xworm | hxxps://gofile[.]io/d/ijrhzN

Analysis

max time kernel
210s
max time network
211s
platform
windows11-21h2_x64
resource
win11-20250217-en
resource tags

arch:x64arch:x86image:win11-20250217-enlocale:en-usos:windows11-21h2-x64system
submitted
28/02/2025, 22:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/ijrhzN

Score

10^/10

xworm defense_evasion discovery execution ransomware rat trojan

Malware Config

Extracted

Family

xworm

194.59.30.29:7000

Attributes

install_file
USB.exe
telegram
https://api.telegram.org/bot7536152436:AAGG2hVlR16lwWms-OeRk5OXZ6BXJtq73lM/sendMessage?chat_id=7773294550

Signatures

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001900000002aeb4-122.dat	family_xworm
behavioral1/memory/2816-132-0x0000000000110000-0x0000000000126000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
756	powershell.exe
5676	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
18	2076	msedge.exe

Executes dropped EXE 5 IoCs

pid	Process
2324	Output.exe
1500	AnyDesk.exe
2816	XClient.exe
4600	AnyDesk.exe
4344	AnyDesk.exe

Loads dropped DLL 2 IoCs

pid	Process
4344	AnyDesk.exe
4600	AnyDesk.exe

Drops desktop.ini file(s) 16 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Favorites\Links\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Pictures\Saved Pictures\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Saved Games\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Documents\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Favorites\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Pictures\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Pictures\Camera Roll\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	XClient.exe
File opened for modification	F:\$RECYCLE.BIN\S-1-5-21-2250935964-4080446702-2776729278-1000\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Downloads\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\OneDrive\desktop.ini	XClient.exe
File opened for modification	C:\Users\Admin\Searches\desktop.ini	XClient.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2250935964-4080446702-2776729278-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\XBackground.bmp"	XClient.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Output.exe:Zone.Identifier	msedge.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AnyDesk.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	AnyDesk.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AnyDesk.exe

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 265633.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Output.exe:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2076	msedge.exe
2076	msedge.exe
412	msedge.exe
412	msedge.exe
400	msedge.exe
400	msedge.exe
1148	identity_helper.exe
1148	identity_helper.exe
1568	msedge.exe
1568	msedge.exe
756	powershell.exe
756	powershell.exe
756	powershell.exe
756	powershell.exe
5676	powershell.exe
5676	powershell.exe
5676	powershell.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
2796	msedge.exe
3052	chrome.exe
3052	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 13 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	XClient.exe
Token: SeDebugPrivilege	756	powershell.exe
Token: SeDebugPrivilege	5676	powershell.exe
Token: SeDebugPrivilege	2816	XClient.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe
Token: SeShutdownPrivilege	3052	chrome.exe
Token: SeCreatePagefilePrivilege	3052	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of SendNotifyMessage 31 IoCs

pid	Process
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
412	msedge.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
4344	AnyDesk.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe
3052	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 412 wrote to memory of 4232	412	msedge.exe	81
PID 412 wrote to memory of 4232	412	msedge.exe	81
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 4684	412	msedge.exe	82
PID 412 wrote to memory of 2076	412	msedge.exe	83
PID 412 wrote to memory of 2076	412	msedge.exe	83
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84
PID 412 wrote to memory of 3732	412	msedge.exe	84

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/ijrhzN
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3f313cb8,0x7ffb3f313cc8,0x7ffb3f313cd8
  2⤵
  PID:4232
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1944 /prefetch:2
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:2076
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2624 /prefetch:8
  2⤵
  PID:3732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:3632
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4472 /prefetch:1
  2⤵
  PID:568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5396 /prefetch:1
  2⤵
  PID:4720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5772 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  PID:3928
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6116 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6248 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:1568
- C:\Users\Admin\Downloads\Output.exe
  "C:\Users\Admin\Downloads\Output.exe"
  2⤵
  - Executes dropped EXE
  PID:2324
- - C:\Users\Admin\AppData\Local\AnyDesk.exe
    "C:\Users\Admin\AppData\Local\AnyDesk.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1500
  - - C:\Users\Admin\AppData\Local\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\AnyDesk.exe" --local-service
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:4600
  - - C:\Users\Admin\AppData\Local\AnyDesk.exe
      "C:\Users\Admin\AppData\Local\AnyDesk.exe" --local-control
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Checks processor information in registry
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      PID:4344
- - C:\Users\Admin\AppData\Local\XClient.exe
    "C:\Users\Admin\AppData\Local\XClient.exe"
    3⤵
    - Executes dropped EXE
    - Drops desktop.ini file(s)
    - Sets desktop wallpaper using registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:756
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'XClient.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5676
  - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\Desktop\How To Decrypt My Files.html
      4⤵
      PID:5296
    - - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x120,0x124,0x128,0xfc,0x12c,0x7ffb3f313cb8,0x7ffb3f313cc8,0x7ffb3f313cd8
        5⤵
        
        PID:5304
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5708 /prefetch:1
  2⤵
  PID:5256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1920,2526782755119662392,17018093574655451581,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1120 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2796

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\WriteUnblock.cmd" "
1⤵
PID:4460

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004D4
1⤵
PID:5580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7ffb4796cc40,0x7ffb4796cc4c,0x7ffb4796cc58
  2⤵
  PID:3404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1928,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=1916 /prefetch:2
  2⤵
  PID:5536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1796,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2068 /prefetch:3
  2⤵
  PID:2316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2212,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=2228 /prefetch:8
  2⤵
  PID:5700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3088,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3228 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3200,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:4676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4384,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=3652 /prefetch:1
  2⤵
  PID:576
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4556,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4380 /prefetch:8
  2⤵
  PID:2448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4548,i,1433039596633909685,17612484180388098952,262144 --variations-seed-version=20250216-180425.389000 --mojo-platform-channel-handle=4676 /prefetch:8
  2⤵
  PID:4924

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:5856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AnyDesk.exe

Filesize
5.4MB

MD5
375458b10e0675af170867c24f8919a6

SHA1
ce09a075c397ab3c0a3f77edf193067912c98c98

SHA256
d491cba96d705dc81d5fdf190d83c1b7409337e12c81a611339b5a0276b14528

SHA512
e0266e8f82eeae0c9d2bffd9b17c1f3977c7557b16f5a86a69757863faa1798a80045a76efb224bf03a0cd34c6631751da04d844d71fc5653743007333ae0435

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
124KB

MD5
a6ef8459f4fbe3ce04abc5845f403fae

SHA1
ab952ef22406e9c69a3bdd3e92ec589a4fb29f35

SHA256
e95ad00da92d37778761e82191ff4fc2a3f7cba349b8d62e3b6a41bff025a3be

SHA512
7989c867dc14a4ab98f612f0c02be5146724b281e241e254585448f7da7db40d52f62634107fbbff589988be6ca301b4c52a54df11b71befc73189c7780432e6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fe68444a298dfe7ce3afb15e1e04dc2d

SHA1
ce8500b8bc9f8033bf5f6b28174d04852e996cde

SHA256
4fa17fcbb66e9306869abf881cf02c7b890bd34c34852c8a8f0e276bab375ba0

SHA512
ed3aec46de266977a45e00363f3e258e53e9763fd5304861d2a7582344f6364f9dba20d5a13e6c2eee42e6bb875eec2f3e900f45cc64bf911e7055008c2374c4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
648295913e8e74a91d84a0bd6dfa0efe

SHA1
e42c17ec7e237fa16204bd204ba0d47c2e7aa057

SHA256
3f46ccf49be312c1e7b3cd94ff1d27970975d6a80e052769daf31c772adb260c

SHA512
6e3f03fade65388ad14c2443300f79d028986a7863d32ad731a3b1aef4bc4937e7cb150c814947befdf4d2a8510f70368ad35621ae854b9037e46488df7423e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
53a564bed5677e302559be711903f1e1

SHA1
2dbde535c8974f38bbf25e9f6bf833224e8d47a7

SHA256
5ff954e8388a2ff060daf7fe966fd8e52591af6d4c40af00b43845275df1ed13

SHA512
f58bd746e6c422bf1386abe898f07b44db9e6be8e3e825ca34a99ffb61077957ae691357fecad50e819179df87da6f95552544dfc3aa1fd1cbe04d364d36813c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
392B

MD5
71b25a6d5973ba42f1aa3c505d982948

SHA1
edff6d43f424a68d6b404f5699c9c7c28f2c1c3a

SHA256
2c848762cb1b13e77a6bdf806b1bbdb1844ee7e5cc60074235789a1803b04988

SHA512
973bc19a0bb2291075229b14b8057fdfbf058bbe4a1d0fb33bf139c2c2b55360e834b5f4c359d51b5937bed81898280b988fb95684da5a95fee8e3e2b95366e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7b7f4f91e2c0fc81eb0d16fc07275bff

SHA1
b447895002f65015c2c55043e0cbd1d3cc1f9b78

SHA256
c3089b093752475be7a019ac07b31b024e003d593dae2f991ee3a4bc6fbc81ac

SHA512
426b2ef94ab29908d4020d8e6f46766f0d6da47f6f721c883d53e144fb4a9b8ee65812176dafca7443d6c365e47eed33c30dbc88d05fcb8fcc543ffbfa37a03d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
cf0bd1fef8a0b0478337617fcb4fa4f4

SHA1
b5537d1bfd8f90494bdab8d0868bc5ea1100ec81

SHA256
c94bbe6877444c382ded2594ff9d44241f4398873970054a1048f315219dcb69

SHA512
1e7aaca374c1598fbab5189c98e4c8a82a294a9aa1060a3ee3c650e9164b3751a32e0b4b3d0abb50e5d6c7a45ae5ac60adbd390f53cbeb64aa0b991b331bcc2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
82926e12c0ec1821b2409ccfcbe5f193

SHA1
f488249da106a2eafba4019d982e22afd60bf97a

SHA256
7a3106ad67df866d6f46bf849091cde6cc8089a0c7d126d65a0c117255576ac9

SHA512
20507f7adac1ca059b89c117f28d496d12d53e062fefee334485e319245f6f5c04ac901fabd37102f71d93ab0362ec3da1b48d14103e920de610d28449f307b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68fbbf5e8a23420917f48c2424bd56d2

SHA1
08e3e8990094b57dbd834c8c0a889f496e63370c

SHA256
00615dee8a4a729ade2bbc0022625efdde9ab9d137d4cfd5cd2c36ac29bffdbc

SHA512
c0f8c778b9541be7ac21775899dc28996625c5c7b2080549e4d35cf7bc0cc6d9034dab549b28937366067a1d203791dddafb3415bd9b171647630776b003db20

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
c83c36eb1ce1f668b162723e8d1c71ed

SHA1
262d2d2d5bd8aec6bc920ebdcc16d7874634053f

SHA256
098f5a442f1e997892c7900344073532f319abf380e24cfc4d265bb812420d43

SHA512
8109398b76f9d0987e13faf209b0a9353ecc4eeff4b4b47a28535ac80da9194b6e7501a5079e3efb5796715f255f5553cc7fb557bcd9bfe6dc5ebc22740f3493

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
b76c7b9b83bb8aba6f6e1132c56560ed

SHA1
d5655d9f32bb2fcc19739820ee369848ebf6f2ee

SHA256
99a9d7889e6b325af892703b3d0567efed48e858928c90bd75c3a5b728b4bd93

SHA512
87cb30ddcd7f77e806a3882cb9778be185f85aab2798d0c2d06938c636e4de694ab49fb8e417b714f77ea0b7409bc7224b566bd259f7fab71d371a74571e64c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
1a9fa92a4f2e2ec9e244d43a6a4f8fb9

SHA1
9910190edfaccece1dfcc1d92e357772f5dae8f7

SHA256
0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

SHA512
5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_c1vyglpy.n1z.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\XClient.exe

Filesize
61KB

MD5
71e29295d79a4eec97d0b1cd825174e2

SHA1
8a66754607bc4aab68a16f0c21d8b2c1f30758fb

SHA256
72208cd4f4a002d9c091ec3133e170798b75dca13aa8410f656bc48f0e76f4e3

SHA512
1ff548a0372ad5a31aafb84c3a582fe757c8d20112a4c38668945d6d8692ca7b9569bce1d6c858d3eef77cbc2f5abad22b591a389e5fb5fe4e053940f580ea74

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
6KB

MD5
b7d53a249ad67a86be03222db3eaec94

SHA1
4843f9110e4e58cd290567442bb3ba56d88e00d4

SHA256
2243c0fde819704af1f62e944d90f1ce14cedd0af7896186a2f1200675e18e8a

SHA512
6f262301d2e0a55054f957471eba45f06056cd6e9aa9d81ef217c3546d02e7a9597f21cc44e5e3832e382033693fb058e0414ab314027c58ded4d0fbf438ffca

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

Filesize
9KB

MD5
aab49830b85b7c63bc95e8b5b1a95476

SHA1
6a958ddb5b70d00e4b6c4bb155f6c9e3c792cb04

SHA256
589e9c8296f93a37204441d66ff97a09ef3443233042bc6a4b8275de0087b334

SHA512
9b4534b89f82f9663098bfa6b035a151e14650a84ee02a6e757b00d5724113499a1cc64121e758fdd723f80b44fb37d46c202b83c9f3ece86421137b51eb58df

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

Filesize
2KB

MD5
84ec7da61770138cc99962b4ea7b30aa

SHA1
de4e691dc5db5578c0ad722252918d8cbd93e588

SHA256
44b158c2dacaac042db63222f6f68a3e490561497076463b9472310f99bc77af

SHA512
8f04123480b1023f55e7c56f6035c450cccba8e3a45f9c66cdc043b3f766b1879af943b0ca4e5a0bc36719c211aaf974f22814fb11cfa674291477c987694076

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
312B

MD5
0c04ad1083dc5c7c45e3ee2cd344ae38

SHA1
f1cf190f8ca93000e56d49732e9e827e2554c46f

SHA256
6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

SHA512
6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
f17f3780eb5a7501aabf11e921ee0699

SHA1
b1994e10b09585d03e67dd2475de0aef555c3b34

SHA256
b3ba30798b27c1c12c07aea67a8f886669ba62fad073b05d3220dab98907ea35

SHA512
b7d7b4158fdb9b8d5dfc2fd0fc4fa1bbe7186e2f1ee5689d483463d4389c90a4e09db81556d0cc93e745f92ba2bcb0712e05b753bb4bdb133c3c256fb015e0bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
cec4bad20faa0ba8160fea645db7ed6d

SHA1
bf18eb9bad325d803587393430f17ef5e52fce5c

SHA256
7eadf850c91fc70d3ec9d8b04e2ad7e2668b97058fce80dc0be778143c1f1bac

SHA512
01a437900c4446e8a420b07ae046c870ab62175abb508cebe5c393084a6ee6d04919ea23340c69d88a1a5f93b03d4e9488de58ef71a7b32a73e33697f6d925d2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
5698eaabab70c9575c00c07ba30d299c

SHA1
50107b9f2d0bf8b0bbfd0dbd053eb6fa65a0a9a8

SHA256
bfbae4361bbeac453186c13e5a570ca695f93ddc3aa2c4fc2ef732c12a7fed7f

SHA512
18caf2d3c7f60d6d3e4a56b980fabdb3358cfb95784f355ea6a2b2468fb7d94be968b2f6fd85a09e49b28194210256fc955ffa8d6168421018374d25e31a2d09

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
745B

MD5
77d3ee092ebf10df911b32dbb5be90f3

SHA1
52467cb0fa0e33aaba0719e35464eb50ce12279d

SHA256
6089d55c18a37c4543e7252d72cf00b3262e8ff4e37cb36f99bf5923624e56be

SHA512
bed398f82c6a1d38e17605809ffba7fa13e53b1c6c4a60fc4e353af85ddbadec55ffd3adaa2102c73ca8b65c0681a96856b4dccf9d1709c59219193df604f26f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
832B

MD5
b83ce3540e6d50c1d2e3e388b8952383

SHA1
41ed10d59457b53d8d511eaec2090821a33b60b2

SHA256
5aae64ee8317fc0cc2ed2650e083daf18be2092939acf7fcb43d05a0ce2d6cdb

SHA512
921f282350514ff3340193471a28c5172ce356acc02c6d7fa0a9c7c9e402b2cc78921a4b7d4b022ac6b044e9d80c515662193e800b76d675a30ac94f1255e583

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
556B

MD5
ee7f8d3e59f8f6ebbe2b3d796c6369b2

SHA1
3157dd13ddb71620e6dc4a0ccbbce65bab5cec0b

SHA256
4354c580aa6523c6557b49cca20e53bc3005389e9f7632d8a2b7195b2dc153bd

SHA512
e27c5881bc609541a40c598e39432a8e3cfc908c0da5a718f368d43bc7dac3280d9f4488cc31a6bf8ba8ee0400e4a094ee72b287d0eaf4356734069ede02d440

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
573B

MD5
5bc523cd96b22411b66ec2e3b9937286

SHA1
1c1784f08c4de8a310a5d8fbfde81147698a8691

SHA256
ac513e4f5f9e2e347d5949f75fb7dbd3670ccb0f96182fad205c0d334713c025

SHA512
9b62182f437434c63fdfa9e9567eb1b0f2ff8caee7a298dce15caf7e3ef666dd3f1b75abc5ea720cad475a6a8d7cc3d4278d64674429da2151142c7ab53c03bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
468B

MD5
08545ddb8c8d17b2bf64cd3bdabb53ae

SHA1
33dc87aaea58e8a2ad8ad63092bac355af28cc24

SHA256
46395699eed9dd8031680b4fb6456680ce63bec221c1904e3c43330cd614d276

SHA512
8af83b67829933aa3f626b6d78c8dc65bda401ba0a9440239758ac692beeeef09a6f35319d4186a650248c714b904517393571524ef929541156f994e38344dc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
622B

MD5
e6e8e0805aadd993fcac42777bb3b7ae

SHA1
3d8ed49e36e2df2f6aafd8c173dc4f4eb41b7e4d

SHA256
8351bb4dfbe3ab560cb21ce3497f42b842c902a2a6433006fc3c9df5698a9d1b

SHA512
2c39a4079fb4c2ae0696db12f63c809aef0f89c488bfd7e024a1a4ee86d6b3f9e56c3af839d610293a4f9f1d4494eff3161c308a2420873114f41c18f50896a5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
676B

MD5
4a8cabb19c0c0a8328423a12cbb5d7ca

SHA1
668ddfb6e402e90ec0992ce221583df47bf96857

SHA256
046c1034a759b5283f0ab6e5a729cbbe58597d3bde172e3728a46dd7179424f9

SHA512
35378d7bda2e07aba05c74baeb30557b40ebc91ebd4d4cd5b5f1df049650a901ef8d2aebddbbab71d375e5b64ab306b2de3c79c9f79c8e2880272412e6faf8eb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
532B

MD5
69d9a79996d32d8368edab7399f00e8b

SHA1
6be34d5d91c52d3319b07e3b562b0d5a90fa1998

SHA256
96d9f96c4af613c6f4744efdcef146d485253aafa527fb73a4969cc3a392dc05

SHA512
f4c2140e13cb223edf3ac57130d13cfaf5ca928828a5cba6986969151a564a7ae8f9109a807acc33fbf5f986bcf269550b3539ac56b5a3d77b87345e4353a2cf

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
823B

MD5
c3e6d8f1c0b758045fdab6e73cf1f4b5

SHA1
b2e84d26415450c89656420d0a6f4383baef974a

SHA256
5afd27dd386b1f773eb1c5ea9c0d24513f144ec9d51893cc9690789a33d1dd77

SHA512
4ad227b3eb1a3b694cf9d752206d368f93098737658c8a9155816e43afcea1a156b039de137d750d586485f40eee820c467863630f2c5da9e7343f1e9f6c3da4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
642B

MD5
0262bfd39d2c0c9e5706719ff6444585

SHA1
c7e89f6373842785b92a321f29589fccad7eb582

SHA256
e8fe089a1864d6b407a8ba6b0ccc13c6681735040130f724fd6566169750178b

SHA512
a8447f52fadd7663920ee340f4ba80f7d65a375d8cf3675a353679c0ed6b01d87cd28665b0dbec8db66b0d637c92a1e77a529f6b855468cf5ab86c8fed3e8736

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

Filesize
766B

MD5
f2fa876520bfff5712586208f53ee9d2

SHA1
967f1937390ab1f8a01cc5654db1c6597db8f71d

SHA256
40c7ae7685cd829b5dd1dbc9a82d44feb5a8e310ab550bbb1d9658fb87f32d87

SHA512
38de74d8fe38eaf625e48b1b13e29e522429f477150128157ebcf619915918f5fc94a7d6c4b7e5f8b4c266b8b7dfb7a1377c123b594dd0f0aa10c6eb11480dfa

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
55B

MD5
c8a841061294ea55fdecc38bf146d3eb

SHA1
04d399d1dbb5abc75fe30c51620073d1d5488e95

SHA256
092a32d6b155ab8b5aaac22079646a7614f0c71643256f93d5c5fd1f2c73a36d

SHA512
a1a0c5072de41be3f95bd8c9e5ec0162e490b7ea07b191fa9a4936b8a47d08e13788991a05a2b5ebc54cf3b39db79aba9ce1e2a74d89b444cc2b183f4be53d94

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
b34fc2e511d5713c7db1b42431454662

SHA1
3bc3385b107a96223a70fc56c904a4c4dba76057

SHA256
f3768176917c0d1f26f2ae1dd0f3af7130689e93492419a0dde171e2a21defe9

SHA512
caaac13ab7ddc9f8dd27a5cff046acaf8970ffcfadc5ecf83d7507deb94bf6ce5a583c43997276f5a8cce5243e48bab497182180ec5eda5f9c5c7709e165537e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
82fcb22a74dabfd5d74166e71a441d36

SHA1
d411f26a550858a2b911d07f422082f295c8f8d4

SHA256
7fb47ba32efa512b2eb6baa9a4c45b550a9a6bca572b23ab4544c51263526727

SHA512
d21bf1423c0bbf1b9933d0ee195123d048257adc557dc4aa4044de7c2c23740b3aa1e635fc846e97a5f0f6030219734efc7ff31003fd42c616c937e39df04923

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3e26618e1d5e6aa271ec5bdf669bc430

SHA1
1d3f8b94322ae60481ba55332055bb5afce7f4a6

SHA256
e3286975bb3f382568fe0e8933e5322d8270bab03c0437c5703865e1f2cd75aa

SHA512
c08121be22a199b933e6bce9823d5983d119dd3733d8f9a5bb45f282d9b2f067c85430dc84b84f9fa2488539f9af746aeb80c3f97463ff965839972f1a7b8bd5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
db08464691a4cb93e0cd61be5d24ad6c

SHA1
1aa3431a849f09a949d3e7246b402b518d9db51d

SHA256
0a4e306633e489df74b1a19a938e8c75775238a0d47195ec621a16ba4186c0ea

SHA512
fce9ffb682d30740e2723a8968df762258bd66a5fb33aa961e40e79fde1ea4652b6db96a57f4ff9ad8e3a1c4c4934ab2f529e156507c3d7560b630a4fcb90254

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
e6dc54c756ea3ceaa1365b8e73580373

SHA1
a7174f4f3f897ab70b805a02447dacd848b9d78c

SHA256
8c0b3bb83ed04120e0de6dd5e9485f7fbfc8cd12246f5ee38f25ec112038e115

SHA512
f92f8568fe8943f135f53bbddf5a2cd3af4992e5095feb36bbedf6ec35fa7a0f9462fcefecf83894a862e272518149a2f4c50f198c796b340670174f69717f78

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9689146cfbdf89b36380fbaab1595fab

SHA1
3256fc5d5f6f29935bf296b916d3d77f90ba7991

SHA256
efb6a020a19e709ff306b438af56412b3436a7f2df0ff5be2a5a5fd26ee2ea90

SHA512
2ef9915b2921ca3dbf3f4a207fb559a4480549fc655b4d1163ae2d1f0eb5f953baf585f45e5916cbda802de919a644f6867c9c16615ece3fcf061039605e1fd0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
504756fac7d8c183ef882191b409b908

SHA1
56d93e30aee33a2453c7926cd89a5b3c3c04bfce

SHA256
74947db39e6b96b2d2c310bb3e458dc144117824d2a9de52eedab8068f161eb7

SHA512
1da9cfdfac990122a1c510cbd1f6500a9600611e282ff431b373b7f6f683346e2096dee6623967c66fd76d16ff8a9900aa0dc6096ee58294494c568b7b0c8785

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
d98795c336f0a7a9d2eac731deddea1d

SHA1
89df22998b47d2a735b2c1451ea1c2a668ffd23c

SHA256
c71aa40dd708935aeb5dd655feb386e4606a94189ac6fa1a5ff9f186ae908733

SHA512
6aa937025b24377b55bc8119be52910995f0da91097c28f7e58da4d5517491d7349a22a14099733cea136001ff31a46080b2981129798804519101dc7bce67f1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ddb16037a4038ca82be64f923d193b5b

SHA1
4015086d1de9368a4b76a2b0c8538d72ea1dc604

SHA256
8fb02acce908366f9177b440e6900694de1e8deb52695ef85ea93122044a36bd

SHA512
ac37fdf4c19035b932a4905415feabd16cbf78f3e9e6779112c80e8fab96d0253cb5fa5da024d0979129b4117c20d66ae8439620e6c1087ef243371d4e76d5e4

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
cdc060d613c02eccfeea8bd6aacb873a

SHA1
3ab518529fc421a1ffe27c7ef99463e82a7253c0

SHA256
00c83dc03f1a18d276bee68f83f178d1148d7467a5401f38e4a501a7d9bed7f0

SHA512
5195cf08cf3daa135ca16d7ff90ebb70ffc311ddc6f0aec58429e0fe8c24e8b7d6422782b82e3aac533f1d082f9dbe0c3caa597267bc14d1fb54ed237ef25dc6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1e11d65a64c037ae024d51b373718c4b

SHA1
ab02e0f6a2868adfdafdad41b2c02c4b461f92d8

SHA256
2a7eddef4faa4e9d9a0cdb93a8f46bcd509d411d889fac4c84ba965ef0c4f410

SHA512
b2088df2469742350da37e7ca67351924b43d33e4f5c0042a8c0b360f4b1c1707815c7e353b8dc33b8c1a6890f179411723c8f75c0bc22b8fdbc991831301812

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
59d0b9000b6a05f48cafc3e4677387ae

SHA1
27366fc24611b7d2cc597ebd2e05484d9ad25ad1

SHA256
cdaec956dafe7c1759bd5fae1ce3d8d0fe7ebc264dfc81f130db7f7acbfe6984

SHA512
3d0626006ec6304ee59814db8e7ef5bc347f19ca2a491a783d3fdcc40f52c2677d2eaea263c8e8a50590762554917f848ec9a1499427ed839ad062cb7b323c87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9d2017ae91a93eb1c8aafa7a20ab7bf4

SHA1
a74af2bd3367fb76899ca057b39a3f689993b05e

SHA256
5ffd76a190d48fae916a666b5e5da9aabbadab6b41f54aa0cddd1006f7ea4a56

SHA512
017f02edb5cbcd072563e029540f158cf433c744dbe7a72637b13eef9772c827a55a86524117a6af4d36985f6bed5a2b9c725f4f9f35a8530c6cbdeb697cde3c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
f4d814b97b77c53caa2debc36d75c61e

SHA1
6bc1ae390c6d64c00ea387432b484e09b51a6b6a

SHA256
a870687a7c3fac77fbd6553be0081cf77b56e25999400f7a5df841ed0439fe77

SHA512
3e88e9b6d5510459f6e1addb115b99a3c6e1c146977d62656d28d2aab3b8c3ebf1961f99d292b56c5d681abaaed3506c3f0bbff3462181df9628332f99d73b38

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
055552bb1737459cf422f7518c6a75bf

SHA1
b9fe4e8c2bd718f435b95eda571b04311a516a59

SHA256
0d7505be061a78b403a8ad84c1fcee64af0235f56ed1aab8ecc9685e5f79f7ac

SHA512
34c9263627f8ee3641703da94486136e3efd112cbc5bd9aafc9181e8a7da09903be0fef7dadb494f8f268392e4f517a37d43e5a70cd8975ba922cecad01b6556

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
0eadd9e7f68e777b93d80336aa100e1f

SHA1
bb30656ec967dabe81978af44242287675894d79

SHA256
dfa14080e2fcebb3107de8116025af3685e54321dcd039d10bb40084b136a1fe

SHA512
398fb6b62d836ba74432c604357d9d3f06e6178cbf7132e5927b63f3526465b517288dbfc4bb6912bd90f7ac174fd11a30443f3ca44089f2ba97e21261bd0cd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
41B

MD5
a787c308bd30d6d844e711d7579be552

SHA1
473520be4ea56333d11a7a3ff339ddcadfe77791

SHA256
8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440

SHA512
da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
e932dbab8b5d00952d95794e0acf9c24

SHA1
c79e23551801dbc9d45c820ceb32310ccfda92be

SHA256
4bc8f3a6fa54a86f2213e5459a32c854ca7775dd9800ede71c728d41263d5aec

SHA512
12b4b2b676c6d9f47edf6875660c60f72a03c4eff85c005b1cbcc6a5c318148fdc03dabc60975aa8f19a05cda7980fd2de6642b891f179754ce230d52f959cf6

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
9c556eb5e26a330c6886a6678c9975f6

SHA1
9b441a2e0deb94811330b361386efc75b4c26cd9

SHA256
1c7746a2e90523a23eacd0b72e99699586e78ab75d9f7624cd79cf16a0843903

SHA512
4e75d27943bf0545f06983f0fb8e8fe925b39e9fc25ad185b1119d75036744372cd69b9029e082e8d0a41e6e0dd48a303b59143a8773b24029f669bbc679d843

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
1eab80dc01dae552cac02a0e7bab0fca

SHA1
00320150a6acb5a2af775849d8cf04d33e236fa0

SHA256
0fafe2dca67c7f869e55555eecb110a1d68d29c3792cf68b719f171794268818

SHA512
b830217fde29b5f132ae072aa8888f285712dd02cb331ee3d39299184bee2d020bb6d9026974d4721ad9c544a350cd4bb0823c5ca12c7816dc6bb272566137f9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
3f99d89603c8790736351aac4d3b21c1

SHA1
87e0b9a1488dc11cc386260becf5428a820c3221

SHA256
0d0ba0ad2013e13e4df60b86318b7a9969502e3a038b98753374ba462c843908

SHA512
b157a8b68da065fc7651858b538760ee680a3a299e1ca3b3ae2a2212e69ece16ad528ca63068997c31a03a37fd5184c56159a198ac71aeacd0332b6057c3f6d8

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
418179b0fe58bc508b62d2674d7404cb

SHA1
55d69ea9c502270b4ca44537fd539bd6029cbc69

SHA256
c3d7d59496d266e26c7fffcb250294bba8a93ec030079bae701beedf24e20335

SHA512
2ae2c209c1112c96d914116d92382752a7bcdeb5b3af5b167d01d171c1d5b7e47b3f4b9a2202f30a7546e1538cb59fc6ae9080073581b80f111724a2cd6c908c

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
35799132ae9e485f2517cd419640ce85

SHA1
9b3dc98cde321e5fdc5178b37806d5667b80c0cf

SHA256
5b3d3e40aa7f2f8c86213ab983c882a9f419b1ff62fdf3665dfbb0402c149a7c

SHA512
544dad7ed1fa62241ff738d41b564a341a6c00f915a866fc83ea5785d0e966ce812347286c861ec89f0b9e6705a2569591c118001c0f3a817096448cb3508c0b

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
79d40630eddd2629dca2c7e35942ab69

SHA1
37cbd89b7130024b89a7d15a59cb9520212558d3

SHA256
fb45db10c2169f62b628fade29169d41d51fccb5343fea642691b731657e191b

SHA512
d4c440be3c1551f702a2cc81ff29452f6047c7e3cdcaef6d9114a2aa117657a04f2a0d22b56beaa03ccb68b09fe9bf29bec083ecdb7b6eaedfd4224cf900c43d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
712579acc4c69ef0eb1750389b480063

SHA1
b38cd5c44ad19595d08172cfaea1826cf05d7955

SHA256
d2f7817060f1d6d4d04e549bcd899f232139f1302bc33cafaa66b57a3cd3c70c

SHA512
28a40a1f5a723066a180e193ce456a85c69f376f13fd95b4286e1ebc6412d3969f8a8ba4f87b5e8367d7c5bcc1bec3f4fa173b42c45cd7b6bd60d6679e0256a9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
787fd6bebea7a2c9647f09b76b26ac8e

SHA1
b6be33d790a7f85f96dafbf4b8082f30e6dcc887

SHA256
19ff14b38cfd16394d6e1bbbd7419b9d30ea123d8a2c3cfae34e481d860c2ec9

SHA512
3d0c5a3f59e75d618ca71b87129ce1c03ac5d7bd1da415a1bd14cf2bef3fdd33479bba9fb46aace33d8bd5356548f2f4de7d753049a702da5c5ab82329f794c5

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
35fafa0d35e2fb6cd8a209e94e40fa8a

SHA1
f56f4f7a54fe0e1701d473bc2e9eb682fa531385

SHA256
6537a51d45e1d49b244be004d9876c1221131d4c4d8cfaff04ecebbb119961b3

SHA512
34c92bae1ab9783aa6ebe1d2e55ac608753184483e092366591b239a261350e776b296f6fd812f6027631554e5c33b4acfc105785d4d3d2f3d6d3cb551d978bc

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
4c10404eb906fb08b31084da4275f171

SHA1
29a7f6e836b9f69cb8ecfad73e43d91f329e71f0

SHA256
ce8501799db103255a6089a8be5dd9551cf57939d162d9648394ef7b7bd90225

SHA512
66fa6a79f5ee9990e555a82c9213960e9890d4129d81ad0b524b64d660633d102e89ee9887733ac68ab7898eefa23c85a10914b001de2a07ace472dfb350dcd0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
ec913bec5c85289e4c7feb4b6f82a29e

SHA1
f6fed35b5eb824529e319594f6cdf077b0c8ef9d

SHA256
b1fb391a00d2cd1520106bd21e38c987919b4e14f120fe928a11815425f1aebd

SHA512
274ed8e64414e9031fbd33b5d6eae7c09ea0e5f56fdd702b8caac8159e6fa9cec62f1ebe29743290b6a4a14b7e9a7c591470c8a35619e5737d65a5065483188d

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
28b897e4a0837e2c4818abf202d46386

SHA1
da20ec66c6d2c961cab21adc607f80de2fcd0afb

SHA256
bf8f510b02de0c815237f6b237d459456be42e0da30a0d176388580718e6a82f

SHA512
e8e3de2c7b30dd885d56b20872fcc22a83462afd2273919a4ad74bd768f7ba1db5fb490f7f87e84a88c4dbc75a594f222aa9578439176df8378d4f5669cce805

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
9ab5f49d75f58fe77e4f71a0809ee4b0

SHA1
f41a946b6885f2f7f1c69763f116de365cbba63d

SHA256
fade3ea580e114a79844d73e37b815def1944685e0fbcbc5be688114865865bf

SHA512
114b02609f7ef0c0fb8726c5f475bb1beee2b763dea5acdc80f208c0b23791ef262f4a97e5052b83d3fbb367074dccd98382854fed6ba0c403ceaf8be6c84446

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
2KB

MD5
3d7a432e9cfee8a1da84f31a0a932c9d

SHA1
52ad24434a93d500b6b8fc11e6b9f40ac59d27b7

SHA256
eaf4cd2bfa3728061d030405dec1b89d7b6f7f46a4107577c1a9e2b014afa985

SHA512
51bf4b4058833ab43bacc94b7ecb57572519b4c5b9fb5fd025df0f5a855682a92ed3daf03be2d41155cc069f420ee611c23f83f418f13861534162aaaf3c7967

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

Filesize
1KB

MD5
325fa7bb7b538f9c31c880babdcb8dd5

SHA1
89acdaf4f8c8f9600bd63cebf1c2af4291aff9cf

SHA256
a8dc4cbc5f1c433d447bfedfa78515677a0a8d9923762d43e2bddc0c53f106fc

SHA512
6d28041077af51fd7733363ae199fe8c8472f11b1576b6a54a5f64bdb9f4787a617cca7fc24e1e99b6519c586555ba286b1db63fd4d2228a4e691df45901f9c5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
1d76dcb4b4eb8775faf9a0c39cccd72a

SHA1
502a549341702909185a6decf70d2777c83e666c

SHA256
69a1eef964b2488a8ab599990dce7b07b81b62eb9a1c84332c15c6c4a4a625d7

SHA512
1c5e0d14466bee62abe0f2bf0fcded9faf3be3c385dea429187193780f8bebcbd14dc18fce36f6bdea647f4b0af862520d680b829c3cdf310c595c262d377b38

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\75fdacd8330bac18.customDestinations-ms

Filesize
3KB

MD5
a97f5b8825ad01144cfbb844803023c1

SHA1
8f0d9e17d1805215acf2cde4f713068f7f9f5654

SHA256
28e29cc982bf42a8447faf2d827e21ca091a401e29bbb69298b4c20451172836

SHA512
bdebf1c8b98e94c511ef5c988c87d660e1071c0227f1a6cef54d6c542b6089e2cd9274d8b9034897ce8b4ccc66937098025a2312987b6a59982a0cf4836b4a3e

Download Submit
C:\Users\Admin\Desktop\How To Decrypt My Files.html

Filesize
642B

MD5
0478b49da134fdf63176ef4afe6b97f2

SHA1
4bbb29b39362f0dab6182566521b9966caf58761

SHA256
9b26dec2676022880c5211d0ab50ed9efa631ad1aa759d1c301571b9e459bcb0

SHA512
a0a42ba60bcc3ede984b68eb850cf4c96ecacd6ff34c44753a2fca1b55e64645824e39e24ff61a8498208e73f5e54d158dc7f3d362302d8d2e3295ac1d6d5f0f

Download Submit
C:\Users\Admin\Downloads\Output.exe:Zone.Identifier

Filesize
26B

MD5
fbccf14d504b7b2dbcb5a5bda75bd93b

SHA1
d59fc84cdd5217c6cf74785703655f78da6b582b

SHA256
eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

SHA512
aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 265633.crdownload

Filesize
5.4MB

MD5
e0c6d0482b2aa593871ae243df94d9c8

SHA1
d51ba08a36a37b0c56176af74b9385f91df58e7c

SHA256
b565460cdf396bf5dfdcebdfdaabb8736207c3a623230b71137d56fc777f6139

SHA512
67027880406163002e6f4402ee86147c98ffbc0a0d80fe7e2f5c88b931b84f45ed3da47930cb31dc08f60aada2c02b53289abf5c82431380860ad9a0afa1b0ad

Download Submit
C:\Users\Admin\NTUSER.DAT{2fa72cf3-34ca-11ed-acae-cbf1edc82a99}.TMContainer00000000000000000001.regtrans-ms.ENC

Filesize
16B

MD5
9bfefe6c4176b743f893687c430612c1

SHA1
a2628af7b8abc719a8bc2a9339ad2f77312f08db

SHA256
a83d8b03494f87c9207d7a039fe362b82bfebcfb9d7a8dccdbdf6c976926b5f1

SHA512
f81515ef635583efe7fa67a71f242a4378593f0f8ae5792d5007764a8547886c64d858f05332a826bbbd5128db6a9dbfb21f7a9b13d103e525379d2dc777cacd

Download Submit
memory/756-504-0x00000229A7390000-0x00000229A73B2000-memory.dmp

Filesize
136KB

Download
memory/1500-1257-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/1500-1580-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/1500-133-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/2324-108-0x0000000000A20000-0x0000000000F98000-memory.dmp

Filesize
5.5MB

Download
memory/2816-132-0x0000000000110000-0x0000000000126000-memory.dmp

Filesize
88KB

Download
memory/2816-1622-0x000000001CB00000-0x000000001CB0C000-memory.dmp

Filesize
48KB

Download
memory/2816-1652-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/2816-1649-0x000000001C490000-0x000000001C4A2000-memory.dmp

Filesize
72KB

Download
memory/2816-1263-0x000000001AFC0000-0x000000001AFCC000-memory.dmp

Filesize
48KB

Download
memory/2816-1646-0x000000001D0A0000-0x000000001D25A000-memory.dmp

Filesize
1.7MB

Download
memory/4344-1621-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/4344-183-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/4344-1259-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/4600-174-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/4600-1618-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/4600-321-0x00000000058C0000-0x00000000058DB000-memory.dmp

Filesize
108KB

Download
memory/4600-1258-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/4600-1596-0x00000000001A0000-0x00000000018C0000-memory.dmp

Filesize
23.1MB

Download
memory/4600-324-0x00000000058C0000-0x00000000058DB000-memory.dmp

Filesize
108KB

Download
memory/4600-325-0x00000000058C0000-0x00000000058DB000-memory.dmp

Filesize
108KB

Download