Malware Analysis Report

2025-08-11 02:10

Sample ID 231003-cqv8sshe63
Target 4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886
SHA256 4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886
Tags
amadey healer redline sectoprat cashoutgang jordan discovery dropper evasion infostealer persistence rat spyware stealer trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886

Threat Level: Known bad

The file 4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline sectoprat cashoutgang jordan discovery dropper evasion infostealer persistence rat spyware stealer trojan

Healer

Modifies Windows Defender Real-time Protection settings

RedLine

RedLine payload

SectopRAT payload

Amadey

SectopRAT

Detects Healer an antivirus disabler dropper

Downloads MZ/PE file

Executes dropped EXE

Checks computer location settings

Windows security modification

Loads dropped DLL

Reads user/profile data of web browsers

Accesses cryptocurrency files/wallets, possible credential harvesting

Adds Run key to start application

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Enumerates physical storage devices

Unsigned PE

Program crash

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Creates scheduled task(s)

Suspicious use of SendNotifyMessage

Suspicious use of FindShellTrayWindow

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 02:17

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 02:17

Reported

2023-10-03 02:20

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe"

Signatures

Amadey

trojan amadey

Detects Healer an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

SectopRAT

trojan rat sectoprat

SectopRAT payload

Description Indicator Process Target
N/A N/A N/A N/A

Downloads MZ/PE file

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Reads user/profile data of web browsers

spyware stealer

Windows security modification

evasion trojan
The TamperProtection = 0 write below is the dropper's attempt to switch Defender's Tamper Protection off so that the Real-Time Protection policy values it set (see Healer above) take effect. On a host where Tamper Protection is actually enforced that value cannot be changed from the registry and the policy values are ignored, so whether Defender was really disabled in this run depends on the sandbox image, not only on the sample. Treat the writes as the indicator and verify the resulting Defender state separately on any real host.
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A
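The Real-Time Protection policy writes listed under Healer and the TamperProtection write above are the rows a triage script should pick out automatically. The Python below is an added example written for this page, not code from the sandbox vendor or from the sample: it parses rows in the report's own column layout and returns the writes that switch a Defender feature off. The sample rows are constructed from this report's tables; the DEFENDER_OFF table, the prefix stripping and the function names are this example's own choices.

```python
"""Classify sandbox registry-write rows that switch Microsoft Defender features off.

Added example; this is not the sandbox's code. It assumes the row layout used in
the tables above ('Set value (int) <key>\\<value> = "<data>" <process> <target>');
the sample rows are constructed from this report's Healer, Windows security
modification, RunOnce and Geo\\Nation entries.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Settings whose listed data disable a protection. Keys are lower-case, relative to
# HKLM\SOFTWARE, with WOW6432Node stripped so 32-bit writers match as well.
_RTP = "policies\\microsoft\\windows defender\\real-time protection\\"
DEFENDER_OFF = {
    _RTP + "disablerealtimemonitoring": "1",
    _RTP + "disablebehaviormonitoring": "1",
    _RTP + "disableonaccessprotection": "1",
    _RTP + "disableioavprotection": "1",
    _RTP + "disablescanonrealtimeenable": "1",
    "policies\\microsoft\\windows defender\\disableantispyware": "1",
    "microsoft\\windows defender\\features\\tamperprotection": "0",
}
_HIVE = "\\registry\\machine\\software\\"
_WOW = "wow6432node\\"


@dataclass(frozen=True)
class RegistryWrite:
    path: str      # full key\value path as printed by the sandbox
    data: str      # value data as a string
    process: str   # image path of the writing process
    target: str    # Target column (N/A for registry rows)

    @property
    def relative_key(self) -> str:
        key = self.path.lower()
        for prefix in (_HIVE, _WOW):
            if key.startswith(prefix):
                key = key[len(prefix):]
        return key


def parse_row(row: str) -> Optional[RegistryWrite]:
    """Parse one 'Set value (...)' row; 'Key created' / 'Key value queried' rows give None."""
    head, sep, rest = row.partition(' = "')
    if not sep or not head.startswith("Set value ("):
        return None
    _, _, path = head.partition(") ")
    # the data ends at the first '" ' (closing quote followed by the process column)
    data, sep, tail = rest.partition('" ')
    if not sep:
        return None
    process, _, target = tail.rpartition(" ")
    return RegistryWrite(path, data, process, target)


def defender_findings(rows: List[str]) -> List[Tuple[str, str, str]]:
    """(process, value name, data) for every write that disables a Defender feature."""
    found = []
    for row in rows:
        write = parse_row(row)
        if write is None:
            continue
        if DEFENDER_OFF.get(write.relative_key) == write.data:
            found.append((write.process, write.path.rsplit("\\", 1)[-1], write.data))
    return found


# Constructed from the tables on this page.
_HEALER = r"C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe"
_RTP_KEY = r"\REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection"
SAMPLE_ROWS = [
    f'Set value (int) {_RTP_KEY}\\DisableOnAccessProtection = "1" {_HEALER} N/A',
    f'Set value (int) {_RTP_KEY}\\DisableRealtimeMonitoring = "1" {_HEALER} N/A',
    f'Set value (int) {_RTP_KEY}\\DisableScanOnRealtimeEnable = "1" {_HEALER} N/A',
    f'Key created {_RTP_KEY} {_HEALER} N/A',
    f'Set value (int) {_RTP_KEY}\\DisableBehaviorMonitoring = "1" {_HEALER} N/A',
    f'Set value (int) {_RTP_KEY}\\DisableIOAVProtection = "1" {_HEALER} N/A',
    f'Set value (int) \\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows Defender\\Features\\TamperProtection = "0" {_HEALER} N/A',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe N/A',
    r'Key value queried \REGISTRY\USER\S-1-5-21-1141987721-3945596982-3297311814-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe N/A',
]

if __name__ == "__main__":
    for process, value, data in defender_findings(SAMPLE_ROWS):
        name = process.rsplit("\\", 1)[-1]
        print(f"{name} set {value} = {data}")
```

Run against the rows above it reports six writes, all by q0552890.exe; the RunOnce and Geo\Nation rows fall through as expected, since neither touches a Defender setting.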

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Adds Run key to start application

persistence
The five RunOnce values below are the wextract_cleanupN entries written by the Windows self-extracting (WEXTRACT/IExpress) stub that each IXP00N.TMP layer of the bundle is built with; they call advpack.dll DelNodeRunDLL32 to delete the extraction directory at the next logon, not to relaunch anything. The persistence that matters in this run is the scheduled tasks created for explothe.exe and legota.exe (see Creates scheduled task(s) and the Processes list).
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe N/A

Checks installed software on the system

discovery

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
The schtasks.exe command lines captured under Processes create tasks named explothe.exe and legota.exe that run the dropped copies in C:\Users\Admin\AppData\Local\Temp\fefffe8cea and \cb378487cf every minute (/SC MINUTE /MO 1, with /F to overwrite any existing task of that name). Each task is paired with a cmd.exe chain that runs CACLS twice on the dropped file and again on its directory, first /P Admin:N (replace the ACL with no access) and then /P Admin:R /E (edit Read back in), so the logged-on user is left with read-only access to the binary and its folder.
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target Rows
N/A N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A 2
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 6
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A 2
N/A N/A C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe N/A 5
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 4
(identical consecutive rows collapsed; Rows is the number of hits)

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target Rows
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 25
(identical rows collapsed; Rows is the number of hits)

Suspicious use of SendNotifyMessage

Description Indicator Process Target Rows
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A 24
(identical rows collapsed; Rows is the number of hits)

Suspicious use of WriteProcessMemory

Description Indicator Process Target Rows
PID 552 wrote to memory of 692 N/A C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe 3
PID 692 wrote to memory of 780 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe 3
PID 780 wrote to memory of 4284 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe 3
PID 4284 wrote to memory of 3748 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe 3
PID 3748 wrote to memory of 632 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe 2
PID 3748 wrote to memory of 3364 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe 3
PID 3364 wrote to memory of 4696 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 3
PID 3364 wrote to memory of 2820 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 3
PID 3364 wrote to memory of 4084 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 10
PID 4284 wrote to memory of 2876 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1811288.exe 3
PID 2876 wrote to memory of 3612 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1811288.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe 8
PID 780 wrote to memory of 4576 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe 3
PID 4576 wrote to memory of 472 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe 3
PID 692 wrote to memory of 4580 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe 3
PID 472 wrote to memory of 4720 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\schtasks.exe 3
PID 472 wrote to memory of 216 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe 3
PID 4580 wrote to memory of 3880 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe 3
PID 216 wrote to memory of 3740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\cmd.exe 2
Identical rows are collapsed; Rows is the number of WriteProcessMemory events recorded for the pair. Every ordinary parent/child launch in this run shows two or three writes. The two pairs that stand out are r7500743.exe (3364) writing 10 times into AppLaunch.exe (4084) and s1811288.exe (2876) writing 8 times into AppLaunch.exe (3612): a loader writing a payload into a freshly started .NET host, which is also what the SetThreadContext signature in the summary points to. r7500743.exe started AppLaunch.exe three times (4696, 2820, 4084) and only the last instance received the extra writes. The WerFault.exe command lines under Processes show 3364, 4084 and 2876 crashing (-p 3364, -p 4084, -p 2876), so of the two injected AppLaunch.exe instances only 3612 survived; that process is the first place to look for the in-memory RedLine/SectopRAT payload flagged by the signatures above.
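Read as a graph, the table above is a process tree with a write count on each parent/child pair, and the count is the injection tell. The Python below is an added example, not part of the sandbox report: it rebuilds the tree from rows in the page's own "PID X wrote to memory of Y" format and flags children that received more writes than the run's own baseline. The edge list is constructed from the table above; the baseline heuristic and the function names are this example's assumptions.

```python
"""Rebuild the parent/child tree from 'PID X wrote to memory of Y' rows and flag
children that received many more writes than ordinary process creation.

Added example, not part of the sandbox report. It assumes the row layout
'PID <p> wrote to memory of <c> N/A <parent image> <child image>'; the edge
list below is constructed from the WriteProcessMemory table on this page.
"""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

ROW_RE = re.compile(
    r"^PID (\d+) wrote to memory of (\d+) N/A ([A-Za-z]:\\.*?) ([A-Za-z]:\\.*)$"
)

TMP = r"C:\Users\Admin\AppData\Local\Temp"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
SYSWOW = r"C:\Windows\SysWOW64"
SAMPLE = "4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe"


def ixp(layer: int, name: str) -> str:
    """Path of a file inside the nth WEXTRACT extraction directory (IXP00n.TMP)."""
    return f"{TMP}\\IXP00{layer}.TMP\\{name}"


# (parent pid, child pid, parent image, child image, rows in the table)
SAMPLE_EDGES = [
    (552, 692, f"{TMP}\\{SAMPLE}", ixp(0, "z7900144.exe"), 3),
    (692, 780, ixp(0, "z7900144.exe"), ixp(1, "z1099858.exe"), 3),
    (780, 4284, ixp(1, "z1099858.exe"), ixp(2, "z9890190.exe"), 3),
    (4284, 3748, ixp(2, "z9890190.exe"), ixp(3, "z8768033.exe"), 3),
    (3748, 632, ixp(3, "z8768033.exe"), ixp(4, "q0552890.exe"), 2),
    (3748, 3364, ixp(3, "z8768033.exe"), ixp(4, "r7500743.exe"), 3),
    (3364, 4696, ixp(4, "r7500743.exe"), APPLAUNCH, 3),
    (3364, 2820, ixp(4, "r7500743.exe"), APPLAUNCH, 3),
    (3364, 4084, ixp(4, "r7500743.exe"), APPLAUNCH, 10),
    (4284, 2876, ixp(2, "z9890190.exe"), ixp(3, "s1811288.exe"), 3),
    (2876, 3612, ixp(3, "s1811288.exe"), APPLAUNCH, 8),
    (780, 4576, ixp(1, "z1099858.exe"), ixp(2, "t0343804.exe"), 3),
    (4576, 472, ixp(2, "t0343804.exe"), f"{TMP}\\fefffe8cea\\explothe.exe", 3),
    (692, 4580, ixp(0, "z7900144.exe"), ixp(1, "u9709629.exe"), 3),
    (472, 4720, f"{TMP}\\fefffe8cea\\explothe.exe", f"{SYSWOW}\\schtasks.exe", 3),
    (472, 216, f"{TMP}\\fefffe8cea\\explothe.exe", f"{SYSWOW}\\cmd.exe", 3),
    (4580, 3880, ixp(1, "u9709629.exe"), f"{TMP}\\cb378487cf\\legota.exe", 3),
    (216, 3740, f"{SYSWOW}\\cmd.exe", f"{SYSWOW}\\cmd.exe", 2),
]
# Expand back into the report's row format, one row per recorded write.
SAMPLE_ROWS = [
    f"PID {p} wrote to memory of {c} N/A {pimg} {cimg}"
    for p, c, pimg, cimg, n in SAMPLE_EDGES
    for _ in range(n)
]


def parse_writes(rows: List[str]) -> Tuple[Counter, Dict[int, str]]:
    """Count write rows per (parent, child) pair and remember each pid's image path."""
    edges: Counter = Counter()
    image: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        ppid, cpid = int(m.group(1)), int(m.group(2))
        edges[(ppid, cpid)] += 1
        image[ppid], image[cpid] = m.group(3), m.group(4)
    return edges, image


def write_baseline(edges: Counter) -> int:
    """Most common per-pair write count: what a plain child launch costs in this run."""
    return Counter(edges.values()).most_common(1)[0][0]


def injection_candidates(edges: Counter, image: Dict[int, str]) -> List[Tuple[int, int, str, int]]:
    """(child pid, parent pid, child image, writes) for children written to more than baseline."""
    base = write_baseline(edges)
    hits = [(c, p, image[c], n) for (p, c), n in edges.items() if n > base]
    return sorted(hits, key=lambda h: -h[3])


def process_tree(edges: Counter, image: Dict[int, str], root: int) -> List[str]:
    """Indented 'pid name' lines, depth-first, children in pid order."""
    children = defaultdict(list)
    for p, c in edges:
        children[p].append(c)
    lines: List[str] = []

    def walk(pid: int, depth: int) -> None:
        name = image[pid].rsplit("\\", 1)[-1]
        lines.append("  " * depth + f"{pid} {name}")
        for child in sorted(children[pid]):
            walk(child, depth + 1)

    walk(root, 0)
    return lines


if __name__ == "__main__":
    edges, image = parse_writes(SAMPLE_ROWS)
    print("\n".join(process_tree(edges, image, 552)))
    print("baseline writes per child:", write_baseline(edges))
    for cpid, ppid, img, n in injection_candidates(edges, image):
        print(f"{ppid} -> {cpid} {img}: {n} writes")
```

The baseline is taken from the run itself rather than hard-coded, because the number of writes a sandbox records for a plain CreateProcess varies between sandboxes and Windows builds; what matters is the outliers relative to the rest of the tree, and here they are exactly the two AppLaunch.exe instances.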

Processes

C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe

"C:\Users\Admin\AppData\Local\Temp\4e90b87a2434b18ef2366584e829b15104400d7b3401834f2a855e75946e7886.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z7900144.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1099858.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z9890190.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z8768033.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0552890.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r7500743.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 3364 -ip 3364

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4084 -ip 4084

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4084 -s 192

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 3364 -s 616

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1811288.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s1811288.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2876 -ip 2876

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2876 -s 156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0343804.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u9709629.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FE84.tmp\FE85.tmp\FE86.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w7960995.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe6cd146f8,0x7ffe6cd14708,0x7ffe6cd14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffe6cd146f8,0x7ffe6cd14708,0x7ffe6cd14718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2164,13746839404032895602,359278513639732450,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,13746839404032895602,359278513639732450,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2172 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2936 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3488 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe

"C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5304 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5400 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5384 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4148 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4072 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\ldmIbjiKkLblz" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7C11.tmp"

C:\Users\Admin\AppData\Local\Temp\1000088001\aYWnghBSFXyK0uq.exe

"{path}"

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\system32\sc.exe

C:\Windows\system32\sc.exe start wuauserv

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2164,16945149903225444560,4922281664872199912,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4720 /prefetch:2

Network


Files

SHA512 44b0a27c730ce1a6f922abd6f535343c580ee519ddd8162fd445fd4bdfcf71c6480a338da095345e48bab0d73f0a32d4968df13b3055918960682a69c2edf9ed

C:\Users\Admin\AppData\Local\Temp\tmpB449.tmp

MD5 349e6eb110e34a08924d92f6b334801d
SHA1 bdfb289daff51890cc71697b6322aa4b35ec9169
SHA256 c9fd7be4579e4aa942e8c2b44ab10115fa6c2fe6afd0c584865413d9d53f3b2a
SHA512 2a635b815a5e117ea181ee79305ee1baf591459427acc5210d8c6c7e447be3513ead871c605eb3d32e4ab4111b2a335f26520d0ef8c1245a4af44e1faec44574

C:\Users\Admin\AppData\Local\Temp\tmpB460.tmp

MD5 7e0a4476fa92f54a7afa4ee31081d53c
SHA1 70fefc4e8cae7f2e9be110467c27d8ebe0760623
SHA256 ce4275c85321d310646b79b8eb8f83a39995eda4abb9bb106c946f70cd76f774
SHA512 338202df96c7f552873c77a0d9d7bcae5aea1bc585730648fb922741bcee9990468e4d8037169cf56f60566c7dd41a4e00c411e36bbae412b68edbd1a23ebe04

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cookies

MD5 7e0a4476fa92f54a7afa4ee31081d53c
SHA1 70fefc4e8cae7f2e9be110467c27d8ebe0760623
SHA256 ce4275c85321d310646b79b8eb8f83a39995eda4abb9bb106c946f70cd76f774
SHA512 338202df96c7f552873c77a0d9d7bcae5aea1bc585730648fb922741bcee9990468e4d8037169cf56f60566c7dd41a4e00c411e36bbae412b68edbd1a23ebe04

memory/6036-512-0x0000000007440000-0x0000000007490000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpB4BF.tmp

MD5 f70aa3fa04f0536280f872ad17973c3d
SHA1 50a7b889329a92de1b272d0ecf5fce87395d3123
SHA256 8d782aa65de6db3538a14da82216e96d5e0a3c60496726e3541a8165bccc65f8
SHA512 30675c5c610d9aa32a4c4a4d9c3af7570823cd197f8d2a709222c78e2cd15304bbed80e233e3674ec2f6e33d1961c67fd6a46dc8ba8b1a301cd0722932c03c84

C:\Users\Admin\AppData\Local\Temp\tmpB4F9.tmp

MD5 d367ddfda80fdcf578726bc3b0bc3e3c
SHA1 23fcd5e4e0e5e296bee7e5224a8404ecd92cf671
SHA256 0b8607fdf72f3e651a2a8b0ac7be171b4cb44909d76bb8d6c47393b8ea3d84a0
SHA512 40e9239e3f084b4b981431817ca282feb986cf49227911bf3d68845baf2ee626b564c8fabe6e13b97e6eb214da1c02ca09a62bcf5e837900160cf479c104bf77

memory/6036-563-0x00000000740F0000-0x00000000748A0000-memory.dmp

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 877fc0a5e62253b4a2ee1f73768d01fa
SHA1 23f14de846efd96536c8f2d055e518c2e7598dc9
SHA256 99765228b1adda7fdbd06a07715df072820c533fa2b80a49a94d091bae133aa5
SHA512 c93e55e48ac385ff5b60868b752f99d7b2a1843803232c04c8ac28abcaf4683a02c63e4306e1234ce42c380e168416349d27776a1433cb1fe6bd76a9721acb61

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 e0e492a234d168f791b88902be6148f0
SHA1 4357e16c3d86e11cf1bb859cda16e60868219ef3
SHA256 34974796d70fdeb68ba176c23160002eb91a9fd11f5c208b6984804b680e0055
SHA512 ecf8232fd45841c7819e8e70ad9f49ebf1a0d95b0d55ca5e44afd4a479abd4a9a2f90582c4fff051502bb13f24786f19d5631b9363d3cad92d1aac26579ed826

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7f9b38a40096ed6ece4719ac734ee87b
SHA1 4273ddf4f52b067a10ec9b8e0097210a82d2863b
SHA256 502cb9be22c2ae092e3c38a5a5309950f7b6c55e93f4bad35d6353ab02d7cedb
SHA512 a4644837d1f1000f85b278b823e482c78a7ec7688562c120ce2f91497896323943491a7a8a4142c99cd7144a314263de1f2484e6c046266e5a278e2c73f9b9c9