xworm | 9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7

Analysis

max time kernel
1s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 20:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

AnyDesk.exe
Size

5.6MB
MD5

c655d958dac296c3e6b0667e5f00dada
SHA1

678c76f62274a01a98ddd70082589c4a283c5a5a
SHA256

9d4e6b0fe6db752c0bab9fd0c9d2041f3304880010cfa271486f2288c80fd4f7
SHA512

98c4595eccf9fa67f99e16d36347739932fdbebe29bd95d65e397e60a34002d3724f9221fcf0514631f8cf05808c320cdf4c22eee28e77b06c01993b1079d7a0
SSDEEP

98304:9sNuDeuRqghwVZpsCzTB0saQZ2pT46vyQUiGNcX84I3UjpFU473BJ9kQEuyh2:Qu1ElzTB0saGhkGs84I3U1/JQh2

Score

10^/10

xworm execution rat trojan

Malware Config

Extracted

Family

xworm

allows-welfare.gl.at.ply.gg:49180

Attributes

Install_directory
%AppData%
install_file
System32pdfc.exe

Signatures

Detect Xworm Payload 2 IoCs

Processes:

resource yara_rule

C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe family_xworm
behavioral2/memory/700-10-0x0000000000F50000-0x0000000000F68000-memory.dmp family_xworm
Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exepowershell.exepowershell.exe

pid process

4092 powershell.exe
920 powershell.exe
2944 powershell.exe
3456 powershell.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

AnyDesk.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation AnyDesk.exe
Executes dropped EXE 2 IoCs

Processes:

system32transmitter.exeAnyDesk.exe

pid process

700 system32transmitter.exe
3496 AnyDesk.exe
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

21 ip-api.com
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

system32transmitter.exe

description pid process

Token: SeDebugPrivilege 700 system32transmitter.exe

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe	family_xworm
behavioral2/memory/700-10-0x0000000000F50000-0x0000000000F68000-memory.dmp	family_xworm

pid	process
4092	powershell.exe
920	powershell.exe
2944	powershell.exe
3456	powershell.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	AnyDesk.exe

pid	process
700	system32transmitter.exe
3496	AnyDesk.exe

flow	ioc
21	ip-api.com

description	pid	process
Token: SeDebugPrivilege	700	system32transmitter.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

AnyDesk.execmd.exe

description	pid	process	target process
PID 2920 wrote to memory of 1396	2920	AnyDesk.exe	cmd.exe
PID 2920 wrote to memory of 1396	2920	AnyDesk.exe	cmd.exe
PID 2920 wrote to memory of 1396	2920	AnyDesk.exe	cmd.exe
PID 1396 wrote to memory of 700	1396	cmd.exe	system32transmitter.exe
PID 1396 wrote to memory of 700	1396	cmd.exe	system32transmitter.exe
PID 1396 wrote to memory of 3496	1396	cmd.exe	AnyDesk.exe
PID 1396 wrote to memory of 3496	1396	cmd.exe	AnyDesk.exe
PID 1396 wrote to memory of 3496	1396	cmd.exe	AnyDesk.exe

C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\AnyDesk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:2920

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /c start "" "system32transmitter.exe" & start "" "AnyDesk.exe"
2⤵
- Suspicious use of WriteProcessMemory
PID:1396

C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
"system32transmitter.exe"
3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:700

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:4092

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'system32transmitter.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:920

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System32pdfc.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:2944

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System32pdfc.exe'
4⤵
- Command and Scripting Interpreter: PowerShell
PID:3456

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"AnyDesk.exe"
3⤵
- Executes dropped EXE
PID:3496

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-service
4⤵
PID:448

C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
"C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe" --local-control
4⤵
PID:1952

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://anydesk.com/pricing/teams
4⤵
PID:1484

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff80f9946f8,0x7ff80f994708,0x7ff80f994718
5⤵
PID:3800

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2204 /prefetch:2
5⤵
PID:4368

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
5⤵
PID:3436

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
5⤵
PID:212

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
5⤵
PID:4516

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
5⤵
PID:4304

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4600 /prefetch:1
5⤵
PID:2904

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5256 /prefetch:1
5⤵
PID:216

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5148 /prefetch:8
5⤵
PID:4228

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
5⤵
PID:1464

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6108 /prefetch:8
5⤵
PID:5240

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5832 /prefetch:1
5⤵
PID:5268

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4000 /prefetch:1
5⤵
PID:5276

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
5⤵
PID:5540

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6288 /prefetch:1
5⤵
PID:5548

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,17613713791468383495,3495722696336865259,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 /prefetch:2
5⤵
PID:6008

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2856

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3932

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x338 0x4a0
1⤵
PID:1040

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\44676396-8c1b-492f-afd8-31a07f61d597.tmp
Filesize
1KB

MD5
820bc6ea8ced05eee20f46ca7db6afae

SHA1
3c6edfccffd3b98f99aa54c6af26651c3cd59b68

SHA256
ca88f2b0c1247e791972f41bc296611bc9936154602a656fad370e67b7e2f01d

SHA512
1981a702c2fb455ebdef6c406a714c20829c7849e72d1a383ffb224ef36b6ddd372216f11fc9855cdd305c3a0fbb73216382fc9119c7aebf0afb3c84ac06ed45

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000030
Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
720B

MD5
cf52b641ec47c32febc2338d2377cf3e

SHA1
b325a0cba6278c0fc87303221988a5b8530debf8

SHA256
d94f81c446c086062e65d875b815d25ecb0ad7f112f5c5d079496951a3416760

SHA512
7b6185e4efbd75ae8932317ffb46493f3d52acc9f91aa8557278d5a4283db39a62e8f4c42e5fabe70043d3ec193cbc529a226388689b8aa401c5f56989455da7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
2KB

MD5
90e9c3086df44a7bbfe4260098ea2d69

SHA1
56ed8b0c758a2c9aaabfd9a3425b7ddc71749d7c

SHA256
096a7006acde4217be446acb306746be9b57ec0fc3038b268f60076e3889c36d

SHA512
17ffab0af3a2c255947b3028f4538add6d0bddd869f20f0b1fbe1646c970ccd1c4b021f2ce84f0fdc9f31f45ea9e98f62959ed85ba508d3b8a13464147f4d035

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4c91cacdcabc4c50c4e0162816b5172c

SHA1
4f217dd7ccd81de551d16f3bfb3a2e65ce680fc4

SHA256
350bcc3a611238de2562cd0ae3806f77950f6014490a3cfb943633fba32e51e6

SHA512
0c9a16e4251e08493822e730427bfa913df5fb3d7d426a6ed6b5e00f6323c53ce7607ef0c3d6043ab84a2f3804b38648ea15f96af57409e9ac2b326d95c1e172

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
7KB

MD5
89df5f41b489ca97b488381e2af209c4

SHA1
3098c5d0df5569b0d13700cd0af8ffb3b46d56d8

SHA256
c896193578e06ec568237c596697029fcae6f490a08321704f174ee6e0ded244

SHA512
f443e8c6e13f87a9c9cf81d03c63ae81850a5dfbd341b6c1c05c3072bd7ddd7e1c831bfc6c51ae767efbeec751cebfbe35eb8c8300a538339d25b61108523693

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt
Filesize
79B

MD5
51d0dd0fd65ddd6e8e15b29982e934ca

SHA1
4a27501fb432dea2eb7b73c497ba092350998a39

SHA256
757bced78439cccaaa4ee16a5135bffd77956ea71cca8df2019cc6faabc8ed50

SHA512
4360b4f4bbea2e443257a397b803f04c257af29adb3ee9526fe662fdabad19fb8070ae7b484cd724a3079ed3334e1efe83e684edb8f0c17d94998a1e5181bf64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\CacheStorage\ae689a2144e9e24bc49282f4757ca91c0bf7f5f1\index.txt
Filesize
86B

MD5
957f007712fb6fb285113629b367db14

SHA1
13786da9fd625d69793376e007a488a444bc57f8

SHA256
957b80a271598463f73f495af58e9e9d1d9da3e5a7c0e51d5af6b0c35b44a2b9

SHA512
25c14911fc0cb517690708b6f68c6900cae9cf30e43c8dcb3a587f681551fcebbd62515a58c6301e09ebcc861531a7a82f5eba98b72287bf6a550aa3a3a320f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
94dc0994d3af297383f6057cd1300125

SHA1
00657fab9f86812e78f1340b175bf72ee4e675be

SHA256
86a3f5dd385edb0e9819975ab764f54b501dc99e4afd07d318767a7ff19e4114

SHA512
cb5014de45fc16789005c16029e162ab190db55af55ae65fe00099ca4b4120645c72c157920b24119514707a101e0b591511dcfc7f478deab76d6c52920d9e0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
Filesize
1KB

MD5
f7732bd08f8c0e9dcbdf10354fe3ae84

SHA1
7aaaf67204e0949936462dea76addb82819929ed

SHA256
9ca8541e7fea9c0f737cce28aee707428c6af58840770c77fc72929d5ccf19e6

SHA512
4a9b35692840007340325d4f1cee2a7b150fa124d0f6d9435f948be5c5fcefc44f770eee02da539f04143903f574eddd601f7171ca3d1a53e83261f7d29754ec

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57e1b5.TMP
Filesize
1KB

MD5
53fc3dbdab1d739900ef5b31cae2a3c1

SHA1
d72815201f03a4abf62208f21f738095d92c7e56

SHA256
d9424d55ecb42a41024191f459321c50a1530f2e83ee68f7b70cdaae650a7f16

SHA512
83caee130bda82bb7da93d4d4f925f35f27a9bcfc2ddfcfdb4f802796c2c7c8c24a2ca4f3e86fe82d1f54d110dd366b42be04155ab80a804f0db308191a73429

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
10KB

MD5
75ed5055ae4f14803c3642dfc3a43982

SHA1
cd047e5a08fe163e3bc6cd0c208ad5df828c983e

SHA256
3e8322eb862244e87328ee407a0a05234f1edd1f78b7f44acfb8d8e378da56cc

SHA512
47aaf4c48a63fca868ce0e85bbe391f53b3a87210a3a8628c50468d7c4e3ff835c74e885e8c96795aac7bab612fba9e5bdc7cb8b234e3f38e3d9b33f294bea3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
4b47b3ec7560d94bbb75249907b85f24

SHA1
b2b109e8cb7359c26365e8643c5deeda90f5a4e0

SHA256
4ae49cfe74018a198e837a511f68e301af32b415335f165d60db590312a3c1d8

SHA512
7051417355308d6d2351ae25fb55f71d34f759c3ed5707013a98f7a85300d8f1e23df5fd259249154e827bbd80587be6189340e73646a7e310720081d8320585

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
944B

MD5
22310ad6749d8cc38284aa616efcd100

SHA1
440ef4a0a53bfa7c83fe84326a1dff4326dcb515

SHA256
55b1d8021c4eb4c3c0d75e3ed7a4eb30cd0123e3d69f32eeb596fe4ffec05abf

SHA512
2ef08e2ee15bb86695fe0c10533014ffed76ececc6e579d299d3365fafb7627f53e32e600bb6d872b9f58aca94f8cb7e1e94cdfd14777527f7f0aa019d9c6def

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\AnyDesk.exe
Filesize
5.1MB

MD5
aee6801792d67607f228be8cec8291f9

SHA1
bf6ba727ff14ca2fddf619f292d56db9d9088066

SHA256
1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

SHA512
09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\system32transmitter.exe
Filesize
73KB

MD5
864c37423bb1332bb4ae49b13da56cbc

SHA1
6a710197408e7e50e78b529e85499a364447fbd3

SHA256
d61cc856e397eccad395768e0046e54a1b2b32b580c358195206dcf3cd08da3c

SHA512
4dae0ee5c4dc08ca295e557a3aef27187a7b1db9bc9ec27445f83f06937c9c81ddd0974219df34d6556c0646685287997a97ec2702a3eaac433c985c7e976c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uft3kdup.dyp.ps1
Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi.dll
Filesize
385KB

MD5
1ce7d5a1566c8c449d0f6772a8c27900

SHA1
60854185f6338e1bfc7497fd41aa44c5c00d8f85

SHA256
73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

SHA512
7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
Filesize
9KB

MD5
5c8d2081a12c8e1b8032ec0daa7e0b41

SHA1
935994dea61aaff4538bde9385a281c0f491e10e

SHA256
8041cc167fabfe03d47e77833f9c6a2fc699ef266308b06cee590cf2b1ea361d

SHA512
766d927e62ec7689ee132ae0dfd2735e090d2c9cb6c5cef48b059429c75438c4e6183eeb10c7cef9915fbcf10ababf52d974be56231bf6d1f8f3fe7f6599e918

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
fad73b6a7c4489b7091b800400e847bf

SHA1
3e0fbcb54bb0b169de79cb95d147816d5ebd16c8

SHA256
fdd9cfe2bedb0d48ac954437d6e4e869812f53862398851bc247775f1573ccd5

SHA512
4e23a8b0d32fbf920f427391125107eca47a0c943ca07468e049a8b11af179e96029ec29bf5aa18bce87064641f6c6fd6bc3449798bfb36cc91a95192f56eceb

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
Filesize
2KB

MD5
a3b49a0c87c6ca9f550e8a6dd72e218c

SHA1
006b89b6ca0f9974aef5256575cdaa47f84357c4

SHA256
25ee46dcaf18b02014393195c3b10fb3788c331f1abd5ecea00bd646572eb64a

SHA512
ae9c6f6289fa34dfe5163a891a6b95e18d49f4dc58b15396daca013f8c175da151e817406e28e49062edf6f25dc9b2d76b483d3dd54e5b96d374944eb18e2fb2

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
632B

MD5
c502994380c4634cd9a5689d6e075687

SHA1
e916688177e2b9485c8b56c934061e1e4dbaa023

SHA256
8347d218f1b841cb65917906c69d16b636d5b8c9a9ccb59823b59a153a160cc4

SHA512
4881934a02ab7decbc55a5100d61a065b24a80495f4fb47ac036f2a28319aeb0edf1a61d4ebf9d10b0a097f8b329536300a7cf7a7455f2c82f173c820d40b387

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
701B

MD5
11be452bd00fe1644877d96b1cfc4ef7

SHA1
26dcc513caf1b77aa27d97e01f122193a3f6481d

SHA256
c8e51ccf90faf6c230a79ae139d0b5688223e2f32c84ae9c59fcfbf736b486ca

SHA512
7334fbb1a43bf30835878e903815f2f1d5810c7d6c744bd7cf3d2a33381c5e147ded1cb4492099ba455fcb865a2913a6a971011a35f06383c44a4467cc771cd9

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
758B

MD5
2afe9ebc5175fd61a749ca4e24e31bd9

SHA1
124e49f08477dc98e7765199c590b5d77f536d0f

SHA256
edc0b5093c7f3f3e8ed54813ceb4daf5538229b3fab9addd1c96aff59dbcbd3f

SHA512
31be5550e679f1bf415c9e12e379d02710ab05a41d31e9be0e8dfcbda8e1b9e694929deab8f329ddcf6d21d5f376a3a279a87bfa7234da7c4a11560d15d1bb50

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
Filesize
424B

MD5
2af14215bede41ac088abd34a142f796

SHA1
f411a62af4462cefb6ad527c7d5629ca2b0667d7

SHA256
cc51d62026fa3c8e35589bf92728d946e2947e60578ffd9186096f3019062470

SHA512
48d0ab87f2dda01926500714ef29979c2522347c47148eee163ec7681dab571e5134133a4b2448cb726f0975924b92f4bf41617e05915e3494be68f9723ea482

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
2KB

MD5
13c548acc547e361a230e337a1dcbba7

SHA1
12a6ca899e2bce6391360cfa5492f8e55a564f9a

SHA256
59dd3e0773e1027c1aad0e35dc182ca822be33aa3a37f2c2cdb1c8c8478dee15

SHA512
a56eac5ce9e88900ca296f1b55aa2b3a08ec60b71d8975d265005adf4e18e4e64d049ce5a47f289bab93d6d00f9e1b1e819ace3cb44d903c52e9d0a8426d39e1

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
3KB

MD5
02e9e898e3e26bd465317f4afd7fa4b4

SHA1
cef972bd50d39203fb3b24c8d20232a17d18be60

SHA256
22340682f69fba420b13c030f0a71d2fd6ac4b66cf7d0c9af4a1f2e82a441d8b

SHA512
c1c42271d3a5908ee1d630a1a4335f843dd52c896b789ff22d2d2d371b8d0139cf77df418d1571a26f8ec287a8dde5f51f735ff908743f290fe4929cae30caa0

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
3KB

MD5
f77ad164d48c70569269fb6bc0f8c766

SHA1
c65446b2959474a943bd45f354428e851ca64f1d

SHA256
4f64ecf3793006db28aea692749aa31d10b6400d72198e443f3d2e7146159224

SHA512
7c3c3fdbae37732cbd245316d5fbb64d546d1ec3e22294a84abb271e0148daff14c2091011ef7a6b0f57b23603b6f11a77c56a0db365f84ae53d4b167960355a

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
4169eb3559f6a9b5577b375a1c6ed2a4

SHA1
ccead7ef0b9709dd45e0ab9b4fff2fc00da9f7d8

SHA256
1514655311f0c96d307c76737d725fc47c4f1191f2d095a1b9eb92180e57636e

SHA512
b0e79b170fc1407605b6dad872d8780112de49c8086be0a24ad580cb571f57b4f12831fd6cdc2fc570f4ca61e8be168636a903386be7617c9a0357ea1a4bce87

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
6KB

MD5
62fcc075ab4c6c44dbc57013f73a4e28

SHA1
b099b81068ef1b5acc3753604d8386b332792f44

SHA256
22581658d051369a48c07a8991a8766bcc6606102acf0668694df6e30347c6ce

SHA512
1600b9b8aa145b5b1a4a63b2ca3a77e7d17974bd7f243b265b20da8b25d1fe9ae0746af476cb379e91a2a50fd4f769cde2bab98d3ab801dba79efc4f54f06058

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
87225f11d8bdf8c71d5b8c054e6f211d

SHA1
46b34acf43c32b4bb82c82bee18cfc01445977c0

SHA256
04ca808c59bb9f92450a6d6c742793f526b40a50b5e1988c9c132bbf89e90d64

SHA512
ffdb69b92fcd446a8168860ccaa2414e43e7cafdf333cfdd92b524d3990dcd54ee9d4dbbfdf2b7e85cb39d6d8713c7d946b734edc32ce91b4000c741fd1a942f

Download Submit
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
Filesize
1KB

MD5
24164fc7c32f72d1edb4dabf1316c28f

SHA1
173c4b18fa034336b90e678919636178d6123fd0

SHA256
2c8598b07be2561a37a56f7fea57f6a8b9ac3a9baf15afb56170621075cd488d

SHA512
ab73a46227492f45e780344839a60b8bf84fd5681b3461abd952e613237bd5337bb6ef138121b06234d05635d838e2882b9fafed6311e5dbbfa17dbd803c74e3

Download Submit
memory/448-26-0x0000000000310000-0x0000000001A59000-memory.dmp

Filesize
23.3MB

Download
memory/448-291-0x0000000000310000-0x0000000001A59000-memory.dmp

Filesize
23.3MB

Download
memory/700-250-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/700-514-0x00007FF815843000-0x00007FF815845000-memory.dmp

Filesize
8KB

Download
memory/700-523-0x00000000030C0000-0x00000000030D0000-memory.dmp

Filesize
64KB

Download
memory/700-10-0x0000000000F50000-0x0000000000F68000-memory.dmp

Filesize
96KB

Download
memory/700-9-0x00007FF815843000-0x00007FF815845000-memory.dmp

Filesize
8KB

Download
memory/1952-292-0x0000000000310000-0x0000000001A59000-memory.dmp

Filesize
23.3MB

Download
memory/1952-25-0x0000000000310000-0x0000000001A59000-memory.dmp

Filesize
23.3MB

Download
memory/3496-515-0x0000000000314000-0x000000000154A000-memory.dmp

Filesize
18.2MB

Download
memory/3496-290-0x0000000000310000-0x0000000001A59000-memory.dmp

Filesize
23.3MB

Download
memory/3496-15-0x0000000000314000-0x000000000154A000-memory.dmp

Filesize
18.2MB

Download
memory/3496-13-0x0000000000310000-0x0000000001A59000-memory.dmp

Filesize
23.3MB

Download
memory/4092-251-0x000001B9500F0000-0x000001B950112000-memory.dmp

Filesize
136KB

Download