Analysis Overview
SHA256
a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d
Threat Level: Known bad
The file a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d was found to be: Known bad.
Malicious Activity Summary
RedLine
Modifies Windows Defender Real-time Protection settings
Healer
Amadey
Detects Healer, an antivirus disabler dropper
RedLine payload
Loads dropped DLL
Windows security modification
Checks computer location settings
Executes dropped EXE
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 02:09
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 02:09
Reported
2023-10-03 02:12
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
155s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3430018.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2890696111-2332180956-3312704074-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5801298.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3486657.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0249899.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0872261.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3624 set thread context of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0910138.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 740 set thread context of 2352 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0576227.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d.exe
"C:\Users\Admin\AppData\Local\Temp\a154f87a1fa760d6e33b6e5ca6866b108c8b7bee164e6aee6e888ae2e043553d.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5801298.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5801298.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3486657.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3486657.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0249899.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0249899.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0872261.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0872261.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0910138.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0910138.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3624 -ip 3624
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 188 -p 2384 -ip 2384
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3624 -s 616
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0576227.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0576227.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 740 -ip 740
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 740 -s 152
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3430018.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3430018.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\AC00.tmp\AC01.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ff9a72646f8,0x7ff9a7264708,0x7ff9a7264718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ff9a72646f8,0x7ff9a7264708,0x7ff9a7264718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,7382360727829346212,15927825564027678032,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2184 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,7382360727829346212,15927825564027678032,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2572 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2552 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2500 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3224 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3844 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5308 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4124 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2156,9289916496248191918,3311411117803236372,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4900 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.201.86.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| NL | 157.240.201.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| NL | 157.240.201.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| FI | 77.91.124.55:19071 | N/A | tcp |
| US | 8.8.8.8:53 | 4.173.189.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | N/A | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5801298.exe
| MD5 | cf0cf3fe598de22ece6e6f0e3d2963aa |
| SHA1 | 9f7c2c964b68de908c6f69c350def64d10406c91 |
| SHA256 | 003feb5481bdff1f81b15d7ccfa9a972ccc0e10379cddf86d7011bfcdc3f2143 |
| SHA512 | 0ffce94742dcdb9d1605567eb1c1ff2c04cab7b6c404b146f9b52ebb8f017ec461666f5586bb2d3669a32249da118970394afc0a518b8f817a68b64eea5e2438 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z3486657.exe
| MD5 | 045ab4cd35098519fe9f8a9ab38ddd8a |
| SHA1 | 84f813a7a27d6bf9ff48b426543255e02c350aa5 |
| SHA256 | 5fc180fae596d1d0f87ef0998955525bc72ec5b3c261da066cd43bacb070de83 |
| SHA512 | f03c787e5c6f585d665e736fbc2338fc2bd03f6dcbbb84480053a3eae03c8d2638baabc25d74e16b963946aaf33d3ffd00439e2cecde7bdf4cc42ddd9c091483 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z0249899.exe
| MD5 | 92c52cd44b26165359404b44e68d5d2d |
| SHA1 | 0ac4acbede053b6c660fe218d9fe04fec7f04a5c |
| SHA256 | 10fadf5c37b3c7a9ede4f5e38727061be8eac968dd6592440d171c85a3061c5c |
| SHA512 | 13b7ac0d029384c2d5970960d2f1dc9e4dc08a74adee456e98e04c5e4ed396f9c1c38800833f6ced60a41a5321386bf4ed5af7c2fe21704bfbb6a7d28b47eaa1 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z0872261.exe
| MD5 | 90b9abe1d8acd4cfdb6375dfa2f5c712 |
| SHA1 | 56b5862592a4671ab354751f3d31dbda255413a5 |
| SHA256 | ec0f7bf244f819b1767f77782c404ae7b80df0d427a2227bd28d4d8708ea89ac |
| SHA512 | afea7bd7f014ca1a2b8d59c0cd7546ae618166dd9942906b53bb0d5ba2b116ebf6844ff33a536a3e2ded403fc2554e5fb259cc6defb1112d7a837b47ba728f6a |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0970891.exe
| MD5 | 24591fa100dd833a8c531be0caeb0ffd |
| SHA1 | 6939a47c91934aeaa94c4cdd9d260280f34611c0 |
| SHA256 | 866c7c4656982d26196df66f794d593368cbbc7815cd5c82213c71d06fa9f67e |
| SHA512 | 281a59cefad73f543975aa764d3e8a96915b3c3cfebae529b468bb230c9f6b6ccb1f5f9c717efc795670448ab759a6905e38df9ce25a3c131da59f158e4e4915 |
memory/2972-35-0x0000000000D30000-0x0000000000D3A000-memory.dmp
memory/2972-36-0x00007FF9A6A90000-0x00007FF9A7551000-memory.dmp
memory/2972-38-0x00007FF9A6A90000-0x00007FF9A7551000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r0910138.exe
| MD5 | f27c15e48f36181b4d16d9188bcd6d65 |
| SHA1 | 3655a14775e7574f8fdefa4ab260b7efb267b5be |
| SHA256 | bc51a7ca6c7de7c274743b0babc5308c6ff75d42b5fa53a6ddfd15e8dd08819d |
| SHA512 | 62a47929d8acc4102b9dd80b63a3c506fe6af7a20d16577113f83b947919651e063054d57f313565bfd36a11a701095a85440ad7c28d8b2ce812ef1593fef71c |
memory/2384-42-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2384-43-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2384-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2384-46-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s0576227.exe
| MD5 | 603610af9206c572a47a8603db17c9ea |
| SHA1 | a30df84b937036c370b5a6b415778583a41f5870 |
| SHA256 | d61954427b7918e4540fc315516922d34af9414188edd0a0c808d3191659cf38 |
| SHA512 | 043022524bf5f111f54a12f0d4e7d9ab8ec30f3c5701a8d06e1f6732f5890663a877cd1da63b1dfa262e79faf282216b2fbc010c267d6f2725620b1a4efb8051 |
memory/2352-50-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2352-51-0x0000000072FF0000-0x00000000737A0000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/2352-55-0x0000000007AF0000-0x0000000008094000-memory.dmp
memory/2352-56-0x0000000007540000-0x00000000075D2000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/2352-59-0x0000000005070000-0x0000000005080000-memory.dmp
memory/2352-61-0x00000000075F0000-0x00000000075FA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3430018.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/2352-79-0x00000000086C0000-0x0000000008CD8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/2352-81-0x0000000007890000-0x000000000799A000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe
| MD5 | d5a325a2f73a22cae1d7128d77d0cd6b |
| SHA1 | 107ac44ca5e19e7c3610bc893ccc161d8b48379f |
| SHA256 | f831569038447149e773bfaf34d6fa7bf6e987523f61820ffdf4527df1ff10b2 |
| SHA512 | 64cafe7ad74cf5b0ab22ae5288d1e5e873d61a6c656bad98855ad2b55a6e41e9e316b840514e07c4539c0614a5a911f1571b9690a55d3a556ae0335902fa973e |
memory/2352-84-0x00000000077C0000-0x00000000077D2000-memory.dmp
memory/2352-85-0x0000000007820000-0x000000000785C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w2411947.exe
| MD5 | d5a325a2f73a22cae1d7128d77d0cd6b |
| SHA1 | 107ac44ca5e19e7c3610bc893ccc161d8b48379f |
| SHA256 | f831569038447149e773bfaf34d6fa7bf6e987523f61820ffdf4527df1ff10b2 |
| SHA512 | 64cafe7ad74cf5b0ab22ae5288d1e5e873d61a6c656bad98855ad2b55a6e41e9e316b840514e07c4539c0614a5a911f1571b9690a55d3a556ae0335902fa973e |
memory/2352-88-0x00000000079A0000-0x00000000079EC000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\AC00.tmp\AC01.bat
| MD5 | 5a115a88ca30a9f57fdbb545490c2043 |
| SHA1 | 67e90f37fc4c1ada2745052c612818588a5595f4 |
| SHA256 | 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d |
| SHA512 | 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 7a602869e579f44dfa2a249baa8c20fe |
| SHA1 | e0ac4a8508f60cb0408597eb1388b3075e27383f |
| SHA256 | 9ecfb98abb311a853f6b532b8eb6861455ca3f0cc3b4b6b844095ad8fb28dfa5 |
| SHA512 | 1f611034390aaeb815d92514cdeea68c52ceb101ad8ac9f0ae006226bebc15bfa283375b88945f38837c2423d2d397fbf832b85f7db230af6392c565d21f8d10 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3d5af55f794f9a10c5943d2f80dde5c5 |
| SHA1 | 5252adf87d6bd769f2c39b9e8eba77b087a0160d |
| SHA256 | 43e50edafcaaeae9fcd4dce5b99bf14fe79dae1401019443f31aa9ff81347764 |
| SHA512 | 2e2e09a00db732ff934da1e6ab8617fb3c8de482f9667a2c987435d0a5d67550b4bfd66e8b4475012b60908c24e39dff58e2f2ffa55f13ffc55caae1be630c71 |
\??\pipe\LOCAL\crashpad_2900_HABGJQCPKRQUGDVD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_1496_ZXEYQROCAPEYLJQV
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4446a480a8e9b5fe6efef9e4677d6e42 |
| SHA1 | e2f2184087540389b0ada66401f8c5f99377dc9c |
| SHA256 | 3993de71d892c940fb2d8be2de2dece7f54a6e94d48718f64cfdecba7efb4122 |
| SHA512 | 1067404512ce4c458e7db22c688eb51157cc4068ae222f4ba77bbc4845d4d17a2a3ea06b3a8cb4fc47e9874bf468dd960fa96c4db036f3f99f7d48b63d972f07 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | cc601327cdbd829e94eb5290e20c60ff |
| SHA1 | 86bc2092a2b5844c52dc4951d88ff893137aa34e |
| SHA256 | 9e26e9f03e2842c374c939045d6932e96c09a8d733d03331e71ea98b73898e60 |
| SHA512 | 8515162cecd6180ba153e8269fed832be58d174556d4d31ec56bddeeed75554b01572b95240cf73ca8e8c214ea20ce7d6bc1f4d8f5b715bdd5320d4dc0205c03 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/2352-241-0x0000000072FF0000-0x00000000737A0000-memory.dmp
memory/2352-246-0x0000000005070000-0x0000000005080000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 4446a480a8e9b5fe6efef9e4677d6e42 |
| SHA1 | e2f2184087540389b0ada66401f8c5f99377dc9c |
| SHA256 | 3993de71d892c940fb2d8be2de2dece7f54a6e94d48718f64cfdecba7efb4122 |
| SHA512 | 1067404512ce4c458e7db22c688eb51157cc4068ae222f4ba77bbc4845d4d17a2a3ea06b3a8cb4fc47e9874bf468dd960fa96c4db036f3f99f7d48b63d972f07 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\3bfea12c-c3d4-4daf-a560-dc14beb68e4b.tmp
| MD5 | 32b586c1bdcc9de55941948b8a2570c7 |
| SHA1 | 8def6291ae6824a2c5e5538618681d8924c0b125 |
| SHA256 | ad5d285e014f3654859192abdbd27f05842e6799bcf624a3973003738b2a5e35 |
| SHA512 | 1212f133bafc757614791e9b48e1361ba811c8ef1bd6753bcaa74c13bea0c58406358132f243545bce29a2e56e9554da7242ef026aa5fe1d8dffe33307008c99 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 379215fb7a4ca49834652232569b0859 |
| SHA1 | 95dbc147e17b8eb9b5e9ec5f8e774dfee0eb75f3 |
| SHA256 | 9ebc20f340ebc83279809034e95b875adfcb51df34bd57adb5a2402c51ee6676 |
| SHA512 | 8fd8fd9a7ecc3879487669ecf36768a83c1dc96bb7cf14e589d5de8d27afa132f3b518b1294bdd326b8612da02e37c9d7fa433f56142b6af8c2fdaf2b9690252 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 10f5b64000466c1e6da25fb5a0115924 |
| SHA1 | cb253bacf2b087c4040eb3c6a192924234f68639 |
| SHA256 | d818b1cebb2d1e2b269f2e41654702a0df261e63ba2a479f34b75563265ee46b |
| SHA512 | 8a8d230594d6fade63ecd63ba60985a7ccd1353de8d0a119543985bf182fdbb45f38ccc96441c24f0792ea1c449de69563c38348c2bedb2845522a2f83a149db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 1a77a27cb4e203ea7441e30b9fe0e0dd |
| SHA1 | 67d17345512514bb81fe30bfd474c98809bf1cd5 |
| SHA256 | f06d782c6c6fa3922a63d7a2d6ae47b2031f5c8971c0ba4eef5949b92caebfd0 |
| SHA512 | 418e3d85d14c73864c10adce983a7e1098485cd40e34d607ad92c247886bc08b9acffaa977217f7176cf6776146955d90f32807253ec1611abc60ff9178c71db |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4bcbfc3f81ed45b59227ff34c3adb982 |
| SHA1 | 2b7334ef9606ffa9040c33139c66a696b0d6cd7d |
| SHA256 | c15adba65eb11f843cc919ce7e40008cd9c2be967f0414259a4c9a3390f39b37 |
| SHA512 | 3ff384000e8c8ce2ee573a9e190b2cb7164402a7334809a52a54aeff1ebcf8940ad1995382eeb42917f987381cc174ddd3f3b203e5604c9d505f9c291d2a063d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585d7d.TMP
| MD5 | b7647e7c07544aa3c82e1b1ede58b809 |
| SHA1 | 1e5212c18ead3d752c8a9d4c5c025a2eb09539e8 |
| SHA256 | c92c7bdbc1d3158dfb838fd76a9ca3af7c5552cfb90fd16ecdeb874711089431 |
| SHA512 | a886199aadd340084402f0021e1d77b20e0c9da0e82cd7ad5fef644065b349877991a575a0c2f1eccb1779a933d6cc96566fb86cd1855857caf727ac59fc92ef |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\81078522-596a-44df-bc18-0f5392b1138f.tmp
| MD5 | e02a13cfdf7640f1931a8a291a47c7ca |
| SHA1 | 477f174776cf20e2df9e5e4bde300f1de7d0654a |
| SHA256 | 95de271c7a6fefe5d883c4ca70141c121b69258f4e97042e86487c4d83d8e8c6 |
| SHA512 | 88359542796af01eb2dafc9f95ece1f81b226755a2f3c0ba26c059f1004b343b7913eb17dfcfbe94fee9280b42fcd7435c2a897549134fe710e8e6798627de41 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | cc27a872f90e56f93aa1f4acf48fdffa |
| SHA1 | 93c01297d9888bcfb2c7ba347ba783368d6fd1d0 |
| SHA256 | 088b7e1260f751ce440f0f8363b7accb664622fc5da73eccacfc7b58933d2c53 |
| SHA512 | 1308a050ab7f88e7d60c1f09fba525ad28690c901563836c2b2272c50cdb6c83ea325ca7293d3225e5ff28190f4aa64b1bf3387a3fd3b03f881189bb67f370e1 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | d1031a27043b95973abf61b6ea458b7f |
| SHA1 | 80c7888ce0e42f43a4f680af8ad47586a426e52c |
| SHA256 | dcaaa503c139ab78315ddb55b6702a16559ef6e8681f1f6ba71c0e72093a3f78 |
| SHA512 | 38c265c648287be8e4747965d056564688419a9b12ea3e985d0f123e67b0aee980aaea0e437db44faa5484ab7c3f2a5293d8ac372b5370b378375e0fb209f882 |
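Three things in the dropped-file listing above are easy to misread when turning it into indicators: the same file is reported several times, identical bytes appear under different names (the IXP00x.TMP stage binaries and the explothe.exe / legota.exe copies share every hash), and the crashpad named pipes carry the digests of zero bytes, so matching on them would flag every empty file on every host. The parser below is an added example written for this page, not code from the sandbox vendor; it reads the page's own path-then-hash-rows layout, skips memory-dump lines, collapses repeats, verifies the zero-byte digests with hashlib instead of trusting hardcoded constants, and groups paths by content. The sample text is constructed from four entries on this page; the helper names and the assumption that only .exe/.dll/.bat drops belong on a blocklist are this example's own.

```python
"""Added example: parse a sandbox dropped-file listing, deduplicate repeated
entries, recognise zero-byte artifacts and group paths that share content.
Sample text is constructed from this page; helper names are this example's."""
import hashlib
import re
from collections import defaultdict

# Digests of zero bytes. An entry hashing to these (here: the crashpad named
# pipes) was created but never written, so its hash is not an indicator.
EMPTY_DIGESTS = {
    "MD5": hashlib.md5(b"").hexdigest(),
    "SHA1": hashlib.sha1(b"").hexdigest(),
    "SHA256": hashlib.sha256(b"").hexdigest(),
    "SHA512": hashlib.sha512(b"").hexdigest(),
}

_HASH_ROW = re.compile(r"^\|\s*(MD5|SHA1|SHA256|SHA512)\s*\|\s*([0-9A-Fa-f]+)\s*\|$")
_MEM_DUMP = re.compile(r"^memory/\d+-\d+-0x[0-9A-Fa-f]+-0x[0-9A-Fa-f]+-memory\.dmp$")


def parse_listing(text):
    """One dict per file entry, in page order: {"path": ..., "MD5": ..., ...}.
    Memory-dump lines are regions, not files, and are skipped."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or _MEM_DUMP.match(line):
            continue
        m = _HASH_ROW.match(line)
        if m:
            if current is None:
                raise ValueError("hash row before any path line: " + line)
            current[m.group(1)] = m.group(2).lower()
        else:
            # Any other non-empty line starts a new entry: a Windows path or a
            # \??\ native device path such as the crashpad pipes.
            current = {"path": line}
            entries.append(current)
    return entries


def is_empty_content(entry):
    """True when every recorded digest is the digest of zero bytes."""
    return all(entry.get(alg) == digest for alg, digest in EMPTY_DIGESTS.items())


def dedupe(entries):
    """Drop repeated (path, SHA256) pairs, keeping the first occurrence."""
    seen, out = set(), []
    for e in entries:
        key = (e["path"], e.get("SHA256"))
        if key not in seen:
            seen.add(key)
            out.append(e)
    return out


def group_by_content(entries):
    """SHA256 -> sorted distinct paths. More than one path under a hash means
    the same bytes were written under different names (a self-copy)."""
    groups = defaultdict(set)
    for e in entries:
        if "SHA256" in e:
            groups[e["SHA256"]].add(e["path"])
    return {h: sorted(paths) for h, paths in groups.items()}


def blocklist_sha256(entries):
    """SHA256 values worth blocking: skip zero-byte artifacts and, as this
    example's own assumption, keep only executable and script drops."""
    keep = (".exe", ".dll", ".bat")
    return sorted({
        e["SHA256"] for e in entries
        if "SHA256" in e and not is_empty_content(e)
        and e["path"].lower().endswith(keep)
    })


# Constructed sample: entries copied from the listing on this page, including
# one verbatim repeat, one renamed copy and one zero-byte named pipe.
SAMPLE = r"""
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0532236.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/2352-55-0x0000000007AF0000-0x0000000008094000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
\??\pipe\LOCAL\crashpad_2900_HABGJQCPKRQUGDVD
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
"""

if __name__ == "__main__":
    unique = dedupe(parse_listing(SAMPLE))
    for sha, paths in group_by_content(unique).items():
        if len(paths) > 1:
            print("same content under several names:", sha[:16], paths)
    print("blocklist:", blocklist_sha256(unique))
```

Run against the full listing, group_by_content is what surfaces the persistence copies (t0532236.exe to fefffe8cea\explothe.exe, u3430018.exe to cb378487cf\legota.exe) without needing to eyeball 64-character digests, and is_empty_content is the check to run before any hash from a report is promoted to a detection rule.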