4ed3

SHA256
d6cfbddff4adde5f38bc884088439e7038660ce37bbe1a638acab0f544dad929

SHA512
aab59ba7e362610b723fe33014b8b97bd882c6bd14e67ba5335253909efc9690f0a79bba1241453424a46b9257b657910a2034ea5310a5a0348c147ad610917b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
fd14079ab956c1fbb69ac4d44a59ef1c

SHA1
1c8615195625497a989bd01384c7b961357865e0

SHA256
de468b2c19c7b7cfa783f4d2b83251166bca46ea5871742779bd86dccd686e49

SHA512
3b9523a188042e75256cf22ed0c0a19f55979c61dd07db5d58d29b03d356d4e7b182a8eb676d15f3fd5b1bc244349067abf3dbc4589c490ef431521d78066fd1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
150d7021285603f5e8f5ce3f7f6292b1

SHA1
6ff2d6b41da0a29672218eff32a7c74294158ddb

SHA256
b10203bddb0b540a99d21c0f24b5c4df34ae5494d1dfc4f6572528e1e219c0c7

SHA512
0a455feb64e5f1c2012c113b5f1c516516906f8c0e11b1c0469ef55171455a45e870e8ca7cee1b1d9e05973b5585dc607faf3d872f08bb7e0c2170800d51103f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
07f09a81c7317ac0e934f01e2cbd4ce4

SHA1
abc2fe750849d9aea816ceb3e5e2047ecb13edc0

SHA256
04da7490a16f10721c1c0e785cb9d7e77d85edb7df9e4a8db6a2018d8f4fb770

SHA512
68bd8535e26169d22bce58073b08c1ad9c1a2ed2820521ce4cb3dbad47c3131604ac3e61402b7906763417514e32a849d18c5fc7138de85c08e9a4a9e4eb05fa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
831B

MD5
9e5d206c74c81f4640b4e36b29ac578c

SHA1
c7b87569e9e514a82be947e5a84e7c684cf468a8

SHA256
f1dcb36df9417ac42d675b4a6b3c04d5fb71da8e7983a5085d40768f6ed57042

SHA512
ed9616c2c588d96f89ec2929a612cd996ab6da6dcc3df3dbf7795283881974496b8ab4fe06236250959e7df51eb88c62cc889cfbeb57acaf0c370ea07c14eecf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
77d90430570cf4883855fb7e7a700dd5

SHA1
b1c2680cfaeb96061964b55c51da9b104c3a2107

SHA256
73fa9fb04004c09aa064c1336024cc0e73dcdec5fc2fc0581324c037f3bcd4ac

SHA512
bbd78f82a3b5ca2deaa59bec232aa13111f4eacf1e6ba14daf60d61f3303bca4208726f2c85b6deea8d6c085933af2640f308fe58736e1eef00f69c89c1cf187

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
85831e786e1ba61c5c35a83b314f83e0

SHA1
2102a423e78b164050d27369df8fc43466de4d83

SHA256
4922ea249af3bc18d2c429062b956da8ca88e11ae667252f4dbe85128f513844

SHA512
38149815356d377a45f13048b8c397534c1151fda4def9f1c67414933b72ce7b9c3530cc3df2816f92b838511eb7073231edd313189e21bc38bef9f90785dd02

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
da48a6a337962d6b43a5adfc59c19066

SHA1
b93290a0597631f5d696d77178cc8a56595fad3a

SHA256
e727fb1aa7296c2ee4fa3687aefbcf5eab1f7572cbbfdba21a1bba4f0c4221a8

SHA512
d6b1d2c9cf54e8d18d23148964ecb82c3ccdd2ba243aab40fd8cd7e74d6c075a5d84c2705c114fc346937a6b12dce903615d7fede6234b083ebb7a81a5cd1f0c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9280413ddf48bf746df1233da51db661

SHA1
dd43efc46e6d9333440dc52cf99848812c48ea7b

SHA256
c88add25e9b4248f6583f922641bff2cd99a944ff3c38a1d78d138304508bca9

SHA512
5288eb0a82a2fdcaf56dbdc87e0e19a9c66675c0ac403d982777d8e9e4241d831420c039a0ddd3a042e32aba420cbdc528eba66e8a18c73fd880c8c2c309f1a8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e4a28e4e1699e42c2c76338fad02fc82

SHA1
89a981d91b830c7eaa11635e0827a4d1a6eb6997

SHA256
fca9ab0613ee5792d75cb40377360236eaa6a2c735cd49f8de09e17475ec5d76

SHA512
12d2d25a2b5d3b852d29cd4b25e023d8f31446e2f047de78099260a2011871213a8a5be68e2d93f1188910b6760898cc256eb29efa969b7f63f2578cddc26d51

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
804a807336b047ca5aed925fd3596c91

SHA1
53b28dcf391b5c7dc1c8e43e07ae804350824ffa

SHA256
0852b050a0ad2cfe27a2c9c410871425426454215d500077952d320458140001

SHA512
d8f583c572fee65ef969cac882ccddd459f0f8632a1ea95bcc9b64b14fe0842b6dd5dc1d45b3e1ddb46c7f486e2ca72e8e64ba110021db8a2a52a70d62e5f813

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
62941ad320559315a5a07dba129f9313

SHA1
6af644889b6e0c682cf6041ca94d9fa4c16fda84

SHA256
3ee45d3b6e93336d35a9e568ff38007085d657c5209f1dee4d6ac29de9fb0313

SHA512
1ce2ca9b881407bb54be925d368c951b6ef4ca072adc1cbb025391f9525a453d98fa5a1d0c1a170c78c97b4556e2ba0505c6cdfefd822aa5633c5aaad153c291

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fffc0dd9ff44e5f285c4696cbf6559f9

SHA1
031cd99068e9e01966723280516d4e8af59aab91

SHA256
9b5db42da9e5503e713c86085077e0433b55641f4851a1af6faaf1122957d0ae

SHA512
b4a9c98ff6779db14d60083eb7dc2477b9985ed3b145685ae19330174be0155faf1894d0dcf490de31cab54c0e5704e35ccd56dd074fe2342d9a47f7071c1f8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
bda194ca2bd3e5845446264c1bbecce0

SHA1
fcb90fcabcfea01321a99a8bcb813ae832718126

SHA256
b304c2e6b86d2430ff99b8c2a78186e5f185042b79c85fcdae8161226876f291

SHA512
6240d51ef56fde0f2c38d21ec2ca57bf0e378437cb4be1a67f905fc0a023c3f5422f9848751c9ef26451f39295a96644b5c9638dbea87daeb474c2ffb6349ceb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
61796908292fb9c2276c57604b3cc201

SHA1
38febfe2f0893e473242229ab4b56e76650674ba

SHA256
538538f527b2f1828d1f9c52b53c1fbf550daa2f941cd87d1652009607147740

SHA512
65758b505f6709844b37fc05ff864d8402bdd150490ea065c870ce742770247ce8711a94e1e9ec4f64afa54c61b5f9e2c9bde44b50e55f437577293062908533

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
b060443329088676209c4629be144134

SHA1
e5058eda2743c48843b81ad4049961ed6f3c93bb

SHA256
5847b80561bd98d9241d5f304b860807efb6832b68debe40fe02c2dc35890e63

SHA512
798e684b346ec4711d3a47ff4faae3c6a9f4b540ad9b2e0172858ef23b6f6d848b8c094ee24fda39b18c92db5922eb3c1f4fae92431efacf958a1ffe26fb4b55

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3318c51de1a0f2552134f4239710e31b

SHA1
362dcba7215dcae5131a10587fb53712f6779573

SHA256
a80459be7ba6b7fe9092423842bc79ecd8f17f66dc84b122f35bce8e603f2053

SHA512
3e4cbbbc9d98c36248a47740d02255f19e0de89689833a8fcf9a31c217b2beac95f41146fba67492103e7aa4623afec2b4daad28343d36d762d40afcb9e87457

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e8f16c033f9eaa8bd04f2c5fb2b47d82

SHA1
9e2ef8fea794714ae8bfd303fd4cc67812217c38

SHA256
12d2e8021d4194debd77cf761cc791a7fc51e57f4781ad737d91ee346439bd8b

SHA512
823828d0e9a9dbf278951f120fa89352802673225903f02adc5c048b0cbf54b5f60d3e662e90e8cc2b493765d750f621c8d342254c051b4750015d1f44e1bc78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
87cc3089457331685b344c0919ce918a

SHA1
78dffdd6cb8cd50d16cb26d0af43412cc433a173

SHA256
073b9926b3b84910b1e4cc70577ace7385df04d6b858248c75e91f35871c17ae

SHA512
62b135d424e5708141b58719e5e76555dfc6bf3c4dfce49824b35300cfa2c04cfd58b6b9e685cb687ea8550840716aff39524d096d143cbfaf21b41f3bb2b9af

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
3c41c0c5292fcd747733117c180d7a3b

SHA1
ba7d3426194caaf94070dd4e63bd2d43221f99d5

SHA256
d4032c5485b5b90885392152f6fe9f4f16a4ee2b4808b8f0bc7806885f8bca52

SHA512
2b3fa5bedf27a77b20124e74916d7f88bf72d82a497ff29487d895b48e1f42bb0a8f726a9af52af3369819a4ec81842331a5aaa558d4db462811bf4c6a7f6ff7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
91cbc24310844779077006b52d3db277

SHA1
e9ef213bba5334a6063dc947d20cec8638dfeea8

SHA256
775860d74fcbb09426775b182e5d0e90749d0cd39438a577f83ff9983d16d8a7

SHA512
327f58616d73b577b95a4ba6c7a370e33d283da1b6ed3c031ac60cf0fc3fd87ace674c084059f9fab50096aec61018e40d1536b306b4a6d94036824479c223b0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
3KB

MD5
ca8ee9b2fff67d708a0c3833fc16fabc

SHA1
b211e8c464b541146422bf727e2f408d7140a16d

SHA256
71ad29c50cd00cae8b5737abc81be20107580894cb18f9d1df04ab82d3467f0c

SHA512
fe0500a5185a4af4f9fd5837ffaccbb03ac3f99efc97dbd92f9ad8b459f45177f9a1234cbbcb98ee337301ff403657145c34d310da0c2b309cd5536be569ee1f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
fbf927084a0e814c35239bdf73e8bbcf

SHA1
28b8347b669f3201eb486177e118282ed81cbaa6

SHA256
f993f7d757618b0bb4a3331f52fc993d239a228c2f1ba8e6698ae0ac3a456799

SHA512
8013273a9b60815a9558e3df91e7acad461289a4fa1a36965fbe649657d8c29672cb3f98d56ce736f1794c2b59cfd6ed6a2839541149627c446610c023e57567

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
f5253964209f43f916e8147cee7264dd

SHA1
f02f34a1d9cc4741ae3f49271ac2e3ca14626259

SHA256
29749fd40b3aa5ea005f55d2e44695348a30fbcac1de591cd7bb248ae06af3cb

SHA512
ed034a23f1ece2687d5815f276b16df0754d7d9278e0fe03988c47f469a8e3727e7717cf273efbbf43bab94b4b20c65595df64e216e9c331f81eb0c805e231ce

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
238feab5bf7e45d83a97d7f26c1d77e0

SHA1
bb65d6198916357979936fca4b941438426301fc

SHA256
2f8e6523636e022301dbde3f4fb02a09d675d76fb44dc470f7e556b227d0bd90

SHA512
59ed41f5239ab19715975adf6bac9d209d49b0d8f6b99e03587685d1f3b5743ce63d8edefd33463f8251f6185bf6601bdbe53b78bbe49f3b152327188d09ed39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
cbab78ba43000b028f3c81c611029722

SHA1
e4ce9ffeb650fb4431f61ea90635c3410c9b0d7c

SHA256
684f7b1053c2b9508894a7ce9df15b1a866a1cb3b5d6ce2d0947cf884eaa5239

SHA512
19256cd6db2a5b2bd387773bd6eda47d7a2992d4b683bec5030ec7da7598b1b55c5465b6a36d40d7efbca3a56bc3da4d4e8241832f86f79dfb5dbc3e546424dd

Download Submit
C:\Users\Admin\Desktop\xmrig-6.22.0\pool_mine_example.cmd

Filesize
1KB

MD5
0b8919896ac248e639026ae5df384141

SHA1
cf0bfcb299e93e78fff1cac79da168886533b95b

SHA256
0849a96142db1d260b9e7a304cac13b2e7ae5cecb05e918645b0d22f0ad08ce5

SHA512
32ece900da6a563199e97e1a62ac2890de93751dba2e8eb79e8f90cf4b1edfb36389eef1f12569f5763b3f49eebc197308b7c1d5061b70ccbad097b60c6c1fa8

Download Submit
memory/756-260-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/756-247-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/756-362-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/756-240-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/756-187-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/756-10-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/756-358-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2232-239-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2232-12-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2232-357-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2232-14-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2232-186-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2232-41-0x0000000005D20000-0x0000000005D3B000-memory.dmp

Filesize
108KB

Download
memory/2232-38-0x0000000005D20000-0x0000000005D3B000-memory.dmp

Filesize
108KB

Download
memory/2232-42-0x0000000005D20000-0x0000000005D3B000-memory.dmp

Filesize
108KB

Download
memory/2232-246-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2420-355-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2420-248-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2420-0-0x0000000000B64000-0x0000000001C66000-memory.dmp

Filesize
17.0MB

Download
memory/2420-181-0x0000000000B64000-0x0000000001C66000-memory.dmp

Filesize
17.0MB

Download
memory/2420-1-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2420-244-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2420-7-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2420-368-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/2420-180-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/4164-386-0x000001D61BA40000-0x000001D61BA50000-memory.dmp

Filesize
64KB

Download
memory/4164-370-0x000001D61B940000-0x000001D61B950000-memory.dmp

Filesize
64KB

Download
memory/4712-360-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/4712-190-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/4712-356-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/4712-249-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download
memory/4712-245-0x0000000000B60000-0x00000000021A2000-memory.dmp

Filesize
22.3MB

Download