Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-n5kldscc95
Target c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872
SHA256 c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872
Tags
amadey healer redline jordan dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872

Threat Level: Known bad

The file c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline jordan dropper evasion infostealer persistence trojan

Amadey

RedLine

Modifies Windows Defender Real-time Protection settings

Healer

RedLine payload

Detects Healer, an antivirus disabler dropper

Windows security modification

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Program crash

Creates scheduled task(s)

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 11:58

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 11:58

Reported

2023-10-03 12:01

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A

RedLine

infostealer redline

RedLine payload

Description Indicator Process Target
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A
N/A N/A C:\Windows\SysWOW64\rundll32.exe N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A
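The two tables above (the five Real-Time Protection policy values and the TamperProtection feature flag, all written by q1852473.exe) are the Healer stage doing its one job: switching Defender off before the later stages drop. The following is an added example, not part of the sandbox report, that parses those rows in the report's own text format and reduces them to findings with the ATT&CK technique they map to (T1562.001, Impair Defenses: Disable or Modify Tools). The row list is copied from the tables above; the kill-switch table and the Finding class are the example's own.

```python
import re
import ntpath
from dataclasses import dataclass

# Rows copied from the two Defender tables of this report (constructed input
# list for the example; in practice you would read the sandbox's JSON/CSV export).
REPORT_ROWS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A',
]

RTP = r"software\policies\microsoft\windows defender\real-time protection"
# value path under HKLM (lower-cased; registry paths are case-insensitive)
#   -> (value that switches the protection off, what is switched off)
KILL_SWITCHES = {
    RTP + r"\disablerealtimemonitoring": ("1", "real-time scanning"),
    RTP + r"\disablebehaviormonitoring": ("1", "behaviour monitoring"),
    RTP + r"\disableioavprotection": ("1", "scanning of downloaded files and attachments (IOAV)"),
    RTP + r"\disableonaccessprotection": ("1", "on-access file scanning"),
    RTP + r"\disablescanonrealtimeenable": ("1", "catch-up scan when real-time protection is re-enabled"),
    r"software\microsoft\windows defender\features\tamperprotection": ("0", "tamper protection"),
}

SET_VALUE_RE = re.compile(r'^Set value \((\w+)\) \\REGISTRY\\MACHINE\\(.+?) = "([^"]*)" (\S+) (\S+)$')
KEY_CREATED_RE = re.compile(r'^Key created \\REGISTRY\\MACHINE\\(.+?) (\S+) (\S+)$')


@dataclass(frozen=True)
class Finding:
    path: str          # registry path under HKLM
    value: str         # value written ("" for a key creation)
    process: str       # image that performed the write
    effect: str        # protection lost
    technique: str = "T1562.001"   # ATT&CK: Impair Defenses: Disable or Modify Tools


def defender_tampering(rows):
    """Return one Finding per row that switches a Defender protection off."""
    findings = []
    for row in rows:
        m = SET_VALUE_RE.match(row)
        if m:
            _, path, value, process, _ = m.groups()
            spec = KILL_SWITCHES.get(path.lower())
            if spec and value == spec[0]:        # "0" for DisableRealtimeMonitoring would re-enable it
                findings.append(Finding(path, value, process, spec[1]))
            continue
        m = KEY_CREATED_RE.match(row)
        if m and m[1].lower() == RTP:
            # The policy key only exists once a real-time protection policy has been
            # set (by an admin or by malware), so its creation is itself a signal.
            findings.append(Finding(m[1], "", m[2], "real-time protection policy key created"))
    return findings


def tampering_processes(rows):
    """Images that performed at least one of the writes above, sorted."""
    return sorted({f.process for f in defender_tampering(rows)})


if __name__ == "__main__":
    for f in defender_tampering(REPORT_ROWS):
        print(f"{f.technique}  {ntpath.basename(f.process):<14} {f.effect}")
```

Two caveats when reading these rows. They are writes under HKLM, so they only succeed from an elevated process (the sandbox ran the sample as the user "Admin"); the report records the call, not its outcome. And on a host with Tamper Protection enabled, Defender ignores policy changes made this way, including the direct write to Features\TamperProtection, so the resulting Defender state has to be checked separately, for example with Get-MpComputerStatus and its RealTimeProtectionEnabled, BehaviorMonitorEnabled, IoavProtectionEnabled, OnAccessProtectionEnabled and IsTamperProtected properties.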

Adds Run key to start application

persistence
Note: the five RunOnce values below are wextract_cleanup entries. The Windows self-extractor stub (wextract.exe, the IExpress package format) writes one so that advpack.dll's DelNodeRunDLL32 removes its IXPnnn.TMP extraction directory at the next logon, and each nested package adds one, hence cleanup0 through cleanup4 for five nested layers. They are an installer artefact rather than persistence for the payloads; the persistence that matters is the per-minute scheduled tasks for explothe.exe and legota.exe recorded further down.
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (25 identical rows; all from msedge.exe, which explothe.exe launched (see Processes), not from the sample's own binaries)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A (24 identical rows; all from msedge.exe, which explothe.exe launched (see Processes), not from the sample's own binaries)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 224 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
PID 224 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
PID 224 wrote to memory of 4524 N/A C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
PID 4524 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
PID 4524 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
PID 4524 wrote to memory of 3868 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
PID 3868 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
PID 3868 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
PID 3868 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
PID 3728 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
PID 3728 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
PID 3728 wrote to memory of 864 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
PID 864 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
PID 864 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
PID 864 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
PID 864 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
PID 864 wrote to memory of 368 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 368 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3728 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
PID 3728 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
PID 3728 wrote to memory of 1136 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 1136 wrote to memory of 4224 N/A C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 3868 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
PID 3868 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
PID 3868 wrote to memory of 2588 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
PID 2588 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2588 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2588 wrote to memory of 4656 N/A C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 4524 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
PID 4524 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
PID 4524 wrote to memory of 4864 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
PID 4656 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4656 wrote to memory of 4068 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4864 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 4864 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 4864 wrote to memory of 4452 N/A C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 4656 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 4656 wrote to memory of 4780 N/A C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe C:\Windows\SysWOW64\cmd.exe
PID 224 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
PID 224 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
PID 224 wrote to memory of 3876 N/A C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
PID 4452 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 4452 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 4452 wrote to memory of 8 N/A C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe C:\Windows\SysWOW64\schtasks.exe
PID 3876 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe C:\Windows\system32\cmd.exe
PID 3876 wrote to memory of 4552 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe C:\Windows\system32\cmd.exe
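The WriteProcessMemory table above is the best record of the detonation chain in this report: every parent-child launch shows up as a few writes, and the two hollowing-style injections into AppLaunch.exe show up as many more. The following is an added example, not part of the report, that rebuilds the process tree from those rows and ranks the writer/target pairs by write count. The 18 distinct rows and their repeat counts are copied from the table above; the regenerated row text, the tree rendering and the baseline of 3 writes per ordinary launch (what this report shows for every plain child process) are the example's own.

```python
import re
import ntpath
from collections import Counter, defaultdict

T = r"C:\Users\Admin\AppData\Local\Temp"
SAMPLE = "c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe"
APPLAUNCH = r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"

# The 18 distinct rows of the table above as (writer pid, target pid, writer
# image, target image, number of times the row appears). Constructed from the
# report; the rows are regenerated below in the report's own text format.
EVENTS = [
    (224, 4524, T + "\\" + SAMPLE, T + r"\IXP000.TMP\z5408280.exe", 3),
    (4524, 3868, T + r"\IXP000.TMP\z5408280.exe", T + r"\IXP001.TMP\z1856633.exe", 3),
    (3868, 3728, T + r"\IXP001.TMP\z1856633.exe", T + r"\IXP002.TMP\z8055166.exe", 3),
    (3728, 864, T + r"\IXP002.TMP\z8055166.exe", T + r"\IXP003.TMP\z9298734.exe", 3),
    (864, 3580, T + r"\IXP003.TMP\z9298734.exe", T + r"\IXP004.TMP\q1852473.exe", 2),
    (864, 368, T + r"\IXP003.TMP\z9298734.exe", T + r"\IXP004.TMP\r3399058.exe", 3),
    (368, 2940, T + r"\IXP004.TMP\r3399058.exe", APPLAUNCH, 10),
    (3728, 1136, T + r"\IXP002.TMP\z8055166.exe", T + r"\IXP003.TMP\s9431967.exe", 3),
    (1136, 4224, T + r"\IXP003.TMP\s9431967.exe", APPLAUNCH, 8),
    (3868, 2588, T + r"\IXP001.TMP\z1856633.exe", T + r"\IXP002.TMP\t4667719.exe", 3),
    (2588, 4656, T + r"\IXP002.TMP\t4667719.exe", T + r"\fefffe8cea\explothe.exe", 3),
    (4524, 4864, T + r"\IXP000.TMP\z5408280.exe", T + r"\IXP001.TMP\u0759130.exe", 3),
    (4656, 4068, T + r"\fefffe8cea\explothe.exe", EDGE, 3),
    (4864, 4452, T + r"\IXP001.TMP\u0759130.exe", T + r"\cb378487cf\legota.exe", 3),
    (4656, 4780, T + r"\fefffe8cea\explothe.exe", r"C:\Windows\SysWOW64\cmd.exe", 3),
    (224, 3876, T + "\\" + SAMPLE, T + r"\IXP000.TMP\w9101287.exe", 3),
    (4452, 8, T + r"\cb378487cf\legota.exe", r"C:\Windows\SysWOW64\schtasks.exe", 3),
    (3876, 4552, T + r"\IXP000.TMP\w9101287.exe", r"C:\Windows\system32\cmd.exe", 2),
]
WPM_ROWS = [f"PID {s} wrote to memory of {d} N/A {src} {dst}"
            for s, d, src, dst, n in EVENTS for _ in range(n)]

# Image paths may contain spaces (Program Files (x86)), so split on the first
# ".exe" for the writer and take the rest as the target.
ROW_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) N/A (.+?\.exe) (.+\.exe)$")


def build_tree(rows):
    """Parse rows into (image by pid, children by pid, write count by (writer, target))."""
    image, children, writes = {}, defaultdict(set), Counter()
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        s, d = int(m[1]), int(m[2])
        image[s], image[d] = m[3], m[4]
        children[s].add(d)
        writes[(s, d)] += 1
    return image, children, writes


def render(pid, image, children, writes, depth=0):
    """Indented tree; each child line carries the number of writes its parent made into it."""
    lines = ["  " * depth + f"{ntpath.basename(image[pid])} (pid {pid})"]
    for child in sorted(children.get(pid, ())):
        sub = render(child, image, children, writes, depth + 1)
        sub[0] += f"  <- {writes[(pid, child)]} write(s)"
        lines += sub
    return lines


def ancestry(pid, image, children):
    """Image names from the root of the tree down to pid."""
    parent = {c: p for p, cs in children.items() for c in cs}
    chain = [pid]
    while chain[-1] in parent:
        chain.append(parent[chain[-1]])
    return [ntpath.basename(image[p]) for p in reversed(chain)]


def injection_candidates(image, writes, baseline=3):
    """(writer pid, target pid, writes) where a Temp-resident image wrote into a
    Windows-directory image more often than an ordinary child launch does in
    this report (2-3 rows per launch). Sorted by write count, highest first."""
    hits = [(s, d, n) for (s, d), n in writes.items()
            if n > baseline
            and image[s].lower().startswith(T.lower())
            and image[d].lower().startswith("c:\\windows\\")]
    return sorted(hits, key=lambda h: -h[2])


if __name__ == "__main__":
    image, children, writes = build_tree(WPM_ROWS)
    print("\n".join(render(224, image, children, writes)))
    for s, d, n in injection_candidates(image, writes):
        print(f"{n} writes: {ntpath.basename(image[s])} -> {ntpath.basename(image[d])} (pid {d})")
```

The two outliers it returns, r3399058.exe into AppLaunch.exe (pid 2940) and s9431967.exe into AppLaunch.exe (pid 4224), are the loaders for the RedLine payload the report tags, and the writes line up with the SetThreadContext signature in the summary. Note also that three of those four processes (368, 2940 and 1136) are the ones WerFault.exe was started for in the Processes section, which is what the "Program crash" signature refers to: the injected stage did not run cleanly in this detonation, so absence of later RedLine activity here says nothing about the payload's capability.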

Processes

C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe

"C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 368 -ip 368

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2940 -ip 2940

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 596

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1136 -ip 1136

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 156

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA9E.tmp\EA9F.tmp\EAA0.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa5d0946f8,0x7ffa5d094708,0x7ffa5d094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa5d0946f8,0x7ffa5d094708,0x7ffa5d094718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,17341027096377107078,9797894429993711241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,17341027096377107078,9797894429993711241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 158.240.127.40.in-addr.arpa udp
US 8.8.8.8:53 133.113.22.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 www.facebook.com udp
US 8.8.8.8:53 accounts.google.com udp
NL 157.240.247.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 35.247.240.157.in-addr.arpa udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 facebook.com udp
NL 157.240.201.35:443 facebook.com tcp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 fbcdn.net udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 play.google.com udp
US 8.8.8.8:53 fbsbx.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 14.36.251.142.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 208.194.73.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
NL 142.251.36.14:443 play.google.com udp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
FI 77.91.124.55:19071 tcp
NL 142.250.179.141:443 accounts.google.com udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp
FI 77.91.124.55:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe

MD5 6625c1642b2e8b8bc9d1d04b8cf2de80
SHA1 2b34ca2ff31c4b26352aba284053b9c9f5fbfc0b
SHA256 5881fbc7919fa0608449c1dcc115aaf06e45aa171afe4e7e8f7cb2c0b0607a6e
SHA512 351aff42be816890d604578803b7078e9e49dc38816d772606f34752beaa0c753499bf32043d4e09d8dbbd87fb3a69c65d37f687c8ecbed518e49a38749558ab

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe

MD5 18165959afa2070cb2cd6caaa7372992
SHA1 9fcbac0253a9db09c538ae845d2909432cb16eca
SHA256 6d3d215a0cb5fc7f5cd40caa266bed5986b078e08f604d6c527d67dd0adf6a9b
SHA512 2875afebac74dd6e5a3fcadb7228daf9241bf45ce7ed24e639f151e08ef7ec099eca486ae8bc9a7d4e9e0ac02e4f4040439128b7d2ac97948cc327916dc0d370

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe

MD5 01dfaae2bf92a4e84f2ff793d710331a
SHA1 715508dfb740e52dcad6aabcbe86c402ac922722
SHA256 1186720b7a3c5c94abce7a6350a0437051c7bf9cdeef347d69407f42816c7133
SHA512 34288428f20f39daf3b1394152c187ca79c932fb4115b43ec5536fd70c5ba87469f0c40aacd5bd7dc3f20cd1650b030f7505bd1fd8648a2d671103cf31deb3ea

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe

MD5 1007173b5ab2cb724aaa101c3ebf9e8e
SHA1 20a2fcd834ed988dffe164716d4b0be3640cd41b
SHA256 f34b9a354179a91e73124161202366ac71d8be0a56e073e01a713048c0306297
SHA512 aeec6beb30ddfbdf287b6628ab7764ab563fb8aac181f249405bfd40ae9c1587c085e865089b9ed628f11e682153880b063ba216b4a293a300fe77aea2ad4f01

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe

MD5 7d3e9519d040ef486f916d2fd0e1e575
SHA1 c4fbdb2d2dd539d89c884c527fb9b563576eb255
SHA256 a9009400a38edb155dceb082d00494c18d7743c8f4f7520e96ce164121b96c6e
SHA512 b8630e07c85e73e8024d2d2703ab88f83f685a3d4afcc837792aa69515b780570dff886f77f7e305d324e96be9ae009f3cb8a26678042d5494093281f4e7790c

memory/3580-35-0x0000000000580000-0x000000000058A000-memory.dmp

memory/3580-36-0x00007FFA5CC90000-0x00007FFA5D751000-memory.dmp

memory/3580-38-0x00007FFA5CC90000-0x00007FFA5D751000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe

MD5 dff3675777834901577451dc381fded7
SHA1 69f3380649846dd90d9d535179c3e727eeae773c
SHA256 f4d718259b7f4af46ded5dfee7109a212ecaace13a76b915a7835f85aab2065c
SHA512 76179d864dcdb0bf54fbd3087b33c6ede20a072fe974fe75ae4910edfab36c26355a9ca00b131b6b3f9147bc2b6ae013aefe5ce2aa1cf66f70b6135a24745617

memory/2940-42-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2940-43-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2940-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2940-46-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe

MD5 17be0273d4664a3091fd2c278c98f1c9
SHA1 565420c2490eb058096d2155d347c469004a150b
SHA256 9de280b82bbf600aa63280b73b507e315c3f641e14b5da47bd113f1d0c923c4a
SHA512 0821123eec77914e1e3afb149878f049262ac3a2e97ca4152482de66df3f651bfca72e2f0218f6dfed5afa37a8828bd3ef1a67d107d2bf6448cc64ad157e8023

memory/4224-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4224-51-0x0000000073F80000-0x0000000074730000-memory.dmp

memory/4224-52-0x0000000007840000-0x0000000007DE4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4224-56-0x0000000007290000-0x0000000007322000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/4224-59-0x0000000004E60000-0x0000000004E70000-memory.dmp

memory/4224-60-0x0000000004EA0000-0x0000000004EAA000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/4224-73-0x0000000008410000-0x0000000008A28000-memory.dmp

memory/4224-74-0x0000000007610000-0x000000000771A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/4224-83-0x0000000007500000-0x000000000753C000-memory.dmp

memory/4224-79-0x00000000073A0000-0x00000000073B2000-memory.dmp

memory/4224-84-0x0000000007540000-0x000000000758C000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe

MD5 3969336f99d24315cf07fc46339fbd1c
SHA1 0b62ff9769efc493b61d697e35b0c161a4178834
SHA256 7552e87abcd327e1285df5e900170fce707ebe747e4c2710dc3407eada3636b1
SHA512 fdcebd2310058928b2ffc584a5198e62039d263c4c47b46c2e724a7c2379d51d462d1dd381e1c83c95e39153cee2c3336c2b52eb533896f819b2fec9b16c9eab

C:\Users\Admin\AppData\Local\Temp\EA9E.tmp\EA9F.tmp\EAA0.bat

MD5 5a115a88ca30a9f57fdbb545490c2043
SHA1 67e90f37fc4c1ada2745052c612818588a5595f4
SHA256 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA512 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 45fe8440c5d976b902cfc89fb780a578
SHA1 5696962f2d0e89d4c561acd58483b0a4ffeab800
SHA256 f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96
SHA512 efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_1904_ZUDGCKJPQWCOONNY

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 bf009481892dd0d1c49db97428428ede
SHA1 aee4e7e213f6332c1629a701b42335eb1a035c66
SHA256 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4
SHA512 d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11

\??\pipe\LOCAL\crashpad_2488_ONBJTLCGVMDWOFNU

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bc2833b4505ae39efca48d9bdbddace0
SHA1 0741d41e4a2e7507592c504780f96033d6fa870d
SHA256 fb977e299ebe0369c1056a5fa313aee4f9ab7ca391422769f0ab04152ad4ae42
SHA512 e5d86175d05f3a508439fa61efa74cd60bfed22204e55ece57782d880dc5995cf9bb72190dcb651cbbbe3d7f34529efe70852b122d01e80d4aab450e1cce37d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 a95fe7a1b7f36816116efc0c209b9008
SHA1 07435d8e7c92416c16f9779274604003c1dde9f1
SHA256 2cf5e3adfecafc3c26e4cec77081ecc06408abd45f78be2b6faedff0a29b976e
SHA512 d9306e10cc5a1689362434dac49b670e518c70c29f57b83c2eab4f7a69202c858b7f348c58d9af054ffc1b1643a071f8e4f8d1e4d0a9fa037851a2d46ab62269

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/4224-241-0x0000000073F80000-0x0000000074730000-memory.dmp

memory/4224-244-0x0000000004E60000-0x0000000004E70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 f95d0ffbf6dab4d181c140b97223a8b7
SHA1 9e85dcb0727ff6b63e2326ee45f40b79b25c4491
SHA256 ea4cdf1160beb4a3844a8db2c076ec047370f27c8bae7d4778aaec20a1f42ed8
SHA512 0e3eb1593d2c3ce06613192c136d2f66d859ba358587a63219b7a74dab66a9072ebb6dc2acbec2851836c87ee22081c2430eb0e514116f6c16e6d069cb6014dd

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bc2833b4505ae39efca48d9bdbddace0
SHA1 0741d41e4a2e7507592c504780f96033d6fa870d
SHA256 fb977e299ebe0369c1056a5fa313aee4f9ab7ca391422769f0ab04152ad4ae42
SHA512 e5d86175d05f3a508439fa61efa74cd60bfed22204e55ece57782d880dc5995cf9bb72190dcb651cbbbe3d7f34529efe70852b122d01e80d4aab450e1cce37d2

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 545829f2e1789d490ec3ca0bbfda1245
SHA1 9b8f6ef048279581c0e22bc9150e61ff805ba682
SHA256 aad40353adc00e60bdd46616b1eec6cbc217210786418b4cd063669caa8ca900
SHA512 1411c221fd2f67762a56a186e2af2ed032f6591df1c9bb0adc36fae8fcf4340e0994cbcce25ead03bdee2d7b6dc56a6d454fa9b071e8f575eb48c454162acf42

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 25ac77f8c7c7b76b93c8346e41b89a95
SHA1 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a
SHA256 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b
SHA512 df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 89fd01d4dbf5e14f4d8a6cceaf6aac8d
SHA1 2ef5743aedf51606116ec1281358cf0bc91bbd52
SHA256 e9e99f9d89ab13a6fba7e1b6e95e07ae6ce55612c67b02504c21eda331a3d4cc
SHA512 7c58983e89fef401813f8ed93417de0c2f1398359b0489632435d5f09409562913eac0abc1bae8183245a428e7088a24b834520037054693f48dea68517d1a22

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 16f383440b9ac70b9490f3847e8829e7
SHA1 bf85849f9b6394e38dbea6909f5e855de23e2bad
SHA256 c59143318d0fc167bab03793f357fafb1dd13d35af0dc089e2d855ad1195932c
SHA512 11f6cc62a83135921f243194d44922858c442d4b7fe6df8ad454f922d0ad66da9fdc43b4ff7b712d7feb522fe7719edbe40b317ebafdef37b51ffb06952e2eed

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589bed.TMP

MD5 8da6559fde856597a342b104ccf37271
SHA1 e41752bb11fafaa54f286da5bac901ae8816455f
SHA256 1aa4b2c8977d500f0c5c13cf61bf55966894e38d77845aa2da7b54db2bf3b453
SHA512 3432d55cc345d040d090f5f7a7bed08a2ada1aa4c6227ca8bbe82b8fde3b0d7ad6e8c26ee51d167deb0a8973b60b5f55a9c39b5f8f9f58de4e38d4bd42474f6b

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c990a12-a2dd-417e-b51a-f85b00de87f1.tmp

MD5 e59cd6e519265a56a3334ec85bf9cff1
SHA1 334707ed091bebaf0d6c2c803b9442aa78372d3d
SHA256 ee63e0fbc655fed0edb0431d03f00622ae12af1f15d3e7113f2094abee6537a4
SHA512 3d52dd37f7ec24084c5c0e4c33d670e28326a727d0172cc955a9d59f40525cf26d1c2d483213bb5da50d666b3cb3efd9e1ebc3e6d43989d065317c09ee3e9c40

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 72677668d785c7164871fb8864544e87
SHA1 7fcef0c409abd06851aaba1e3030a2ac45d385ef
SHA256 5b3fef350b201bc7c1448d52641f556a46f4e9637f51aa9928dc232ca2fe8d08
SHA512 d9191951ea464e039c9feb7590dcf1409441ebd21e182176d8ecfa7189d192bc6199d916d3b48efd709cdfd880d1a3c3538533e68d00192a79955a1f14f3d6c4

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976