xworm | hxxps://gofile[.]io/d/yvFqFc

Analysis

max time kernel
89s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
28/02/2025, 22:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/yvFqFc

Score

10^/10

xworm discovery rat trojan

Malware Config

Extracted

Family

xworm

194.59.30.29:7000

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7536152436:AAGG2hVlR16lwWms-OeRk5OXZ6BXJtq73lM/sendMessage?chat_id=7773294550

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023d43-121.dat	family_xworm
behavioral1/memory/5692-130-0x00000000005C0000-0x00000000005D6000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Downloads MZ/PE file 1 IoCs

flow	pid	Process
38	4836	msedge.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	Output.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	AnyDesk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1874072718-2205492803-118941907-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

Executes dropped EXE 7 IoCs

pid	Process
5484	Output.exe
5648	AnyDesk.exe
5692	XClient.exe
5784	Output.exe
5852	AnyDesk.exe
3520	AnyDesk.exe
2424	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
2424	AnyDesk.exe
3520	AnyDesk.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
49	ip-api.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 936396.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
4836	msedge.exe
4836	msedge.exe
5044	msedge.exe
5044	msedge.exe
1416	identity_helper.exe
1416	identity_helper.exe
5356	msedge.exe
5356	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5692	XClient.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
2424	AnyDesk.exe
2424	AnyDesk.exe
2424	AnyDesk.exe
2424	AnyDesk.exe
2424	AnyDesk.exe
5648	AnyDesk.exe

Suspicious use of SendNotifyMessage 29 IoCs

pid	Process
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
5044	msedge.exe
2424	AnyDesk.exe
2424	AnyDesk.exe
2424	AnyDesk.exe
2424	AnyDesk.exe
2424	AnyDesk.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5044 wrote to memory of 3904	5044	msedge.exe	87
PID 5044 wrote to memory of 3904	5044	msedge.exe	87
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4104	5044	msedge.exe	88
PID 5044 wrote to memory of 4836	5044	msedge.exe	89
PID 5044 wrote to memory of 4836	5044	msedge.exe	89
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90
PID 5044 wrote to memory of 5016	5044	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/yvFqFc
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff32aa46f8,0x7fff32aa4708,0x7fff32aa4718
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2112 /prefetch:2
  2⤵
  PID:4104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2368 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:5016
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3352 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4648 /prefetch:1
  2⤵
  PID:3008
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5228 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1416
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5284 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5116 /prefetch:8
  2⤵
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:3984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6032 /prefetch:8
  2⤵
  PID:2532
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4704 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:5064
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:4360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2096,12610054344562398146,16771214864262433423,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6408 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5356
- C:\Users\Admin\Downloads\Output.exe
  "C:\Users\Admin\Downloads\Output.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5484
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:5648
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-service
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:3520
  - - C:\Users\Admin\Downloads\AnyDesk.exe
      "C:\Users\Admin\Downloads\AnyDesk.exe" --local-control
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:2424
- - C:\Users\Admin\Downloads\XClient.exe
    "C:\Users\Admin\Downloads\XClient.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:5692
- C:\Users\Admin\Downloads\Output.exe
  "C:\Users\Admin\Downloads\Output.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:5784
- - C:\Users\Admin\Downloads\AnyDesk.exe
    "C:\Users\Admin\Downloads\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:5852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:776

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1108

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Output.exe.log

Filesize
654B

MD5
2ff39f6c7249774be85fd60a8f9a245e

SHA1
684ff36b31aedc1e587c8496c02722c6698c1c4e

SHA256
e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

SHA512
1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
395082c6d7ec10a326236e60b79602f2

SHA1
203db9756fc9f65a0181ac49bca7f0e7e4edfb5b

SHA256
b9ea226a0a67039df83a9652b42bb7b0cc2e6fa827d55d043bc36dd9d8e4cd25

SHA512
7095c260b87a0e31ddfc5ddf5730848433dcede2672ca71091efb8c6b1b0fc3333d0540c3ce41087702c99bca22a4548f12692234188e6f457c2f75ab12316bd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e27df0383d108b2d6cd975d1b42b1afe

SHA1
c216daa71094da3ffa15c787c41b0bc7b32ed40b

SHA256
812f547f1e22a4bd045b73ff548025fabd59c6cba0da6991fdd8cfcb32653855

SHA512
471935e26a55d26449e48d4c38933ab8c369a92d8f24fd6077131247e8d116d95aa110dd424fa6095176a6c763a6271e978766e74d8022e9cdcc11e6355408ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
90a5264136be2716c1259a8d5ad3439f

SHA1
cc430378f65a82c67e9629344fa86e871d0c50e6

SHA256
3a0373b142bb81d5155113f90b1ce9fd3beda07a576bf5b1b03abe2ff5e0bc53

SHA512
58fd5afcd662e476a3d4b5be7fd2ae14d8fecc20b979d8b7b3bd5cb29f7ce6b71017bc16397d7f0503b532ea43a9beab6be32e4da9356035a94b59f04a6e340d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
27c00224a77e306ce49a20e99985c978

SHA1
47d93728c7abe9c2089c97907c16e6630d295b4f

SHA256
9c0990f25fc5b472a032dc0b9c54ef2018ec9bc3cc04f7048ab34196f2b9343f

SHA512
c1a84f8279195b5a42dee43f83440512741135626db3c7bd87bd4506a766639c15d0cf6b4bb873adc4b912c1d45f544f36b1e4c0475f444829ef251433461b54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1265c9e3a1ce2b8ca005a594c5b59f71

SHA1
b0dce0bdbe346f22b60eb759071dbfc4d0506509

SHA256
469a2f3bc212aeec46640378b74a5b1ff5092d28ee88551cbac48daed460754a

SHA512
f5ef0ada9b9897103ee1662145cf53526fc4bc046be7b6f9a29445599092388b560501db64c247d3afb020553495956721314a16ca3623627df1322c236e5479

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3d7f6abf937b2f088fcd5a1384d57ca4

SHA1
975f1407c07cfe998ee77ed55efd8ab39d723deb

SHA256
3d10c04ec8e6dd746169e13e6f19d0dfbb6674c97547affea5d31bc795c5c74f

SHA512
1057083ca091b464b5746a4c283b4f915e4636234ed02606d1e66fe872d5cc7fc83a13bcbe2386322e066ad33205edad0aa3528200f105ee68bd43684ea01e6e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
491b48f08215e1da3c629f4302411c65

SHA1
d83d622b1fb077481bcd9e7f8323a76aa5806286

SHA256
27ef03072379c2acc619e5dae00c146c74c5b7e935f87377cef0b89072fcd8b5

SHA512
ab34c059bc925b918dccec9ea42b712e3114c46423a210f877d5d37828a268452bac261972f030ae4b5ce0df4ec7aa4e846b0fa3e52fd48ed91a86976521ad51

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
a771c0591da839f2f050d51ced65766d

SHA1
b35241553176252f3dda996903fca3df14e383d0

SHA256
9e7e636bd0aa99caaeaa220c6d845a091e3129a1880e9fdfa3822bed1b25b5c7

SHA512
94e8a0dff0b33780a4571e3db5070c3a3ca777fbe21413577ede2e93182547b6041b59599d5b8a03c84b6e147f0ba9c383f2144eba8639ddf06494259b2ccd99

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll

Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
3KB

MD5
f0ba7d4b371caec6c278559e6c593a21

SHA1
6aa4ccb365c110f0af0bff404bf8fe557a4de0cd

SHA256
2f9dd99043b041342bf06db95c28d7f538ad849fa2be389f70bccbadb60e1131

SHA512
d8eab2242301f4ea57f17c093ccb2fb3847f7694260474d2cd59f471d4b241ca8477bbb5783328098c9b5a4667bd20af5ace8b2cffd16d1ab8009ffdf8d84825

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
7KB

MD5
9010182a5c40ea839b0a58a2dfa46d6f

SHA1
93cd14eadd9c7c621ed9b2fb95fc0c7c47033cca

SHA256
0ed27da9a86746ec0e07b6baae5eaa73121a093e5a9fa855ee2d079a52a658e8

SHA512
ef2cb71a1fceb0ba5808a371df737a1e7d80f987eb1a613ce096ee47ec67e61f59ef7a38be2dc735d03981c3e61a848536dec64fb490765c38d54afac53b9235

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
13KB

MD5
77b9e7ea73e7fce3d64709fc83e55712

SHA1
2e019b51f6fc2fa2df741b8a3b677053fb97e22a

SHA256
8a79c76767cfb7ac5b8df505b0525c469763e36c0d3b55825d0a9215d45d4bd9

SHA512
a431d9dae9aeac92e5cbbb80f3a66af3572b3c759a4fd5b3ba44c084db3e6b1f05e0357b6f0d1ad6af7fea252b2ffcac245b5078a25ca3c6f14f31a14001a384

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
7beda655e02a292b9236089d3e75a1ab

SHA1
7ea33a03820438ceaae750a357fe48953bf5da71

SHA256
f803e0de956f6df2887eecb017ce89db43bfd50a99b03240717351b02de5df1a

SHA512
d2ef1842a18d560598b6eaf33e36502c8fbcbe3a160a2854a684150d9aad437e343fb759712a6fe509056736fa0897a075ef1032dd8cd61d84a7ee8ddc354ac6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
bb3497172eed45eff047be12f644b6ae

SHA1
fce8354f25f0a956a791b1455116ce3623075980

SHA256
b302b340ef8ada16bfeea18f34fdd2751f1778764a0f92751a77b57ba745bbac

SHA512
7adbd8fdd712f36b01016e32aad99c885fef7bff01e9d4a6111f3fab654ae1a60de667d92d75fa559b902419b0f211c26f8a2ba689e33dbb2fdddada1a6295a4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
89b02440e0b49245745c0e2090d3516a

SHA1
d0f6045b0c21f8c5320ee43976c88ccd553f7178

SHA256
bcae4db5d650a8ee63d19ce11a4775cb40d5e3a7bcaca5633317b746e64e0025

SHA512
578f72720248250eea225340f01f3c83ce7260b7c155e2b908425e5d3de5b3d9e5d440c2897bd01438f9b8fcf0f5011cc8ad19bb223f1c30c8fe2622f7258464

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
b44311411302fa9c49bff35e0a942c5a

SHA1
abfef16b27715f329b137faca08b163f2ef8ed82

SHA256
b9877bb2a8c185f77f33cdd52097c4eefb5444bd895a769fb72b3c0fec8beeed

SHA512
2cb6e36a9275840338e9e7a5668c38328b738c9447d6a59850bc0a5d31b8e8723c0520a858cc97dfb12e9320753a0c582392cb8fb315de1c15a10feedfaf2e1d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
642B

MD5
566fe52e5a25f5da1e68817c281f6c1f

SHA1
9c10dd1e1829023a68ddc906aebb82deff77696a

SHA256
66743cbfd72a6ccb5a0f3241818f4b289e3322d42827551d9964e0fc12d0c92b

SHA512
a40e91eeabfa14901e60aea08db28b33f756395dc04ffbcbd04a854190af7ddbd1932ec6ae66dab3eef815ed5099ce856a43dcbdf45f288a7f26b4bc4ddf95de

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
db25f992de0c94da11822d54f5cc46f8

SHA1
1ca58196ae8220533c4b3de58ff843e27d05e07b

SHA256
02626320db43fcbd4d1b1d6a7db94df9641dde8ac27e7556e4c0407604d67fbd

SHA512
1e2cffa378f3a180c92eba85e83e166b7d1abf32bb56cb1a5e261b2a69455f5807cf98e268a1547a0a262ebca5f91de88f7e824f3c81c87f340953bd7c057ed3

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
2a722af18f9575ebba8381cfbdfdacf7

SHA1
016c1bc2da7ce64ad3f5bb23b18c5e7325546b1f

SHA256
6bb500753566ff1f9ea84697f64ce73344cc05d79daa46e6abe044b282958ff5

SHA512
ca06c1644b9a1c6c5469eab42e515551e65196bdb73ab0fb757e1732fab862275a31d11f53683eeab1e70c7c595a0a7b1996afc0dcae51dc3114169d93d81c8a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
db5179fb10a0f87a774893fe8da6bb19

SHA1
51cd035451c993d1efc9b49e4a8f89247a516b0b

SHA256
2df54d4d7edf40a7e8a2a40ad46d65c86f5abffc0802eae7ca1209fdd3c2b764

SHA512
d75f479398b4df72370c100f24e56a221f537109e6004ccd5b768d710b5499802a4d9be7c9d4d68a8c22be3088d9f5630436e79630720aa76e1e150eb00d6918

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
556B

MD5
f94dc1c06ed48edf52310cf81ce12f97

SHA1
b9cbedc399b851fa036dfab19f525b928d5130e6

SHA256
9b9e0f854837ff7d640955017a4d1ae355717106bb5c2fe9e0404bfc4a66297a

SHA512
0c321810aa210b78aeb13cc8c96673e28ebfffe3e60607cb1b9dd478fb14c7235679a587078ee7e707c517563d5bd6dc0390655e7009b6ba3e2a7e182733eed7

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
573B

MD5
336dbea3aa1465a9057a630e689a6232

SHA1
9dbd6baed9045c8061a7167a20723ed2efda41af

SHA256
f9afe9448f71795fd98a42aa978fe471110b316ef2789572f76f596581d44ada

SHA512
431fe5e7a14b099f2953888b95de2f8e146e176a818844098119671d8314a24dcaa2c1c8216696d34ba6f866ac5e20e80604eb94851877cc9d569f34c1a0b7c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
5e72e9c6de267e2b20512f42d4735a4b

SHA1
72469cf18434ba0e989dec545d9bee44164da475

SHA256
a8649e12f5f2884dc5cf3f05a364d01ff19680324243efa29566b9aff7b27683

SHA512
e92b518a93d3de2393f83e2336c221978326ca17aab0ec15dbe7b5bd04887784b85d6c383bcf77c3d6c6e6dc31e448a895ca2e6ecd87471d5b3296ea21f8fe28

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
622B

MD5
d51ce10e7c0d886d3c90199dba4749ac

SHA1
dd004f2508ff5d363a8cb1b6d15aa5ac7a5efc97

SHA256
578d928b13125df9252e538d841895f2ce79659af4b0f34bad318aaec5c298b9

SHA512
8b5ab140f2722b1a212c1dd43a534564a28a14a352b4475b14fb4beb57e4bf4ea7416a5ab6bf994855662d30db390fb81dab8fdfbe51331a04ff61588a64e9d0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
b1361dc6402349df0a713d228ff06179

SHA1
07fd5a02b0c9282545af3424f8972f56688dd6e8

SHA256
da78bc394bfc27ec73ae1b6765fe65a8e74f2ff1f77677039a192b1c0ae817e6

SHA512
cb47b7f9036fa0b93a2d3f7e20f301a271c3932a0f1b9f53ea3a92ecb464a1684b0cf9e2e38d194bb708a3cb54a9de633e3c3a09347fa89e22cbd7d540424718

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
91c73f6a32786dc68251c96ac1214d75

SHA1
a51c4604ae587092c32d80943e3097106e2f9511

SHA256
7aa310d5430c4f6eb2e33aae4537c800d0dd51eafd41abd5c98ecce61d215b98

SHA512
9bf84149309b92dd5ab8b09e904d4f8cb859ae735a37877fd3393b324f0facae217113190929614954605569ddcc89b324baa3cb65c3a50cd08f8e2c2209d4bb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
367B

MD5
979892f765c0026a7e5accf40c187abb

SHA1
6cae956ee169f3d3c42acdcf188e89ad0d25a987

SHA256
65f403dd877a6afbd4bbf2c6f81ab7d92118b81a1ccb084ed8805cfc5ef4d328

SHA512
45deeda5490b4aec7d4f99216ae1bdc27280462ef5ba8bee0070873bd4a43ba5b785e633e56d4ca9c4c8453bb0b254592808f202a5667713350b2329b64c3736

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
41B

MD5
a787c308bd30d6d844e711d7579be552

SHA1
473520be4ea56333d11a7a3ff339ddcadfe77791

SHA256
8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440

SHA512
da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
55B

MD5
c8a841061294ea55fdecc38bf146d3eb

SHA1
04d399d1dbb5abc75fe30c51620073d1d5488e95

SHA256
092a32d6b155ab8b5aaac22079646a7614f0c71643256f93d5c5fd1f2c73a36d

SHA512
a1a0c5072de41be3f95bd8c9e5ec0162e490b7ea07b191fa9a4936b8a47d08e13788991a05a2b5ebc54cf3b39db79aba9ce1e2a74d89b444cc2b183f4be53d94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
0c2ab34c1813fe5a6e960ab149bf13ad

SHA1
0838e9c65b959a0fdb22a764e05df0d64048c507

SHA256
5bce6f27a2eac9898d18852f843ad33b72d2d6fd36a902eebe569449d21ebeb4

SHA512
122cacee7eba829541aa87fad02c1d5c64d03b8536d670d90fadf50dd430d36564b3100a68770131d1bf79338dcefc00f4aa7a21333619c1829685d3a780f7e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
c795992c1da94b41015fc39bee403334

SHA1
ef5995c4f1b6a79faf12401a16155988e8ab48c3

SHA256
645e9101e0d186bd2d55cd7ff5dc0cd151b31a7c42b847feaeb4abf2b4148132

SHA512
88161e25aa07db885b64c3dc57beeba4c29427b7402185e00a6dfe784377b1a8aaf5e57698a0a3fb3b997f599daf469ed29757a1898d34d7baa0489cbec94cf2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d5e2ec6649edb91d27d197f7e57a4360

SHA1
9e391a71362348678de3d6c33896fe84e7a0eae3

SHA256
2ecee81561081d4611fd9381557f9fa4389f15f7abd400de9207131dac850eb5

SHA512
ebdfd82c9916541f49d3e753b80505e738c5cd7754102583da7b946c484b5d6377700e5d46afef7967022a088ec0de66567404f8407b08612143d97a95831333

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
17363795ed96aca282bea2ada1f747bf

SHA1
d5300dad8d420f41f81f2468845c5b90fc1c59ed

SHA256
47ba1ee40bffa1db6b48843ea792ea2f77e98fa12697a925236b604714b78089

SHA512
96ecb8efccda1728cd5788518f8cd786b1ac258ab8c2a14ab26b50706b6c08d318e5bd40c1bdd0069199d6e27e5cf29e7f6c4c5fc8b40b3baaaee0d22f99e350

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b253d6c731d12132eda97614a19d280b

SHA1
d0405ab26dc2a45f0a8d96588c694b05168e5b12

SHA256
d80d70c053098e5f49287f424b2411d449b1b877cd03cbc3ed6b51373f396ec2

SHA512
e822c019757c1a2b6722cce847703606d4ed899f8db3705dd39fcbdc72aff3a4c49fc741040207b898ed9178cd7e3f80af713e53288c4051717052a691098b0a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3d186ffca79cec1fc8c1ce58193f860e

SHA1
37b57e0367e38ef9d042d8cf9033935e18f8db0e

SHA256
884099b97a8a7d3f51e572264fd6570f906b4623395afd3d9951bc5bd25ffbfe

SHA512
2599ded8b63b5fba166090dc5334ebc31f084ba829dc3c80b283aa3e9c25d71e063827d7179b19ce592448bbe25ff4bd53d59cf3660c9b92621d85a09aaf4af0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ee5184d21c58a3bf8e42983154d3e41e

SHA1
581113907613936892d16325bb379b0a1b8f6103

SHA256
f157a6c7b7738f4642749f9432547b6c347d109ed79a96ebd2504833369559af

SHA512
13c72862d29c6cbe36ce1ada90acdebcb4e275abd9101f7068a6f2b2a565d16d10224873b0a5be1cdb8a0d17c03af32d217a8e213ade973f1c0cff4b080a073f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6adc900387ee18af5c934f267371aa96

SHA1
8154bb8cd1d7511b09dfa40ae4851f35fc5fc847

SHA256
1c08896248119658573b88b99522669e4724134f7c0e78b970dbeb12f2fa9e6b

SHA512
6754251ade2e494d718d975f0e4a3d8542b57b442face2136929c22f8e3c72733c44be775197e0c76f41334b2e4e155b47bd771d05013b0c24f00c674885b452

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4ab9077b28a38043de03b234fdac136e

SHA1
39b6587ceef9382cf3d7108791deceab48be993f

SHA256
e0173c9ec8d32a4653cfd0f9239e2483113849e4c31884429c9e1f63c1589f11

SHA512
cafea033fba461cd454368ce51f5d4c08563f2a909080d253b23766d7a9a65b492a888646187f79330dcd0d5c8a972dc43a802b9d4fba82be05935eef4acf4e2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
a9e5339266a0089d61ee9bd12afc795e

SHA1
4f3029f628b56f82afbd449652118a2fef7f61bc

SHA256
29a97efe9bf612931e0498e3e1f4b37a259278a8313380963baa4d616ff092d5

SHA512
70ead2b660a3ab1deb25884d211962318b3c225087130d6fb07473fa6578c35683851a608b0fd2135b665ad71f1c2a7f4b317dd4d980641a10c813465ad858ea

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
ac53502dcc84c422f4a5db655243b1ce

SHA1
ed59f62ef4a280df9a8f791b4fca27ed7b428c49

SHA256
4fd726eb60408fc40b54e2ff2b6e9dd7c4790f5c0b7585434989e7fc440cba5f

SHA512
d6487c06b74e486da1ff0d029f4f04fbc2d76f22d28b32b43de6931adad9b6fddecb0f267388ecb9a3b1cdf21632ee5b07340ebd6ce92b53de75199836d68b44

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
87d82437a8337e36daeb6bd09505ff14

SHA1
e9cc1050d416e0dd33118f21a8b584f4e764d454

SHA256
c119db03e951673012cedf6b5c9db362b14bf32422babf349852e201eae06c25

SHA512
a1cc19069c8828b68ceece8283d72617b2b8a3daf85a7354681ec67feea70f199f88b7f731ff4f742ecd961f8ea4799507696f6d97e86816a5a70c076349902e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
40c70f975df78194cef084cd7db17d7d

SHA1
49f60fac57834968e10afa86550f137d6f2077a5

SHA256
9348e09f5df2c2607066378317bf24d4ededf8ecae20a1d4211a69d6584cb073

SHA512
98a075c31afdf80a897a84ee167bfc6fbcf5bd6fd3f213acc93ea9e05adbc597c9f514f48d449c373654d965ecffc0e2d10d56602b20ed3d7a7bcdea912aa3dd

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
6785981833c870d0f1d24654d22debcd

SHA1
41eefa2d1cea9f1b68b380b2b387e70bc3afe8b1

SHA256
6dd7b0aa75f629fd84db4f05f1fbff724db38ebab4c0052ddd0905e4b7fe69f0

SHA512
399f400c96a8daff6867c8fcd79620f2f339849ea1130947895dc732fac030da6b51cec0bd3d99d27a01e2178437ab32fced168a9d60400a980bef89fd777b0d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
5KB

MD5
446c623fdf0b7984057eaeff66bb355c

SHA1
3e77cff39f0d158c7d612159ca00cfe83f1fbc27

SHA256
6c64bb5103eb595a728df79474a0f225bd3f808cb49ef88ccb32001206021941

SHA512
11ec9ea534aed52af3a050503419ddc27f95f94f29d2801d0da738164252a1f05c4a3dbeb774297052972023949d6685c26d5c23b950a38b4941231a23ebc2cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf.new

Filesize
5KB

MD5
2d81bfd7f83184342eef24ca69762e53

SHA1
508e8df37e781ef7e1fd46af8074292aa97d720f

SHA256
6a132bf03a1cc0917b38d379eb3760650e324f4fe6035e558b61ee309ada485a

SHA512
090d698c8a4afb72744965c8d4c8b0ef9cc681dee43422b91b97ef8c367a0b9bf400109ed37f18b5726202df3c15276591f8055f1090a4e58e440b978826ddc6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf.new

Filesize
1KB

MD5
4e26538344ff4872b34cf9db583d45cc

SHA1
b8502040b5e06f828276114e0230268503b5adb1

SHA256
0c7bd6e2216261314cc4bd49c8d27a865f6f003ddf2717cda3691d3bae776bb2

SHA512
f27fa4c366798dbec229ee60f0e7a64e97113b760380ec7c82d273d09917c6f7165fddaa3276c4d76a9ef7bd4402bbd2c1e7405f05e5927a724b0b4a498f9603

Download Submit
C:\Users\Admin\Downloads\AnyDesk.exe

Filesize
5.4MB

MD5
375458b10e0675af170867c24f8919a6

SHA1
ce09a075c397ab3c0a3f77edf193067912c98c98

SHA256
d491cba96d705dc81d5fdf190d83c1b7409337e12c81a611339b5a0276b14528

SHA512
e0266e8f82eeae0c9d2bffd9b17c1f3977c7557b16f5a86a69757863faa1798a80045a76efb224bf03a0cd34c6631751da04d844d71fc5653743007333ae0435

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 936396.crdownload

Filesize
5.4MB

MD5
dab1fb4881d585c451aed304deedf80f

SHA1
ebb485757200281688e18b1c8fa7580cf2ca6744

SHA256
57d79e849cb9a983e68aab9f9205f0139c4dad9693aab802a6d543bd587b154b

SHA512
ad77c6e8b251359aaa7b70f611d485fdca2de85eef2c13f5e405d6900af7f3bae1933ef1a3afd77f3e8e76bebb66858aa69fc735d22dea7e7ca6716a0e05d26d

Download Submit
C:\Users\Admin\Downloads\XClient.exe

Filesize
61KB

MD5
339b67a7a15cd124777ed0697f7f934f

SHA1
0b4a63a61e95c1846a53cf165036369db1d132fa

SHA256
669a40943e33924ac23639f4855e8c81d9bb9db29ce6b1525c0eeedb75a3c997

SHA512
e2649fb8ec5212752d06f98e5e5907b12b2ee28fcbd2a5f643b35c0bd5567323eb04d77414d29b4f4b82d9478b4cd55b42691e3a11e6f243af2bdb573377bc0a

Download Submit
memory/2424-223-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/2424-1450-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/2424-1595-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/3520-369-0x0000000005A60000-0x0000000005A7B000-memory.dmp

Filesize
108KB

Download
memory/3520-1594-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/3520-221-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/3520-373-0x0000000005A60000-0x0000000005A7B000-memory.dmp

Filesize
108KB

Download
memory/3520-372-0x0000000005A60000-0x0000000005A7B000-memory.dmp

Filesize
108KB

Download
memory/3520-1449-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/5484-107-0x0000000000340000-0x00000000008B8000-memory.dmp

Filesize
5.5MB

Download
memory/5648-1592-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/5648-1453-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/5648-1052-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/5648-144-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/5692-130-0x00000000005C0000-0x00000000005D6000-memory.dmp

Filesize
88KB

Download
memory/5852-1428-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/5852-1593-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download
memory/5852-151-0x0000000000550000-0x0000000001C70000-memory.dmp

Filesize
23.1MB

Download