Windows Analysis Report
SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe

Overview

General Information

Sample name: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Analysis ID: 1521703
MD5: 95408095927f78deffaeb9cb1f4cd44d
SHA1: 5e98f7cc5b8bce4dcefddc0313fe1ccc15ffe08c
SHA256: 0c7b1dafed4420aab551544f4ca8813f1556e19442f75046b00bb0c952215456
Tags: exe
Infos:

Detection

Score: 76
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
AI detected suspicious sample
Creates files in the system32 config directory
Drops executables to the windows directory (C:\Windows) and starts them
Excessive usage of taskkill to terminate processes
Uses taskkill to terminate AV processes
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to query CPU information (cpuid)
Contains functionality to query locales information (e.g. system language)
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Deletes files inside the Windows folder
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Found large amount of non-executed APIs
HTTP GET or POST without a user agent
IP address seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Suricata IDS alerts with low severity for network traffic
Too many similar processes found
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes

Classification

AV Detection
barindex
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\MicrosoftWindowsDefenderCoreService[1].exe ReversingLabs: Detection: 41%
Source: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\AnyDeskCrashHandler[1].exe ReversingLabs: Detection: 28%
Source: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe ReversingLabs: Detection: 31%
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe ReversingLabs: Detection: 28%
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe ReversingLabs: Detection: 31%
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe ReversingLabs: Detection: 41%
Multi AV Scanner detection for submitted file
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe ReversingLabs: Detection: 31%
AI detected suspicious sample
Source: Submited Sample Integrated Neural Analysis Model: Matched 100.0% probability
Source: unknown HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49714 version: TLS 1.2
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78832B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6C78832B4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A9B94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_00007FF76E1A9B94
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA9590E0 FindFirstFileExW, 7_2_00007FF7AA9590E0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB32B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 25_2_00007FF71DDB32B4
HTTP GET or POST without a user agent
Source: global traffic HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/AnyDeskCrashHandler.exe HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/MicrosoftWindowsDefenderCoreService.exe HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/AnyDeskUpdateService.exe HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
IP address seen in connection with other malware
Source: Joe Sandbox View IP Address: 185.199.110.153 185.199.110.153
Source: Joe Sandbox View IP Address: 185.199.110.153 185.199.110.153
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: 37f463bf4616ecd445d4a1937da06e19
Suricata IDS alerts with low severity for network traffic
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49714 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49717 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49735 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49721 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49740 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49710 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49724 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49733 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49742 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49737 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49743 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49725 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49712 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49715 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49734 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49739 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49711 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49726 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49715
Source: Network traffic Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49710
Source: Network traffic Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49717
Source: Network traffic Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49712
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49728 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2001046 - Severity 3 - ET MALWARE UPX compressed file download possible malware : 185.199.110.153:443 -> 192.168.2.6:49711
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49736 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49744 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49729 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49741 -> 185.199.110.153:443
Source: Network traffic Suricata IDS: 2803305 - Severity 3 - ETPRO MALWARE Common Downloader Header Pattern H : 192.168.2.6:49731 -> 185.199.110.153:443
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785CDF0 InternetOpenW,InternetOpenUrlW,CreateFileW,InternetReadFile,WriteFile,InternetReadFile,CloseHandle, 0_2_00007FF6C785CDF0
Source: global traffic HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/AnyDeskCrashHandler.exe HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/MicrosoftWindowsDefenderCoreService.exe HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/AnyDeskUpdateService.exe HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/AnyDeskShellIntegration.dll HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic HTTP traffic detected: GET /file/version.txt HTTP/1.1Host: duy-thanh.github.io
Source: global traffic DNS traffic detected: DNS query: duy-thanh.github.io
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.00000276209D5000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/1
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/=R
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, AnyDeskUpdateService.exe String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exe
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.execdf-ms
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exedll
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exehttps://duy-thanh.github.io/file/AnyDeskUpda
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exen
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetup
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetup%l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exetupz
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exey
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskCrashHandler.exez
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskS
Source: AnyDeskUpdateService.exe, 00000020.00000002.3385629324.0000009560FAC000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegratL
Source: AnyDeskUpdateService.exe, 00000020.00000002.3386537801.0000009561CFD000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegratP
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, AnyDeskUpdateService.exe String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll(l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll8l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllRo-
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllao
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.000002762097C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllges
Source: AnyDeskUpdateService.exe, 00000088.00000002.2580124899.00007FF71DD81000.00000040.00000001.01000000.00000008.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllhttps://duy-thanh.github.io/file/AnyDesk
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllmsml
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskShellIntegration.dllz
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2253907648.000001F7B17A9000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exe
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exe3l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeC:
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exedf-msMo
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeml
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/AnyDeskUpdateService.exeup
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp, SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp, AnyDeskUpdateService.exe String found in binary or memory: https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exep
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A3D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exev
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txt
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2580698857.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txt%l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txt.dll
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2702146475.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txt8Y
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txt9c4a2f8b514.cdf-msMo
Source: MicrosoftWindowsDefenderCoreService.exe, 00000005.00000002.2169025101.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386441778.00000004C6DF9000.00000004.00000010.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387459125.00007FF76E181000.00000040.00000001.01000000.00000006.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtC:
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452617242.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B178A000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516905564.000001F7B1789000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtD
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2388079438.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452545323.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2642623988.000001F7B17AC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtX
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtb.io/file/AnyDeskCrashHandler.exe
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381142881.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtb.io/file/version.txt3l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2943264967.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2881888934.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtb.io/file/version.txteService.exe3l
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2381038957.000001F7B17DA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txte1
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17AD000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2324213769.000001F7B17B0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtr
Source: MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2762015507.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516843651.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2821679076.000001F7B17E4000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://duy-thanh.github.io/file/version.txtt
Source: unknown Network traffic detected: HTTP traffic on port 49733 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49744
Source: unknown Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49743
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49742
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49741
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown Network traffic detected: HTTP traffic on port 49743 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49735
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49734
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49733
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49731
Source: unknown Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49724 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49742 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49728 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49721 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49728
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49726
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49725
Source: unknown Network traffic detected: HTTP traffic on port 49735 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49724
Source: unknown Network traffic detected: HTTP traffic on port 49739 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49721
Source: unknown Network traffic detected: HTTP traffic on port 49731 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49712 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49725 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49741 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown Network traffic detected: HTTP traffic on port 49715 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49715
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49712
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown Network traffic detected: HTTP traffic on port 49734 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49726 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49744 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49710 version: TLS 1.2
Source: unknown HTTPS traffic detected: 185.199.110.153:443 -> 192.168.2.6:49714 version: TLS 1.2
Too many similar processes found
Source: Conhost.exe Process created: 46
Source: sc.exe Process created: 50
Source: conhost.exe Process created: 67
Source: cmd.exe Process created: 118
Creates files inside the system directory
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\WindowsUpdate.txt Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\AnyDeskShellIntegration.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\AnyDeskShellIntegration_Update.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\version.txt Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe File created: C:\Windows\System32\WindowsUpdate.txt Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe File created: C:\Windows\System32\WindowsUpdate.txt
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe File created: C:\Windows\System32\WindowsUpdate.txt
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe File created: C:\Windows\System32\WindowsUpdate.txt
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe File created: C:\Windows\System32\WindowsUpdate.txt
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe File created: C:\Windows\System32\WindowsUpdate.txt
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe File created: C:\Windows\System32\WindowsUpdate.txt
Deletes files inside the Windows folder
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File deleted: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Detected potential crypto function
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7852840 0_2_00007FF6C7852840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785CDF0 0_2_00007FF6C785CDF0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C788AD68 0_2_00007FF6C788AD68
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7873510 0_2_00007FF6C7873510
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787E95C 0_2_00007FF6C787E95C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C786F0F0 0_2_00007FF6C786F0F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C786F910 0_2_00007FF6C786F910
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785E130 0_2_00007FF6C785E130
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785D920 0_2_00007FF6C785D920
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7884518 0_2_00007FF6C7884518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787F064 0_2_00007FF6C787F064
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7862860 0_2_00007FF6C7862860
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785D090 0_2_00007FF6C785D090
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787D0A0 0_2_00007FF6C787D0A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787FFBC 0_2_00007FF6C787FFBC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785E010 0_2_00007FF6C785E010
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785CF70 0_2_00007FF6C785CF70
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C788A6CC 0_2_00007FF6C788A6CC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78586D0 0_2_00007FF6C78586D0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78706DC 0_2_00007FF6C78706DC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C786F704 0_2_00007FF6C786F704
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7871DCC 0_2_00007FF6C7871DCC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785D600 0_2_00007FF6C785D600
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7871590 0_2_00007FF6C7871590
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C786F500 0_2_00007FF6C786F500
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7874D28 0_2_00007FF6C7874D28
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787D534 0_2_00007FF6C787D534
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7884518 0_2_00007FF6C7884518
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78794A0 0_2_00007FF6C78794A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7885410 0_2_00007FF6C7885410
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7888348 0_2_00007FF6C7888348
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785D350 0_2_00007FF6C785D350
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787DBB4 0_2_00007FF6C787DBB4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785E3B0 0_2_00007FF6C785E3B0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C786F2F4 0_2_00007FF6C786F2F4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C786FB14 0_2_00007FF6C786FB14
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785D240 0_2_00007FF6C785D240
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7870A74 0_2_00007FF6C7870A74
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7875A90 0_2_00007FF6C7875A90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785DA90 0_2_00007FF6C785DA90
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78832B4 0_2_00007FF6C78832B4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78719C8 0_2_00007FF6C78719C8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C785F9F0 0_2_00007FF6C785F9F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78781D8 0_2_00007FF6C78781D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78821FC 0_2_00007FF6C78821FC
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7876220 0_2_00007FF6C7876220
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7857A20 0_2_00007FF6C7857A20
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7889940 0_2_00007FF6C7889940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7886940 0_2_00007FF6C7886940
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7860190 0_2_00007FF6C7860190
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E182090 5_2_00007FF76E182090
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1831E0 5_2_00007FF76E1831E0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E199744 5_2_00007FF76E199744
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18BF50 5_2_00007FF76E18BF50
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18C730 5_2_00007FF76E18C730
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A4F8C 5_2_00007FF76E1A4F8C
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E197FD0 5_2_00007FF76E197FD0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18B7D0 5_2_00007FF76E18B7D0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1977B0 5_2_00007FF76E1977B0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1B0FB4 5_2_00007FF76E1B0FB4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E19AFA8 5_2_00007FF76E19AFA8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18B810 5_2_00007FF76E18B810
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A5FF0 5_2_00007FF76E1A5FF0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18C820 5_2_00007FF76E18C820
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18C070 5_2_00007FF76E18C070
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A490C 5_2_00007FF76E1A490C
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A58E8 5_2_00007FF76E1A58E8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1ABD60 5_2_00007FF76E1ABD60
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E197DC4 5_2_00007FF76E197DC4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E189DD0 5_2_00007FF76E189DD0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E19C598 5_2_00007FF76E19C598
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E198D9C 5_2_00007FF76E198D9C
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1AADF8 5_2_00007FF76E1AADF8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18B610 5_2_00007FF76E18B610
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1B1650 5_2_00007FF76E1B1650
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E183E20 5_2_00007FF76E183E20
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E19F678 5_2_00007FF76E19F678
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A86B4 5_2_00007FF76E1A86B4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18B6E0 5_2_00007FF76E18B6E0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E19CB40 5_2_00007FF76E19CB40
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E199B7C 5_2_00007FF76E199B7C
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A9B94 5_2_00007FF76E1A9B94
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E197BC0 5_2_00007FF76E197BC0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18C3D0 5_2_00007FF76E18C3D0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18C410 5_2_00007FF76E18C410
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18B440 5_2_00007FF76E18B440
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E19D420 5_2_00007FF76E19D420
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A4478 5_2_00007FF76E1A4478
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18BC70 5_2_00007FF76E18BC70
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1AEC98 5_2_00007FF76E1AEC98
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18C500 5_2_00007FF76E18C500
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A0940 5_2_00007FF76E1A0940
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1AADF8 5_2_00007FF76E1AADF8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A917C 5_2_00007FF76E1A917C
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1981D4 5_2_00007FF76E1981D4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1979B4 5_2_00007FF76E1979B4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18C230 5_2_00007FF76E18C230
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1B0290 5_2_00007FF76E1B0290
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1AD290 5_2_00007FF76E1AD290
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E18BA70 5_2_00007FF76E18BA70
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA951290 7_2_00007FF7AA951290
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA9590E0 7_2_00007FF7AA9590E0
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA957894 7_2_00007FF7AA957894
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA952130 7_2_00007FF7AA952130
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA95F688 7_2_00007FF7AA95F688
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDBAD68 25_2_00007FF71DDBAD68
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD82840 25_2_00007FF71DD82840
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD87A20 25_2_00007FF71DD87A20
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDAE95C 25_2_00007FF71DDAE95C
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA3510 25_2_00007FF71DDA3510
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD9F704 25_2_00007FF71DD9F704
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA06DC 25_2_00007FF71DDA06DC
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD886D0 25_2_00007FF71DD886D0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDBA6CC 25_2_00007FF71DDBA6CC
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8D600 25_2_00007FF71DD8D600
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8CDF0 25_2_00007FF71DD8CDF0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA1DCC 25_2_00007FF71DDA1DCC
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA1590 25_2_00007FF71DDA1590
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB4518 25_2_00007FF71DDB4518
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDAD534 25_2_00007FF71DDAD534
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA4D28 25_2_00007FF71DDA4D28
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD9F910 25_2_00007FF71DD9F910
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD9F0F0 25_2_00007FF71DD9F0F0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDAD0A0 25_2_00007FF71DDAD0A0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8D090 25_2_00007FF71DD8D090
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD92860 25_2_00007FF71DD92860
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDAF064 25_2_00007FF71DDAF064
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB4518 25_2_00007FF71DDB4518
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8E010 25_2_00007FF71DD8E010
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDAFFBC 25_2_00007FF71DDAFFBC
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8CF70 25_2_00007FF71DD8CF70
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD9FB14 25_2_00007FF71DD9FB14
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD9F2F4 25_2_00007FF71DD9F2F4
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB32B4 25_2_00007FF71DDB32B4
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA5A90 25_2_00007FF71DDA5A90
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8DA90 25_2_00007FF71DD8DA90
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA0A74 25_2_00007FF71DDA0A74
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8D240 25_2_00007FF71DD8D240
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA6220 25_2_00007FF71DDA6220
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB21FC 25_2_00007FF71DDB21FC
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA81D8 25_2_00007FF71DDA81D8
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8F9F0 25_2_00007FF71DD8F9F0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA19C8 25_2_00007FF71DDA19C8
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD90190 25_2_00007FF71DD90190
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB9940 25_2_00007FF71DDB9940
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB6940 25_2_00007FF71DDB6940
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8D920 25_2_00007FF71DD8D920
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8E130 25_2_00007FF71DD8E130
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD9F500 25_2_00007FF71DD9F500
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA94A0 25_2_00007FF71DDA94A0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB5410 25_2_00007FF71DDB5410
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8E3B0 25_2_00007FF71DD8E3B0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDADBB4 25_2_00007FF71DDADBB4
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD8D350 25_2_00007FF71DD8D350
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB8348 25_2_00007FF71DDB8348
Sample file is different than original file name gathered from version info
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000000.2117381795.00007FF6C78AD000.00000008.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnyDeskUpdateService.exeJ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170344849.00007FF6C78AD000.00000004.00000001.01000000.00000003.sdmp Binary or memory string: OriginalFilenameAnyDeskUpdateService.exeJ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000003.2163868483.0000027620A06000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoftWindowsDefenderCoreService.exeh$ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Binary or memory string: OriginalFilenameAnyDeskUpdateService.exeJ vs SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe
Source: classification engine Classification label: mal76.evad.winEXE@545/20@1/1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: CreateServiceW, 0_2_00007FF6C7890008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,RegisterServiceCtrlHandlerW,SetServiceStatus,CreateEventW,SetServiceStatus,CreateThread,GetLastError,SetServiceStatus,_invalid_parameter_noinfo_noreturn, 0_2_00007FF6C7857A20
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,RegisterServiceCtrlHandlerW,SetServiceStatus,CreateEventW,SetServiceStatus,CreateThread,GetLastError,SetServiceStatus,_invalid_parameter_noinfo_noreturn,SetServiceStatus,SetEvent,SetServiceStatus, 5_2_00007FF76E1831E0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: GetModuleFileNameW,GetLastError,OpenSCManagerW,GetLastError,CreateServiceW,GetLastError,CloseServiceHandle,CloseServiceHandle,CloseServiceHandle,RegisterServiceCtrlHandlerW,SetServiceStatus,CreateEventW,SetServiceStatus,CreateThread,GetLastError,SetServiceStatus, 25_2_00007FF71DD87A20
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: CreateServiceW, 25_2_00007FF71DDC0008
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7852840 GetFileAttributesW,GetFileAttributesW,InternetCloseHandle,GetFileAttributesW,MoveFileW,GetFileAttributesW,GetFileAttributesW,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,lstrcmpiW,GetCurrentProcessId,ShellExecuteExW,GetLastError,StartServiceCtrlDispatcherW, 0_2_00007FF6C7852840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7852840 GetFileAttributesW,GetFileAttributesW,InternetCloseHandle,GetFileAttributesW,MoveFileW,GetFileAttributesW,GetFileAttributesW,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,lstrcmpiW,GetCurrentProcessId,ShellExecuteExW,GetLastError,StartServiceCtrlDispatcherW, 0_2_00007FF6C7852840
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7890030 StartServiceCtrlDispatcherW,RegisterEventSourceW, 0_2_00007FF6C7890030
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E182090 GetCurrentProcessId,ShellExecuteExW,lstrcmpiW,StartServiceCtrlDispatcherW,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn,_invalid_parameter_noinfo_noreturn, 5_2_00007FF76E182090
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1B7030 StartServiceCtrlDispatcherW, 5_2_00007FF76E1B7030
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD82840 GetFileAttributesW,GetFileAttributesW,InternetCloseHandle,GetFileAttributesW,MoveFileW,GetFileAttributesW,GetFileAttributesW,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,lstrcmpiW,GetCurrentProcessId,ShellExecuteExW,GetLastError,StartServiceCtrlDispatcherW, 25_2_00007FF71DD82840
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDC0030 StartServiceCtrlDispatcherW,OpenSCManagerW, 25_2_00007FF71DDC0030
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AnyDeskShellIntegration[1].dll Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5156:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6904:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4252:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2852:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5692:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1112:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5320:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4920:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3748:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2828:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1588:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4976:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5648:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1484:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5308:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2404:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2012:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1952:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5256:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:4832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6292:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:2832:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5040:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5100:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6820:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6124:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:1944:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:6192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:3984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \BaseNamedObjects\Local\SM0:5712:120:WilError_03
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\sc.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Windows\System32\Conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "MsMpEng.exe")
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe ReversingLabs: Detection: 31%
Source: unknown Process created: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe "C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: unknown Process created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: unknown Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe "C:\Windows\System32\oobe\AnyDeskUpdateService.exe"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: unknown Process created: C:\Windows\System32\svchost.exe C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\taskkill.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\sc.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\Conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636 Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\System32\cmd.exe /c sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: slc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ondemandconnroutehelper.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: winhttp.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: winnsi.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: schannel.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: mskeyprotect.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Section loaded: ncryptsslp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wldp.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: propsys.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: edputil.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: netutils.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: appresolver.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: bcp47langs.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: slc.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: userenv.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: sppc.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: pcacli.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: mpr.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: sfc_os.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: wininet.dll
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanagersvc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: licensemanager.dll
Source: C:\Windows\System32\svchost.exe Section loaded: clipc.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\svchost.exe Section loaded: wldp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{0358b920-0ac7-461f-98f4-58e32cd89148}\InProcServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Static PE information: Image base 0x140000000 > 0x60000000
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Uses code obfuscation techniques (call, push, ret)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7894355 push rsi; ret 0_2_00007FF6C7894356
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1BAF45 push rsi; ret 5_2_00007FF76E1BAF46
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1BC572 push rax; retf 5_2_00007FF76E1BC581
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA96784D push rcx; retf 003Fh 7_2_00007FF7AA96784E
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA95CD54 pushfq ; retf 0000h 7_2_00007FF7AA95CD55
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDC4355 push rsi; ret 25_2_00007FF71DDC4356
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1
Source: initial sample Static PE information: section name: UPX0
Source: initial sample Static PE information: section name: UPX1

Persistence and Installation Behavior
barindex
Creates files in the system32 config directory
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\system32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\version[1].txt Jump to behavior
Drops executables to the windows directory (C:\Windows) and starts them
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Executable created and started: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Executable created and started: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Executable created and started: C:\Windows\System32\oobe\AnyDeskUpdateService.exe
Drops PE files
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\BLNS00AZ\AnyDeskCrashHandler[1].exe Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\AnyDeskShellIntegration_Update.dll Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\AnyDeskShellIntegration.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\6ATIQPJI\MicrosoftWindowsDefenderCoreService[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AnyDeskShellIntegration[1].dll Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\AnyDeskShellIntegration_Update.dll Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskUpdateService[1].exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\AnyDeskShellIntegration.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe File created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe File created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7852840 GetFileAttributesW,GetFileAttributesW,InternetCloseHandle,GetFileAttributesW,MoveFileW,GetFileAttributesW,GetFileAttributesW,ShellExecuteExW,GetLastError,WaitForSingleObject,CloseHandle,lstrcmpiW,GetCurrentProcessId,ShellExecuteExW,GetLastError,StartServiceCtrlDispatcherW, 0_2_00007FF6C7852840
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Window / User API: threadDelayed 7823 Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Window / User API: threadDelayed 2175 Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Window / User API: threadDelayed 372
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Window / User API: threadDelayed 7704
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Window / User API: threadDelayed 2294
Found dropped PE file which has not been started or loaded
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Dropped PE file which has not been started: C:\Windows\System32\AnyDeskShellIntegration_Update.dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Dropped PE file which has not been started: C:\Windows\System32\AnyDeskShellIntegration.dll Jump to dropped file
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Dropped PE file which has not been started: C:\Windows\System32\config\systemprofile\AppData\Local\Microsoft\Windows\INetCache\IE\AnyDeskShellIntegration[1].dll Jump to dropped file
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\8HXJSKQQ\AnyDeskShellIntegration[1].dll Jump to dropped file
Found large amount of non-executed APIs
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe API coverage: 9.4 %
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe TID: 5064 Thread sleep time: -85000s >= -30000s Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 6564 Thread sleep time: -782300s >= -30000s Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 6564 Thread sleep time: -217500s >= -30000s Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe TID: 3704 Thread sleep count: 372 > 30
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe TID: 3704 Thread sleep time: -1116000s >= -30000s
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 Thread sleep count: 7704 > 30
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 Thread sleep time: -770400s >= -30000s
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 Thread sleep count: 2294 > 30
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe TID: 2448 Thread sleep time: -229400s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Last function: Thread delayed
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78832B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 0_2_00007FF6C78832B4
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1A9B94 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 5_2_00007FF76E1A9B94
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA9590E0 FindFirstFileExW, 7_2_00007FF7AA9590E0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDB32B4 _invalid_parameter_noinfo,FindFirstFileExW,FindNextFileW,FindClose,FindClose, 25_2_00007FF71DDB32B4
Source: MicrosoftWindowsDefenderCoreService.exe, 00000005.00000002.2168899269.000002466387E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: War&Prod_VMware_SATA_CD0
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.000002762097C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAWp
Source: SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe, 00000000.00000002.2170001507.00000276209F6000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3386691306.000001F7B1727000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000002.3387008885.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.3381908245.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2516905564.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp, MicrosoftWindowsDefenderCoreService.exe, 00000011.00000003.2452617242.000001F7B179E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787478C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6C787478C
Contains functionality which may be used to detect a debugger (GetProcessHeap)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7887C50 GetProcessHeap, 0_2_00007FF6C7887C50
Enables debug privileges
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C787478C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6C787478C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C78685D4 SetUnhandledExceptionFilter, 0_2_00007FF6C78685D4
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7868430 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 0_2_00007FF6C7868430
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E19C0F8 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF76E19C0F8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E191484 SetUnhandledExceptionFilter, 5_2_00007FF76E191484
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: 5_2_00007FF76E1912E0 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 5_2_00007FF76E1912E0
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA952FB4 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF7AA952FB4
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA953194 SetUnhandledExceptionFilter, 7_2_00007FF7AA953194
Source: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe Code function: 7_2_00007FF7AA956964 RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 7_2_00007FF7AA956964
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD985D4 SetUnhandledExceptionFilter, 25_2_00007FF71DD985D4
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDA478C RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00007FF71DDA478C
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DDC0188 SetUnhandledExceptionFilter, 25_2_00007FF71DDC0188
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: 25_2_00007FF71DD98430 IsProcessorFeaturePresent,RtlCaptureContext,RtlLookupFunctionEntry,RtlVirtualUnwind,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 25_2_00007FF71DD98430

HIPS / PFW / Operating System Protection Evasion
barindex
Excessive usage of taskkill to terminate processes
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Uses taskkill to terminate AV processes
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Creates a process in suspended mode (likely to inject code)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe "C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe" install Jump to behavior
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2404 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6636 Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 2128 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt" Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService Jump to behavior
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskCrashHandler.exe "C:\Windows\System32\oobe\AnyDeskCrashHandler.exe" --pid 6552
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\oobe\version.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start AnyDeskUpdateService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\System32\cmd.exe" /c taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\oobe\AnyDeskUpdateService.exe C:\Windows\System32\oobe\AnyDeskUpdateService.exe install
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c DEL /F /S /Q "C:\Windows\System32\WindowsUpdate.txt"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start AnyDeskUpdateService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\sc.exe sc start MicrosoftWindowsDefenderCoreService
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\Conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Uses taskkill to terminate processes
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /f /im MsMpEng.exe
Contains functionality to query CPU information (cpuid)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C788D660 cpuid 0_2_00007FF6C788D660
Contains functionality to query locales information (e.g. system language)
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF6C788792C
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: GetLocaleInfoW, 0_2_00007FF6C78877F8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 0_2_00007FF6C7887748
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 0_2_00007FF6C7886ED0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: GetLocaleInfoW, 0_2_00007FF6C787B6D8
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: GetLocaleInfoW, 0_2_00007FF6C78875F0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 0_2_00007FF6C78873A0
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: EnumSystemLocalesW, 0_2_00007FF6C7887308
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: EnumSystemLocalesW, 0_2_00007FF6C7887238
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: EnumSystemLocalesW, 0_2_00007FF6C787B258
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: GetLocaleInfoW, 0_2_00007FF6C78902B0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: GetLocaleInfoW, 5_2_00007FF76E1ADF40
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 5_2_00007FF76E1AD820
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 5_2_00007FF76E1AE098
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: EnumSystemLocalesW, 5_2_00007FF76E1ADB88
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: EnumSystemLocalesW, 5_2_00007FF76E1ADC58
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: EnumSystemLocalesW, 5_2_00007FF76E1A24C8
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 5_2_00007FF76E1ADCF0
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: GetLocaleInfoW, 5_2_00007FF76E1A2948
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: GetLocaleInfoW, 5_2_00007FF76E1AE148
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 5_2_00007FF76E1AE27C
Source: C:\Windows\System32\oobe\MicrosoftWindowsDefenderCoreService.exe Code function: GetLocaleInfoW, 5_2_00007FF76E1B72B0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: GetLocaleInfoW, 25_2_00007FF71DDAB6D8
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: TranslateName,TranslateName,GetACP,IsValidCodePage,GetLocaleInfoW, 25_2_00007FF71DDB6ED0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: GetLocaleInfoW, 25_2_00007FF71DDB75F0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: GetLocaleInfoW, 25_2_00007FF71DDB77F8
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetACP, 25_2_00007FF71DDB7748
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: EnumSystemLocalesW, 25_2_00007FF71DDB7308
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: GetLocaleInfoW, 25_2_00007FF71DDC02B0
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: EnumSystemLocalesW, 25_2_00007FF71DDAB258
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: EnumSystemLocalesW, 25_2_00007FF71DDB7238
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: EnumSystemLocalesW,GetUserDefaultLCID,ProcessCodePage,IsValidCodePage,IsValidLocale,GetLocaleInfoW,GetLocaleInfoW, 25_2_00007FF71DDB792C
Source: C:\Windows\System32\oobe\AnyDeskUpdateService.exe Code function: GetLocaleInfoW,GetLocaleInfoW,GetLocaleInfoW, 25_2_00007FF71DDB73A0
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe Code function: 0_2_00007FF6C7868324 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter, 0_2_00007FF6C7868324
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1521703 Sample: SecuriteInfo.com.Trojan.Win... Startdate: 29/09/2024 Architecture: WINDOWS Score: 76 116 duy-thanh.github.io 2->116 118 Multi AV Scanner detection for dropped file 2->118 120 Multi AV Scanner detection for submitted file 2->120 122 AI detected suspicious sample 2->122 11 AnyDeskUpdateService.exe 2->11         started        14 MicrosoftWindowsDefenderCoreService.exe 56 2->14         started        17 SecuriteInfo.com.Trojan.Win64.Spy.1125.10281.exe 21 2->17         started        20 svchost.exe 2->20         started        signatures3 process4 dnsIp5 130 Uses taskkill to terminate AV processes 11->130 132 Drops executables to the windows directory (C:\Windows) and starts them 11->132 134 Excessive usage of taskkill to terminate processes 11->134 22 cmd.exe 11->22         started        25 cmd.exe 11->25         started        27 cmd.exe 11->27         started        35 23 other processes 11->35 98 C:\Windows\...\AnyDeskUpdateService.exe, PE32+ 14->98 dropped 100 C:\Windows\...\AnyDeskUpdateService[1].exe, PE32+ 14->100 dropped 102 C:\Windows\...\AnyDeskShellIntegration[1].dll, PE32+ 14->102 dropped 104 C:\...\AnyDeskShellIntegration_Update.dll, PE32+ 14->104 dropped 136 Creates files in the system32 config directory 14->136 29 cmd.exe 1 14->29         started        31 cmd.exe 14->31         started        37 17 other processes 14->37 114 duy-thanh.github.io 185.199.110.153, 443, 49710, 49711 FASTLYUS Netherlands 17->114 106 MicrosoftWindowsDefenderCoreService.exe, PE32+ 17->106 dropped 108 C:\Windows\...\AnyDeskCrashHandler.exe, PE32+ 17->108 dropped 110 C:\Windows\...\AnyDeskShellIntegration.dll, PE32+ 17->110 dropped 112 3 other malicious files 17->112 dropped 33 MicrosoftWindowsDefenderCoreService.exe 2 17->33         started        39 3 other processes 17->39 file6 signatures7 process8 signatures9 124 Excessive usage of taskkill to terminate processes 22->124 41 2 other processes 22->41 43 3 other processes 25->43 45 2 other processes 27->45 47 2 other processes 29->47 126 Drops executables to the windows directory (C:\Windows) and starts them 31->126 50 2 other processes 31->50 128 Multi AV Scanner detection for dropped file 33->128 52 2 other processes 33->52 54 50 other processes 35->54 56 28 other processes 37->56 58 2 other processes 39->58 process10 signatures11 64 3 other processes 41->64 60 Conhost.exe 43->60         started        66 2 other processes 45->66 68 2 other processes 47->68 62 cmd.exe 50->62         started        138 Multi AV Scanner detection for dropped file 52->138 70 3 other processes 52->70 72 12 other processes 54->72 74 8 other processes 56->74 76 4 other processes 58->76 process12 process13 78 sc.exe 1 70->78         started        80 sc.exe 1 70->80         started        82 conhost.exe 70->82         started        84 conhost.exe 70->84         started        86 cmd.exe 72->86         started        88 Conhost.exe 72->88         started        90 Conhost.exe 72->90         started        92 Conhost.exe 74->92         started        process14 94 Conhost.exe 78->94         started        96 Conhost.exe 80->96         started       
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
185.199.110.153
 duy-thanh.github.io Netherlands
54113 FASTLYUS false

Contacted Domains

Name IP Active
duy-thanh.github.io 185.199.110.153 true

Contacted URLs

Name Malicious Antivirus Detection Reputation
https://duy-thanh.github.io/file/AnyDeskCrashHandler.exe false
    		unknown
    https://duy-thanh.github.io/file/AnyDeskUpdateService.exe false
      		unknown
      https://duy-thanh.github.io/file/AnyDeskShellIntegration.dll false
        		unknown
        https://duy-thanh.github.io/file/version.txt false
          		unknown
          https://duy-thanh.github.io/file/MicrosoftWindowsDefenderCoreService.exe false
            		unknown