Analysis Overview
SHA256
a90c2ac9fd785c74ae93d66e7886dc3b8f797c998eb45ba157317176a3604163
Threat Level: Known bad
The file a90c2ac9fd785c74ae93d66e7886dc3b8f797c998eb45ba157317176a3604163 was found to be: Known bad.
Malicious Activity Summary
Modifies Windows Defender Real-time Protection settings
RedLine
RedLine payload
Amadey
Detects Healer an antivirus disabler dropper
Healer
Executes dropped EXE
Loads dropped DLL
Windows security modification
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Program crash
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Creates scheduled task(s)
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 03:02
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 03:02
Reported
2023-10-03 03:04
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer an antivirus disabler dropper
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3408154.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2707529.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5421608.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6722797.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1551094.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\a90c2ac9fd785c74ae93d66e7886dc3b8f797c998eb45ba157317176a3604163.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4862441.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2388 set thread context of 4372 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1995398.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 2212 set thread context of 2776 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2337996.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\a90c2ac9fd785c74ae93d66e7886dc3b8f797c998eb45ba157317176a3604163.exe
"C:\Users\Admin\AppData\Local\Temp\a90c2ac9fd785c74ae93d66e7886dc3b8f797c998eb45ba157317176a3604163.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4862441.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4862441.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5421608.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5421608.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6722797.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6722797.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1551094.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1551094.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1995398.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1995398.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 456 -p 2388 -ip 2388
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 4372 -ip 4372
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4372 -s 540
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2388 -s 156
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2337996.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2337996.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 2212 -ip 2212
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 156
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2707529.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2707529.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3408154.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3408154.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0329102.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0329102.exe
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C17B.tmp\C17C.tmp\C17D.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0329102.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe78fd46f8,0x7ffe78fd4708,0x7ffe78fd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffe78fd46f8,0x7ffe78fd4708,0x7ffe78fd4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2044,2376784052895234183,6501849260580823959,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2064 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2044,2376784052895234183,6501849260580823959,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2116 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2868 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2320 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3248 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3956 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2252,12906782931833725209,6564552250429561756,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 146.78.124.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.3.197.209.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| US | 8.8.8.8:53 | 1.124.91.77.in-addr.arpa | udp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| US | 8.8.8.8:53 | accounts.google.com | udp |
| US | 8.8.8.8:53 | www.facebook.com | udp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 157.240.247.35:443 | www.facebook.com | tcp |
| NL | 142.250.179.141:443 | accounts.google.com | udp |
| US | 8.8.8.8:53 | static.xx.fbcdn.net | udp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| NL | 157.240.201.15:443 | static.xx.fbcdn.net | tcp |
| US | 8.8.8.8:53 | 78.68.91.77.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 141.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.247.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | facebook.com | udp |
| NL | 157.240.201.35:443 | facebook.com | tcp |
| US | 8.8.8.8:53 | fbcdn.net | udp |
| NL | 157.240.201.35:443 | fbcdn.net | tcp |
| US | 8.8.8.8:53 | fbsbx.com | udp |
| US | 8.8.8.8:53 | 15.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 35.201.240.157.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 131.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.39.251.142.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| NL | 142.251.36.14:443 | play.google.com | tcp |
| NL | 142.251.36.14:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.36.251.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.136.104.51.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| FI | 77.91.124.1:80 | 77.91.124.1 | tcp |
| FI | 77.91.68.78:80 | 77.91.68.78 | tcp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 58.99.105.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
| US | 8.8.8.8:53 | 224.162.46.104.in-addr.arpa | udp |
| FI | 77.91.124.55:19071 | | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z4862441.exe
| MD5 | c07adcb02d8b13ee8c31f94cdc949b9f |
| SHA1 | 36e7bfbe1b9d83b65c8d513e7648567488eac955 |
| SHA256 | 5716f3ef4108e9dbf3cc8a3a3bfd41574aa83b17d6ec30d3935149e529119227 |
| SHA512 | 5a945daa6b63f12b080b7f0d18efc5cbb4761636a7a03d83194021e85b2cf7786856d91c7c742084647bba1979cf8b6adf4bce86e3d8bfa2326df1e8eeb219f5 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5421608.exe
| MD5 | 50632bf210ea062388e894165e7c9bea |
| SHA1 | fa0217e2f8523aa981307c0331eb1e02a9d4427e |
| SHA256 | 70c5a124416a04584ed5d71e61a930d68353897d06127080b4673801cbd1564c |
| SHA512 | 336e5fd64bfebc5df967c287dd2947882a762c03e49f79fdb1d2e049ad2c6793d3d3fc64f4f469da80d87e74cd2fae089846ae3414de902334f9d7cbe1b8df6d |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z6722797.exe
| MD5 | 1737be34db39b3fc7bea262a5066bd81 |
| SHA1 | bf034cf139ab6dcbeaf99f5daa6c1f7a17cc62bf |
| SHA256 | e18f2ebad1d04575dfa58b5bbb43fba67f24e58b349c1e44b32610f396cd0051 |
| SHA512 | 7e4dce4030a178217c6d68a5514239f3c9131c610f2217d80b3a4e5f1ad91fd9658480524cb71246b3757b15428f4a53f95a731dfc43a132626549dab53e1418 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z1551094.exe
| MD5 | d42eb359799ceedb0a1bad23a8bdb649 |
| SHA1 | 03fc18b59bfb6f1f42eb2458c64b176692cd57d5 |
| SHA256 | e515b3742c25f0598cd7d577db6c4d12cd89c1953fe1ddcc658d6c3beea4d241 |
| SHA512 | bb99fa8c99a48e8e503be2970365c10aa7f41c8fe9a5dcccf96b62c90943744d4bfd082dcccc6bde271a091b190b73f3c514be0602f4995cf8a269f80bc9e631 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q0359789.exe
| MD5 | 643aa5084b325376b6ca66e5a6382f35 |
| SHA1 | 0c5deb41d233d1a4e607a141dc6ae95eb2e5a20b |
| SHA256 | 4b11a7ef322ccd7253b110f649bd618b5ffdf493fc437a14e344ecabb264f3b1 |
| SHA512 | 6e5fcd5b47771ea1374edb7adc5d7d504c3648ad8cc0aff6fe380aab41b748f98112beb18894c54bbad2ca4bab5dbb23a088d5a4f43ff853ca02eebf5fa7246e |
memory/4640-35-0x0000000000190000-0x000000000019A000-memory.dmp
memory/4640-36-0x00007FFE77B60000-0x00007FFE78621000-memory.dmp
memory/4640-38-0x00007FFE77B60000-0x00007FFE78621000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r1995398.exe
| MD5 | 5271300aa153526014bd1db7b254c813 |
| SHA1 | acf6b292fbe1a1635e1715427b14da0de995241e |
| SHA256 | 4badd90edc2f746c3df37b86a8551b6e00d8b7d475cea3d0ec958919f8967f0b |
| SHA512 | 22f4a7d33935a27201b022e3bf20a85acec74ff74ec3adf6757144e47df4b82df365ede36dd939f229f226c8b37d136ac204a65baa5c062657b74a932f680893 |
memory/4372-42-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4372-43-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4372-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/4372-46-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s2337996.exe
| MD5 | 635f89039016c0ab0c788fefa6e2df76 |
| SHA1 | f9913a45e1e6398bf4f0131b7d1954eaffa4e950 |
| SHA256 | 4d5747a7a76f7e24b975a1e6a4ca167568fa511a71f793a5f3879b924dac82b5 |
| SHA512 | 9c6ab0ee16a2dab691a473033bd6ff0b66df43baca0fe9afb06e64f1372da6a87fd63c53b5ec70bd5e9e839cd3b6d120f9db29fa87f9c997ccb9c43034e7f567 |
memory/2776-50-0x0000000000400000-0x000000000043E000-memory.dmp
memory/2776-51-0x0000000074290000-0x0000000074A40000-memory.dmp
memory/2776-52-0x0000000008130000-0x00000000086D4000-memory.dmp
memory/2776-53-0x0000000007C20000-0x0000000007CB2000-memory.dmp
memory/2776-55-0x0000000007BA0000-0x0000000007BAA000-memory.dmp
memory/2776-54-0x0000000007BF0000-0x0000000007C00000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t2707529.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/2776-61-0x0000000008D00000-0x0000000009318000-memory.dmp
memory/2776-62-0x0000000007EE0000-0x0000000007FEA000-memory.dmp
memory/2776-71-0x0000000007E70000-0x0000000007EAC000-memory.dmp
memory/2776-68-0x0000000007E10000-0x0000000007E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3408154.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/2776-77-0x0000000007FF0000-0x000000000803C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w0329102.exe
| MD5 | 1a17201dee93e49d1b63bbdd1a1ea403 |
| SHA1 | d689986fd4e06b1d2f7fc0093a0fe37d33c08ba0 |
| SHA256 | 84adc3eb1738d273e8fb339d81740b49801758d5946fd8a696edfa86f3d49dff |
| SHA512 | dbe15ddd95fd5527a11194d97b18f5506960387029cd98b26a96fbc1613d073757d4754b6a4bd7f0952773801c0ab38cd912016a1f9c82559c53e901ac28c188 |
C:\Users\Admin\AppData\Local\Temp\C17B.tmp\C17C.tmp\C17D.bat
| MD5 | 5a115a88ca30a9f57fdbb545490c2043 |
| SHA1 | 67e90f37fc4c1ada2745052c612818588a5595f4 |
| SHA256 | 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d |
| SHA512 | 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c126b33f65b7fc4ece66e42d6802b02e |
| SHA1 | 2a169a1c15e5d3dab708344661ec04d7339bcb58 |
| SHA256 | ca9d2a9ab8047067c8a78be0a7e7af94af34957875de8e640cf2f98b994f52d8 |
| SHA512 | eecbe3f0017e902639e0ecb8256ae62bf681bb5f80a7cddc9008d2571fe34d91828dfaee9a8df5a7166f337154232b9ea966c83561ace45d1e2923411702e822 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | db9dbef3f8b1f616429f605c1ebca2f0 |
| SHA1 | ffba76f0836c024828d4ff1982cc4240c41a8f16 |
| SHA256 | 3e0297327872058355ac041a5e0fc83ed017faee0f6c0105b44bb3e5399a93a1 |
| SHA512 | 4eedc387fe304f27f9d52ff5d71461c7f22147f7a8c18b8e7982acb76515528a36486a567451daafe093f9563b133c6799f2ad046e04256ccb46c83eb99e86c5 |
\??\pipe\LOCAL\crashpad_3244_UNKRXFOLELZPINHN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_3204_UIAMUNBDPYVRUVBE
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 9d6010e15e22a09d263a4ba7ef52b2b1 |
| SHA1 | 21849e971c507dd6c05ef19c7e42b3225546360d |
| SHA256 | 0c860012a1687deada6c2907c43e5e9fd365cb0764fe11cbd67413eca4fab377 |
| SHA512 | 06d6fbe390f41d4a4d3bdcd8c27da0b32c86a75d9c7866f0b162a85879077759f63cd4fb6c86ee88d73625e05d647484cd2bd0162ecbebc6bc4bf8ba866c78ce |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 4d49eb4134ed5dbf76458414843f2692 |
| SHA1 | 32879821c2bebbedf728afd06aa59d499326b55b |
| SHA256 | db5445b99a3325610de118e81dc470015dc129aaf506c65adaba374b228b3342 |
| SHA512 | 78e3e0a1448a81923b8ed1190c205638e2a00e32a9761cf8cbf843aac443eea6b553cfd9db2e080667c528bfab7bcd2bfd9e800b9d1e5e11363de4bbf6b21a15 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/2776-245-0x0000000074290000-0x0000000074A40000-memory.dmp
memory/2776-246-0x0000000007BF0000-0x0000000007C00000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | e340d6adc64c8145a0b343ad09166a7e |
| SHA1 | e9c05ba20989a2502f1f6fa4d6f272087ea3f0da |
| SHA256 | 50cf8d4c04b5e2407125429d3754839e35fdc1b6f4898e5de105681c02eaed43 |
| SHA512 | c3c6144bfc8434f5a32108fc712b0d39b9fea73b3adbc0b6cfaa1aedad3c51286f1e5d0f073c2d3e800fe8a25aa3453f79e817410e1fef60d6deccdbde814626 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 501553f9bbb162c0fbabda54fa73a597 |
| SHA1 | bece28e81dfab997a1ed80cd02b260707fa5ba0d |
| SHA256 | 2e2caa9dbd02eade8c71395fdde361861988e009935dc0660c22a73b2f3983f5 |
| SHA512 | 5fc44c0896e6482df9458702ce4ea0f713b3dd05d9412548cd486265ebffece04ea1194ba098e35dae15fac8d69a41c035af0eafb17b86b41dd65cb261c758c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 6dcb90ba1ba8e06c1d4f27ec78f6911a |
| SHA1 | 71e7834c7952aeb9f1aa6eb88e1959a1ae4985d9 |
| SHA256 | 30d89e5026668c5a58bef231930a8bfb27ca099b24399a2615b210210d418416 |
| SHA512 | dc31807eaeb5221ac60d598035ca3ccab1dbeecc95caaff5e1f5a2a89ba1c83ef0a708ee0b8ed05b588ea5d50e360032a534356f84c89d3791df91d419daeff9 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 61a9a2fb76f04f4257f502b16122a50a |
| SHA1 | 2478efea719d6b7707029a0bca8bc11fcb9f8d09 |
| SHA256 | 187c1cb4782a6f89a9c900ccecdc7e8884782d1de495631192ee132eb16ef534 |
| SHA512 | fff49a527bdab581f367bc2a7e26cf75ac4c0933f4cedef5fa2c9f9bce55e212d726abb5eb1864760303abde7f395ce6caea57d887c1b85dd9d6c39246831ad5 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe5817b9.TMP
| MD5 | 0afd3fb7105ad505c4bb5f800d8fc17f |
| SHA1 | 8bdb6821e5b23da6b5d97cc4b64c67c6c662f8a7 |
| SHA256 | 4403da87b4e69cc580ad25ea5a2a67378333cf4e85228c87ff76d0d7cfe9aeef |
| SHA512 | 51cb2e885691f6c262f8157f9ac185938b40bb07b3fd74c8a92587c7857b76753f039c10dd3ee920e4b56a7ed993430bd78c7d07ea3063cc87ec6f20a899a4c6 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2f9bd8b011cf13c9d773aa5f9d7106ba |
| SHA1 | 4b660a8617a3d34d95eed0d4785c791238929788 |
| SHA256 | bbd8127a5a97b9eda3479d50010ed6098586e9b55f021ac000ba3f7209930dc5 |
| SHA512 | 32e1f866c7f01f5324e873427bf826e7c9a2e83f66b37f6a6432028a95e55ac5d026645b6de92803f092a3568891fe6342acc31ce660c8f2609b2ba40fecfbf2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | b624118b2ef219722c3daffeb7e66a17 |
| SHA1 | dc8730dbb1b5d3c8e6a9f43207ed80a20b2fc7bf |
| SHA256 | d65db7715d45385f958b9307ea734da2adb114e489d1def4458775cd22f4f196 |
| SHA512 | 6cabc60edb73343ac061d1b3aefd4ce34a4f8c393fdf52a802f7dfb29909430d4dcf6dd06f4af768693b79cae0decca48de314702222c0d364e4bd7b61af08ac |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 80af74383dd5dae20d8a4283e3ed55cc |
| SHA1 | cffda24e351014298ceeb1c376505a16635229a2 |
| SHA256 | 9f909ef2dc37669924417b89ffc637818394b9c28e52f8eba1810cfc21288d1f |
| SHA512 | f5df8bf7752b9b8a32ac48035c734fe10d3d9edf12e830e95d7c4b85cf9ee2989c46c1171bcfad72e21dbdc7f492f43b2614ac93caf1f17a450523212bb4ea09 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\0db9377b-5407-453f-a0c3-7c1dd1cdfd44.tmp
| MD5 | 5ae4407978708afd84263173630fb2ac |
| SHA1 | 02912933998ad76e894875e58002df8a311698e9 |
| SHA256 | ead7b7bee2ee6f30537f5079e7062e335b55c09f346f371f84bfe50e4c023578 |
| SHA512 | 5a7cc4e2e29b36fc4023caa1b79dbaa5198b8f9d00ea4e4a36e258800e94431d174fc3606db2b2263f6ab2c8584948cdf7dc4452222cbe0cb4e81f4bdd7b9bc6 |