Analysis Overview
SHA256
4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886
Threat Level: Known bad
The file 4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886 was found to be: Known bad.
Malicious Activity Summary
Healer
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
SectopRAT payload
Amadey
SectopRAT
Detects Healer, an antivirus disabler dropper
Downloads MZ/PE file
Executes dropped EXE
Checks computer location settings
Windows security modification
Loads dropped DLL
Reads user/profile data of web browsers
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Suspicious use of SetThreadContext
Launches sc.exe
Enumerates physical storage devices
Unsigned PE
Program crash
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Creates scheduled task(s)
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious behavior: EnumeratesProcesses
Enumerates system info in registry
Analysis: static1
Detonation Overview
Reported
2023-10-03 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 02:17
Reported
2023-10-03 02:20
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
SectopRAT
SectopRAT payload
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Downloads MZ/PE file
Checks computer location settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Reads user/profile data of web browsers
Windows security modification
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe | N/A |
Checks installed software on the system
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 3364 set thread context of 4084 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2876 set thread context of 3612 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1811288.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1128 set thread context of 6036 | N/A | C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe | C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe |
Launches sc.exe
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe
"C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3364 -ip 3364
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4084 -ip 4084
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 192
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 616
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1811288.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1811288.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2876 -ip 2876
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 156
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FE84.tmp\FE85.tmp\FE86.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6cd146f8,0x7ffe6cd14708,0x7ffe6cd14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe6cd146f8,0x7ffe6cd14708,0x7ffe6cd14718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,13746839404032895602,359278513639732450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe
"C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ldmIbjiKkLblz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp"
C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe
"{path}"
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\system32\sc.exe
C:\Windows\system32\sc.exe start wuauserv
Network
Files
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/3612-68-0x0000000008830000-0x0000000008E48000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/3612-70-0x0000000007AB0000-0x0000000007BBA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/3612-75-0x0000000007860000-0x0000000007872000-memory.dmp
memory/3612-76-0x00000000079E0000-0x0000000007A1C000-memory.dmp
memory/3612-77-0x0000000007A20000-0x0000000007A6C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe
| MD5 | cf3a6d7f156a56141c3f4f08bdb6d626 |
| SHA1 | 156c24a7afd8c6d21f3a55054b9d25217dbd5264 |
| SHA256 | f8a9069f9a37702a76a3c9b2d1a7e69c6702163b9a7c8f881e2cba6c3354ec5c |
| SHA512 | 2a23b5ee02440ea41910e4ba15cf5d2e357222d9929322bf4678671911944179cccdc4a67a67de2e6cd0ae1ba2f3620b829a10fa08230a9e9742e96ce56c0445 |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe
| MD5 | cf3a6d7f156a56141c3f4f08bdb6d626 |
| SHA1 | 156c24a7afd8c6d21f3a55054b9d25217dbd5264 |
| SHA256 | f8a9069f9a37702a76a3c9b2d1a7e69c6702163b9a7c8f881e2cba6c3354ec5c |
| SHA512 | 2a23b5ee02440ea41910e4ba15cf5d2e357222d9929322bf4678671911944179cccdc4a67a67de2e6cd0ae1ba2f3620b829a10fa08230a9e9742e96ce56c0445 |
C:\Users\Admin\AppData\Local\Temp\FE84.tmp\FE85.tmp\FE86.bat
| MD5 | 5a115a88ca30a9f57fdbb545490c2043 |
| SHA1 | 67e90f37fc4c1ada2745052c612818588a5595f4 |
| SHA256 | 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d |
| SHA512 | 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 3478c18dc45d5448e5beefe152c81321 |
| SHA1 | a00c4c477bbd5117dec462cd6d1899ec7a676c07 |
| SHA256 | d2191cbeb51c49cbcd6f0ef24c8f93227b56680c95c762843137ac5d5f3f2e23 |
| SHA512 | 8473bb9429b1baf1ca4ac2f03f2fdecc89313624558cf9d3f58bebb58a8f394c950c34bdc7b606228090477f9c867b0d19a00c0e2f76355c613dafd73d69599c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
\??\pipe\LOCAL\crashpad_4264_HRCDSGVANTXIUEFL
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_4368_ZTURBFOHGCRRNXMQ
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 4d25fc6e43a16159ebfd161f28e16ef7 |
| SHA1 | 49941a4bc3ed1ef90c7bcf1a8f0731c6a68facb4 |
| SHA256 | cee74fad9d775323a5843d9e55c770314e8b58ec08653c7b2ce8e8049df42bb5 |
| SHA512 | ea598fb8bfe15c777daeb025da98674fe8652f7341e5d150d188c46744fce11c4d20d1686d185039c5025c9a4252d1585686b1c3a4df4252e69675aaf37edfc1 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ca80f434d7dbd3ce1528400f24b35057 |
| SHA1 | 51c2296e1eb3ede31068b89453eca64435ed90f2 |
| SHA256 | a5e022c6b62fd64750d286cbf20c3f1938fa503ac30f169ba8577e0df2812ff2 |
| SHA512 | 33812e84769a5332fceda73a08f055cb8bbfd4eca59548a8f38f7a996a263ae22d1051ac264d29b12a229d68d864b537bb2404e6d142c7bdfe026301f29be7dc |
C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe
| MD5 | 920a089d7d8a61118bb3841a3baa3693 |
| SHA1 | 2de4ce86a9f91d3e0dd122ccd4897d6149562288 |
| SHA256 | 9afe813869db91d71c864c00264a6618027189cad8c6aee2596b887c507d52cf |
| SHA512 | 4639db2a091b17154a70ffb72309fd7064dc3cf040474a56bd22a2cb58dbed8e819fe449da6ddc1a2524c58106803b74c2835cbc9438dc575c409bbac2817de8 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | c92ae002da963a047f35444c77ce08a9 |
| SHA1 | aaa388316e957bd69314e57892e5fb8b788b2498 |
| SHA256 | cc173cc7ba9eaf425b788d4b8f30a764df86e2a855f7c768e9f335c8c2dc22a4 |
| SHA512 | f7e9acde07325a3c4426d0df402c40af1c32fe0b3f0cfe2a662a4a70604243437aee073b51e2c146830cec80a9e3bc17d9f54df34721663f4366276982981d20 |
C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe
| MD5 | 920a089d7d8a61118bb3841a3baa3693 |
| SHA1 | 2de4ce86a9f91d3e0dd122ccd4897d6149562288 |
| SHA256 | 9afe813869db91d71c864c00264a6618027189cad8c6aee2596b887c507d52cf |
| SHA512 | 4639db2a091b17154a70ffb72309fd7064dc3cf040474a56bd22a2cb58dbed8e819fe449da6ddc1a2524c58106803b74c2835cbc9438dc575c409bbac2817de8 |
C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe
| MD5 | 920a089d7d8a61118bb3841a3baa3693 |
| SHA1 | 2de4ce86a9f91d3e0dd122ccd4897d6149562288 |
| SHA256 | 9afe813869db91d71c864c00264a6618027189cad8c6aee2596b887c507d52cf |
| SHA512 | 4639db2a091b17154a70ffb72309fd7064dc3cf040474a56bd22a2cb58dbed8e819fe449da6ddc1a2524c58106803b74c2835cbc9438dc575c409bbac2817de8 |
memory/1128-171-0x0000000000C80000-0x0000000000D06000-memory.dmp
memory/1128-172-0x00000000740F0000-0x00000000748A0000-memory.dmp
memory/1128-173-0x00000000055D0000-0x000000000566C000-memory.dmp
memory/1128-179-0x0000000005930000-0x0000000005940000-memory.dmp
memory/1128-180-0x00000000058A0000-0x00000000058F6000-memory.dmp
memory/1128-241-0x0000000008400000-0x000000000840C000-memory.dmp
memory/3612-254-0x00000000740F0000-0x00000000748A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/3612-264-0x0000000007730000-0x0000000007740000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | d1bef07ad9a82f5479619041deb3c22f |
| SHA1 | 98cda7d85167d721e3b6dccc05232d1812434a21 |
| SHA256 | 91806ee9215cb8678c865a5cd23746520830db9e6e8104aafa55d9eeee359285 |
| SHA512 | 78987d9af653bcb4d0db7402897f8fcf34ef79c5a967cd2bd154cc709506f08801c21cc4d7604c55f772eea70e1166de20b8db0f0dc0a5f80f683e08f1dbdf9d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | ca80f434d7dbd3ce1528400f24b35057 |
| SHA1 | 51c2296e1eb3ede31068b89453eca64435ed90f2 |
| SHA256 | a5e022c6b62fd64750d286cbf20c3f1938fa503ac30f169ba8577e0df2812ff2 |
| SHA512 | 33812e84769a5332fceda73a08f055cb8bbfd4eca59548a8f38f7a996a263ae22d1051ac264d29b12a229d68d864b537bb2404e6d142c7bdfe026301f29be7dc |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | d821a382b9979561fd2149a7a69d9e31 |
| SHA1 | 95835dd8ed11b98e02f54da5ed0a168420434e24 |
| SHA256 | 0ced14fd599cfb6c4ca48926444a17565b367397278fb3801ed47131fb0bc6ba |
| SHA512 | 6bbae6e660ca470c90778c05e9fc7d72e55df6a716b19d005ae1265878838d5a1531ca1c9ea24d83c3c2bb948b34e973dc67f20728b43408ed09223515b8a446 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | d555d038867542dfb2fb0575a0d3174e |
| SHA1 | 1a5868d6df0b5de26cf3fc7310b628ce0a3726f0 |
| SHA256 | 044cac379dddf0c21b8e7ee4079d21c67e28795d14e678dbf3e35900f25a1e2e |
| SHA512 | d8220966fe6c3ae4499bc95ab3aead087a3dd915853320648849d2fc123a4acd157b7dba64af0108802522575a822651ecc005523c731423d9131ee679c2712f |
memory/1128-297-0x00000000740F0000-0x00000000748A0000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/1128-304-0x0000000005930000-0x0000000005940000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 4ef032d4d72bf46213db716f116a7f01 |
| SHA1 | ca3f8a5a73a2a1a04c93f3eada8a38ed857759f9 |
| SHA256 | 3ce906880e45234c859b01a8933446d3df1b78850f1cc95adeed29c8bbb68da8 |
| SHA512 | 8f0355f5905c9da4e8953397f2ee8e7f0ac9da956ba9a9983622f7f0ba61f7686e7efa5f91a0814e2a3f2d9c3e47cd88cc6a2cd666fdcca606caf2e60786e507 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe585cd1.TMP
| MD5 | 02191ea4cd6c238282d1ca4b04698d1e |
| SHA1 | 82bce6dfd12daae3193c54fa87f206b2fd8419ad |
| SHA256 | a19961a1fa3af935f4f75bd37ac8497d27caf7b2d27e6d52f93ec3138a12898f |
| SHA512 | 2c0b04d255026ebd37b8662f68b431018e594c42be0e7e4aa0f1fa45c5343e4884bee1aa877bcffd3c341b29f933cba6470bed7b7323cf682d253a8b76a9bef3 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 32596975448253ed5f0305a0d8835d13 |
| SHA1 | 7bed99d65bfbf219cf6f26f8ca848b8b9ceb740e |
| SHA256 | a7259eeca7a31b65bcf0483c66572d8e4e87154dbc1f45c1387c0c9f51ff907a |
| SHA512 | c2896dc7d1eaca028bf631984a57d9fc98f87bad1e7614f87d2969a4506cbfcd3b90b72dd802a4a047002f49d522e9e8eeefbf05844fd5156f423d1521f6bf67 |
memory/1128-329-0x00000000069F0000-0x0000000006A5C000-memory.dmp
memory/1128-330-0x0000000006940000-0x000000000695E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp
| MD5 | ea6b2c97c7ee85df960c4f3b0dc31e93 |
| SHA1 | 292887de5103f58be662e9f5ef277a6de055a31e |
| SHA256 | 026ee03358bedce0189df5205dcbf2b917736b2629cd05a4bec4ffe144dd8568 |
| SHA512 | 3c20f707453dc3fa924252691bde0bb501de2b0b0660893ec29b720ee1f94b1061ae86e9d94394a9b7ae957c0dce92c183c96436045731ac50d6b98397f5dd5c |
memory/6036-334-0x0000000000400000-0x000000000041E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe
| MD5 | 920a089d7d8a61118bb3841a3baa3693 |
| SHA1 | 2de4ce86a9f91d3e0dd122ccd4897d6149562288 |
| SHA256 | 9afe813869db91d71c864c00264a6618027189cad8c6aee2596b887c507d52cf |
| SHA512 | 4639db2a091b17154a70ffb72309fd7064dc3cf040474a56bd22a2cb58dbed8e819fe449da6ddc1a2524c58106803b74c2835cbc9438dc575c409bbac2817de8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aYWnghBSFXyK0uq.exe.log
| MD5 | 17573558c4e714f606f997e5157afaac |
| SHA1 | 13e16e9415ceef429aaf124139671ebeca09ed23 |
| SHA256 | c18db6aecad2436da4a63ff26af4e3a337cca48f01c21b8db494fe5ccc60e553 |
| SHA512 | f4edf13f05a0d142e4dd42802098c8c44988ee8869621a62c2b565a77c9a95857f636583ff8d6d9baa366603d98b9bfbf1fc75bc6f9f8f83c80cb1215b2941cc |
memory/1128-337-0x00000000740F0000-0x00000000748A0000-memory.dmp
memory/6036-339-0x00000000740F0000-0x00000000748A0000-memory.dmp
memory/6036-340-0x0000000002630000-0x0000000002640000-memory.dmp
memory/6036-341-0x0000000006310000-0x00000000064D2000-memory.dmp
memory/6036-342-0x00000000740F0000-0x00000000748A0000-memory.dmp
memory/6036-343-0x0000000006A10000-0x0000000006F3C000-memory.dmp
memory/6036-344-0x00000000064E0000-0x0000000006546000-memory.dmp
memory/6036-354-0x0000000002630000-0x0000000002640000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7dbd0eb2f1355f3d39bc516b3ad78bbf |
| SHA1 | f9ea243197ecd0517c2577a17a193e5bdb14516b |
| SHA256 | 0948ffc058369597a5edcefed78abfad66b414b517214be47f7cb41db90321ca |
| SHA512 | d23478674e1e74cbe2322465769c59e5bb4995b7636ee4ae4ee3d0486bddacabd5ae5498dcfb47ec6d7a583b01f599fead85ae99d3c5b90de63211c9ac9b542b |
C:\Users\Admin\AppData\Local\Temp\tmpB00E.tmp
| MD5 | bfbc1a403197ac8cfc95638c2da2cf0e |
| SHA1 | 634658f4dd9747e87fa540f5ba47e218acfc8af2 |
| SHA256 | 272ed278e82c84cf4f80f48ec7989e1fc35f2055d6d05b63c8a31880846597a6 |
| SHA512 | b8938526fcbf7152805aec130ca553e3ec949cb825430a5d0a25c90ec5eb0863857010484a4b31fdc4bb65a4c92ad7127c812b93114be4569a677f60debe43b1 |
C:\Users\Admin\AppData\Local\Temp\tmpB00D.tmp
| MD5 | 4a8fbd593a733fc669169d614021185b |
| SHA1 | 166e66575715d4c52bcb471c09bdbc5a9bb2f615 |
| SHA256 | 714cd32f8edacb3befbfc4b17db5b6eb05c2c8936e3bae14ea25a6050d88ae42 |
| SHA512 | 6b2ebbbc34cd821fd9b3d7711d9cdadd8736412227e191883e5df19068f8118b7c80248eb61cc0a2f785a4153871a6003d79de934254b2c74c33b284c507a33b |
C:\Users\Admin\AppData\Local\Temp\tmpB00C.tmp
| MD5 | a33e5b189842c5867f46566bdbf7a095 |
| SHA1 | e1c06359f6a76da90d19e8fd95e79c832edb3196 |
| SHA256 | 5abf8e3d1f78de7b09d7f6fb87f9e80e60caacf13ef3c1289665653dacd7c454 |
| SHA512 | f2ad3812ec9b915e9618539b0f103f2e9acaad25fbbacd84941c954ce070af231324e83a4621e951c1dbae8d40d50410954e40dd52bbd46e34c54b0d1957407b |
C:\Users\Admin\AppData\Local\Temp\tmpB01E.tmp
| MD5 | 3b068f508d40eb8258ff0b0592ca1f9c |
| SHA1 | 59ac025c3256e9c6c86165082974fe791ff9833a |
| SHA256 | 07db44a8d6c3a512b15f1cb7262a2d7e4b63ced2130bc9228515431699191cc7 |
| SHA512 | e29624bc8fecb0e2a9d917642375bd97b42502e5f23812195a61a4920cae5b6ed540e74dfcf8432dcceb7de906ad0501cdd68056f9b0ec86a6bb0c1e336bfe32 |
C:\Users\Admin\AppData\Local\Temp\tmpB02F.tmp
| MD5 | 87cbab2a743fb7e0625cc332c9aac537 |
| SHA1 | 50f858caa7f4ac3a93cf141a5d15b4edeb447ee7 |
| SHA256 | 57e3b0d22fa619da90237d8bcf8f922b142c9f6abf47efc5a1f5b208c4d3f023 |
| SHA512 | 6b678f0dd0030806effe6825fd52a6a30b951e0c3dcf91dfd7a713d387aa8b39ec24368e9623c463360acba5e929e268f75ce996526c5d4485894b8ac6b2e0fa |
memory/6036-409-0x0000000006820000-0x0000000006896000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0adc13b924e4aa6d26ec3b46f1e18424 |
| SHA1 | 519271fd937303477b11fa2714c32c8224fb4068 |
| SHA256 | 7a63b71a6954ae19c4443c9ef0db20c63fc308dbbfdfacf322aab32858fa99b8 |
| SHA512 | 44b0a27c730ce1a6f922abd6f535343c580ee519ddd8162fd445fd4bdfcf71c6480a338da095345e48bab0d73f0a32d4968df13b3055918960682a69c2edf9ed |
memory/6036-419-0x0000000007040000-0x000000000705E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB3BB.tmp
| MD5 | 02d2c46697e3714e49f46b680b9a6b83 |
| SHA1 | 84f98b56d49f01e9b6b76a4e21accf64fd319140 |
| SHA256 | 522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9 |
| SHA512 | 60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac |
C:\Users\Admin\AppData\Local\Temp\tmpB400.tmp
| MD5 | 8395952fd7f884ddb74e81045da7a35e |
| SHA1 | f0f7f233824600f49147252374bc4cdfab3594b9 |
| SHA256 | 248c0c254592c08684c603ac37896813354c88ab5992fadf9d719ec5b958af58 |
| SHA512 | ea296a74758c94f98c352ff7d64c85dcd23410f9b4d3b1713218b8ee45c6b02febff53073819c973da0207471c7d70309461d47949e4d40ba7423328cf23f6cd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 0adc13b924e4aa6d26ec3b46f1e18424 |
| SHA1 | 519271fd937303477b11fa2714c32c8224fb4068 |
| SHA256 | 7a63b71a6954ae19c4443c9ef0db20c63fc308dbbfdfacf322aab32858fa99b8 |
| SHA512 | 44b0a27c730ce1a6f922abd6f535343c580ee519ddd8162fd445fd4bdfcf71c6480a338da095345e48bab0d73f0a32d4968df13b3055918960682a69c2edf9ed |
C:\Users\Admin\AppData\Local\Temp\tmpB449.tmp
| MD5 | 349e6eb110e34a08924d92f6b334801d |
| SHA1 | bdfb289daff51890cc71697b6322aa4b35ec9169 |
| SHA256 | c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a |
| SHA512 | 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574 |
C:\Users\Admin\AppData\Local\Temp\tmpB460.tmp
| MD5 | 7e0a4476fa92f54a7afa4ee31081d53c |
| SHA1 | 70fefc4e8cae7f2e9be110467c27d8ebe0760623 |
| SHA256 | ce4275c85321d310646b79b8eb8f83a39995eda4abb9bb106c946f70cd76f774 |
| SHA512 | 338202df96c7f552873c77a0d9d7bcae5aea1bc585730648fb922741bcee9990468e4d8037169cf56f60566c7dd41a4e00c411e36bbae412b68edbd1a23ebe04 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies
| MD5 | 7e0a4476fa92f54a7afa4ee31081d53c |
| SHA1 | 70fefc4e8cae7f2e9be110467c27d8ebe0760623 |
| SHA256 | ce4275c85321d310646b79b8eb8f83a39995eda4abb9bb106c946f70cd76f774 |
| SHA512 | 338202df96c7f552873c77a0d9d7bcae5aea1bc585730648fb922741bcee9990468e4d8037169cf56f60566c7dd41a4e00c411e36bbae412b68edbd1a23ebe04 |
memory/6036-512-0x0000000007440000-0x0000000007490000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpB4BF.tmp
| MD5 | f70aa3fa04f0536280f872ad17973c3d |
| SHA1 | 50a7b889329a92de1b272d0ecf5fce87395d3123 |
| SHA256 | 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8 |
| SHA512 | 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84 |
C:\Users\Admin\AppData\Local\Temp\tmpB4F9.tmp
| MD5 | d367ddfda80fdcf578726bc3b0bc3e3c |
| SHA1 | 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671 |
| SHA256 | 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0 |
| SHA512 | 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77 |
memory/6036-563-0x00000000740F0000-0x00000000748A0000-memory.dmp
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 877fc0a5e62253b4a2ee1f73768d01fa |
| SHA1 | 23f14de846efd96536c8f2d055e518c2e7598dc9 |
| SHA256 | 99765228b1adda7fdbd06a07715df072820c533fa2b80a49a94d091bae133aa5 |
| SHA512 | c93e55e48ac385ff5b60868b752f99d7b2a1843803232c04c8ac28abcaf4683a02c63e4306e1234ce42c380e168416349d27776a1433cb1fe6bd76a9721acb61 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | e0e492a234d168f791b88902be6148f0 |
| SHA1 | 4357e16c3d86e11cf1bb859cda16e60868219ef3 |
| SHA256 | 34974796d70fdeb68ba176c23160002eb91a9fd11f5c208b6984804b680e0055 |
| SHA512 | ecf8232fd45841c7819e8e70ad9f49ebf1a0d95b0d55ca5e44afd4a479abd4a9a2f90582c4fff051502bb13f24786f19d5631b9363d3cad92d1aac26579ed826 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 7f9b38a40096ed6ece4719ac734ee87b |
| SHA1 | 4273ddf4f52b067a10ec9b8e0097210a82d2863b |
| SHA256 | 502cb9be22c2ae092e3c38a5a5309950f7b6c55e93f4bad35d6353ab02d7cedb |
| SHA512 | a4644837d1f1000f85b278b823e482c78a7ec7688562c120ce2f91497896323943491a7a8a4142c99cd7144a314263de1f2484e6c046266e5a278e2c73f9b9c9 |