Analysis Overview
SHA256
c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872
Threat Level: Known bad
The file c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872 was found to be: Known bad.
Malicious Activity Summary
Amadey
RedLine
Modifies Windows Defender Real-time Protection settings
Healer
RedLine payload
Detects Healer, an antivirus disabler dropper
Windows security modification
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Program crash
Creates scheduled task(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-10-03 11:58
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-10-03 11:58
Reported
2023-10-03 12:01
Platform
win10v2004-20230915-en
Max time kernel
149s
Max time network
154s
Command Line
Signatures
Amadey
Detects Healer, an antivirus disabler dropper
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Healer
Modifies Windows Defender Real-time Protection settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
RedLine
RedLine payload
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3027552071-446050021-1254071215-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A |
Executes dropped EXE
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 368 set thread context of 2940 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
| PID 1136 set thread context of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Program crash
Creates scheduled task(s)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe
"C:\Users\Admin\AppData\Local\Temp\c32e43da1f1aab52f0b35a7378215a78587347f09853884d73196bb04a0a6872.exe"
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 472 -p 368 -ip 368
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 2940 -ip 2940
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 368 -s 596
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2940 -s 540
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 584 -p 1136 -ip 1136
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1136 -s 156
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:N"
C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA9E.tmp\EA9F.tmp\EAA0.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe"
C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
C:\Windows\SysWOW64\cacls.exe
CACLS "explothe.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:N"
C:\Windows\SysWOW64\cacls.exe
CACLS "legota.exe" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:N"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo Y"
C:\Windows\SysWOW64\cacls.exe
CACLS "..\fefffe8cea" /P "Admin:R" /E
C:\Windows\SysWOW64\cacls.exe
CACLS "..\cb378487cf" /P "Admin:R" /E
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffa5d0946f8,0x7ffa5d094708,0x7ffa5d094718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffa5d0946f8,0x7ffa5d094708,0x7ffa5d094718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1968,17341027096377107078,9797894429993711241,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1984 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1968,17341027096377107078,9797894429993711241,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2452 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2256 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3848 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5300 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5340 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5684 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5652 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main
C:\Windows\SysWOW64\rundll32.exe
"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2244,4353107189317795441,3113245550919324526,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3084 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
| MD5 | 6625c1642b2e8b8bc9d1d04b8cf2de80 |
| SHA1 | 2b34ca2ff31c4b26352aba284053b9c9f5fbfc0b |
| SHA256 | 5881fbc7919fa0608449c1dcc115aaf06e45aa171afe4e7e8f7cb2c0b0607a6e |
| SHA512 | 351aff42be816890d604578803b7078e9e49dc38816d772606f34752beaa0c753499bf32043d4e09d8dbbd87fb3a69c65d37f687c8ecbed518e49a38749558ab |
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z5408280.exe
| MD5 | 6625c1642b2e8b8bc9d1d04b8cf2de80 |
| SHA1 | 2b34ca2ff31c4b26352aba284053b9c9f5fbfc0b |
| SHA256 | 5881fbc7919fa0608449c1dcc115aaf06e45aa171afe4e7e8f7cb2c0b0607a6e |
| SHA512 | 351aff42be816890d604578803b7078e9e49dc38816d772606f34752beaa0c753499bf32043d4e09d8dbbd87fb3a69c65d37f687c8ecbed518e49a38749558ab |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
| MD5 | 18165959afa2070cb2cd6caaa7372992 |
| SHA1 | 9fcbac0253a9db09c538ae845d2909432cb16eca |
| SHA256 | 6d3d215a0cb5fc7f5cd40caa266bed5986b078e08f604d6c527d67dd0adf6a9b |
| SHA512 | 2875afebac74dd6e5a3fcadb7228daf9241bf45ce7ed24e639f151e08ef7ec099eca486ae8bc9a7d4e9e0ac02e4f4040439128b7d2ac97948cc327916dc0d370 |
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z1856633.exe
| MD5 | 18165959afa2070cb2cd6caaa7372992 |
| SHA1 | 9fcbac0253a9db09c538ae845d2909432cb16eca |
| SHA256 | 6d3d215a0cb5fc7f5cd40caa266bed5986b078e08f604d6c527d67dd0adf6a9b |
| SHA512 | 2875afebac74dd6e5a3fcadb7228daf9241bf45ce7ed24e639f151e08ef7ec099eca486ae8bc9a7d4e9e0ac02e4f4040439128b7d2ac97948cc327916dc0d370 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
| MD5 | 01dfaae2bf92a4e84f2ff793d710331a |
| SHA1 | 715508dfb740e52dcad6aabcbe86c402ac922722 |
| SHA256 | 1186720b7a3c5c94abce7a6350a0437051c7bf9cdeef347d69407f42816c7133 |
| SHA512 | 34288428f20f39daf3b1394152c187ca79c932fb4115b43ec5536fd70c5ba87469f0c40aacd5bd7dc3f20cd1650b030f7505bd1fd8648a2d671103cf31deb3ea |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8055166.exe
| MD5 | 01dfaae2bf92a4e84f2ff793d710331a |
| SHA1 | 715508dfb740e52dcad6aabcbe86c402ac922722 |
| SHA256 | 1186720b7a3c5c94abce7a6350a0437051c7bf9cdeef347d69407f42816c7133 |
| SHA512 | 34288428f20f39daf3b1394152c187ca79c932fb4115b43ec5536fd70c5ba87469f0c40aacd5bd7dc3f20cd1650b030f7505bd1fd8648a2d671103cf31deb3ea |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
| MD5 | 1007173b5ab2cb724aaa101c3ebf9e8e |
| SHA1 | 20a2fcd834ed988dffe164716d4b0be3640cd41b |
| SHA256 | f34b9a354179a91e73124161202366ac71d8be0a56e073e01a713048c0306297 |
| SHA512 | aeec6beb30ddfbdf287b6628ab7764ab563fb8aac181f249405bfd40ae9c1587c085e865089b9ed628f11e682153880b063ba216b4a293a300fe77aea2ad4f01 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z9298734.exe
| MD5 | 1007173b5ab2cb724aaa101c3ebf9e8e |
| SHA1 | 20a2fcd834ed988dffe164716d4b0be3640cd41b |
| SHA256 | f34b9a354179a91e73124161202366ac71d8be0a56e073e01a713048c0306297 |
| SHA512 | aeec6beb30ddfbdf287b6628ab7764ab563fb8aac181f249405bfd40ae9c1587c085e865089b9ed628f11e682153880b063ba216b4a293a300fe77aea2ad4f01 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
| MD5 | 7d3e9519d040ef486f916d2fd0e1e575 |
| SHA1 | c4fbdb2d2dd539d89c884c527fb9b563576eb255 |
| SHA256 | a9009400a38edb155dceb082d00494c18d7743c8f4f7520e96ce164121b96c6e |
| SHA512 | b8630e07c85e73e8024d2d2703ab88f83f685a3d4afcc837792aa69515b780570dff886f77f7e305d324e96be9ae009f3cb8a26678042d5494093281f4e7790c |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q1852473.exe
| MD5 | 7d3e9519d040ef486f916d2fd0e1e575 |
| SHA1 | c4fbdb2d2dd539d89c884c527fb9b563576eb255 |
| SHA256 | a9009400a38edb155dceb082d00494c18d7743c8f4f7520e96ce164121b96c6e |
| SHA512 | b8630e07c85e73e8024d2d2703ab88f83f685a3d4afcc837792aa69515b780570dff886f77f7e305d324e96be9ae009f3cb8a26678042d5494093281f4e7790c |
memory/3580-35-0x0000000000580000-0x000000000058A000-memory.dmp
memory/3580-36-0x00007FFA5CC90000-0x00007FFA5D751000-memory.dmp
memory/3580-38-0x00007FFA5CC90000-0x00007FFA5D751000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
| MD5 | dff3675777834901577451dc381fded7 |
| SHA1 | 69f3380649846dd90d9d535179c3e727eeae773c |
| SHA256 | f4d718259b7f4af46ded5dfee7109a212ecaace13a76b915a7835f85aab2065c |
| SHA512 | 76179d864dcdb0bf54fbd3087b33c6ede20a072fe974fe75ae4910edfab36c26355a9ca00b131b6b3f9147bc2b6ae013aefe5ce2aa1cf66f70b6135a24745617 |
C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r3399058.exe
| MD5 | dff3675777834901577451dc381fded7 |
| SHA1 | 69f3380649846dd90d9d535179c3e727eeae773c |
| SHA256 | f4d718259b7f4af46ded5dfee7109a212ecaace13a76b915a7835f85aab2065c |
| SHA512 | 76179d864dcdb0bf54fbd3087b33c6ede20a072fe974fe75ae4910edfab36c26355a9ca00b131b6b3f9147bc2b6ae013aefe5ce2aa1cf66f70b6135a24745617 |
memory/2940-42-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2940-43-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2940-44-0x0000000000400000-0x0000000000428000-memory.dmp
memory/2940-46-0x0000000000400000-0x0000000000428000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
| MD5 | 17be0273d4664a3091fd2c278c98f1c9 |
| SHA1 | 565420c2490eb058096d2155d347c469004a150b |
| SHA256 | 9de280b82bbf600aa63280b73b507e315c3f641e14b5da47bd113f1d0c923c4a |
| SHA512 | 0821123eec77914e1e3afb149878f049262ac3a2e97ca4152482de66df3f651bfca72e2f0218f6dfed5afa37a8828bd3ef1a67d107d2bf6448cc64ad157e8023 |
C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s9431967.exe
| MD5 | 17be0273d4664a3091fd2c278c98f1c9 |
| SHA1 | 565420c2490eb058096d2155d347c469004a150b |
| SHA256 | 9de280b82bbf600aa63280b73b507e315c3f641e14b5da47bd113f1d0c923c4a |
| SHA512 | 0821123eec77914e1e3afb149878f049262ac3a2e97ca4152482de66df3f651bfca72e2f0218f6dfed5afa37a8828bd3ef1a67d107d2bf6448cc64ad157e8023 |
memory/4224-50-0x0000000000400000-0x000000000043E000-memory.dmp
memory/4224-51-0x0000000073F80000-0x0000000074730000-memory.dmp
memory/4224-52-0x0000000007840000-0x0000000007DE4000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t4667719.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/4224-56-0x0000000007290000-0x0000000007322000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
| MD5 | 4bd59a6b3207f99fc3435baf3c22bc4e |
| SHA1 | ae90587beed289f177f4143a8380ba27109d0a6f |
| SHA256 | 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236 |
| SHA512 | ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324 |
memory/4224-59-0x0000000004E60000-0x0000000004E70000-memory.dmp
memory/4224-60-0x0000000004EA0000-0x0000000004EAA000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u0759130.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
| MD5 | a427281ec99595c2a977a70e0009a30c |
| SHA1 | c937c5d14127921f068a081bb3e8f450c9966852 |
| SHA256 | 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3 |
| SHA512 | 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976 |
memory/4224-73-0x0000000008410000-0x0000000008A28000-memory.dmp
memory/4224-74-0x0000000007610000-0x000000000771A000-memory.dmp
memory/4224-83-0x0000000007500000-0x000000000753C000-memory.dmp
memory/4224-79-0x00000000073A0000-0x00000000073B2000-memory.dmp
memory/4224-84-0x0000000007540000-0x000000000758C000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w9101287.exe
| MD5 | 3969336f99d24315cf07fc46339fbd1c |
| SHA1 | 0b62ff9769efc493b61d697e35b0c161a4178834 |
| SHA256 | 7552e87abcd327e1285df5e900170fce707ebe747e4c2710dc3407eada3636b1 |
| SHA512 | fdcebd2310058928b2ffc584a5198e62039d263c4c47b46c2e724a7c2379d51d462d1dd381e1c83c95e39153cee2c3336c2b52eb533896f819b2fec9b16c9eab |
C:\Users\Admin\AppData\Local\Temp\EA9E.tmp\EA9F.tmp\EAA0.bat
| MD5 | 5a115a88ca30a9f57fdbb545490c2043 |
| SHA1 | 67e90f37fc4c1ada2745052c612818588a5595f4 |
| SHA256 | 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d |
| SHA512 | 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 45fe8440c5d976b902cfc89fb780a578 |
| SHA1 | 5696962f2d0e89d4c561acd58483b0a4ffeab800 |
| SHA256 | f620e0b35ac0ead6ed51984859edc75f7d4921aaa90d829bb9ad362d15504f96 |
| SHA512 | efe817ea03c203f8e63d7b50a965cb920fb4f128e72b458a7224c0c1373b31fae9eaa55a504290d2bc0cf55c96fd43f295f9aef6c2791a35fc4ab3e965f6ff25 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | bf009481892dd0d1c49db97428428ede |
| SHA1 | aee4e7e213f6332c1629a701b42335eb1a035c66 |
| SHA256 | 18236c88bc4fe576f82223cca595133aa3b4e5fd24ebac9fd515b70e6f403ab4 |
| SHA512 | d05515ff319b0b82030bc9d4a27f0432b613488f945d1dae8b8dfe73c64e651eb39f4141a5d2e157e2afb43dd1dd95b6611c1003ac4e2e80511e6c5cd7cfdf11 |
\??\pipe\LOCAL\crashpad_1904_ZUDGCKJPQWCOONNY
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
\??\pipe\LOCAL\crashpad_2488_ONBJTLCGVMDWOFNU
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | bc2833b4505ae39efca48d9bdbddace0 |
| SHA1 | 0741d41e4a2e7507592c504780f96033d6fa870d |
| SHA256 | fb977e299ebe0369c1056a5fa313aee4f9ab7ca391422769f0ab04152ad4ae42 |
| SHA512 | e5d86175d05f3a508439fa61efa74cd60bfed22204e55ece57782d880dc5995cf9bb72190dcb651cbbbe3d7f34529efe70852b122d01e80d4aab450e1cce37d2 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | a95fe7a1b7f36816116efc0c209b9008 |
| SHA1 | 07435d8e7c92416c16f9779274604003c1dde9f1 |
| SHA256 | 2cf5e3adfecafc3c26e4cec77081ecc06408abd45f78be2b6faedff0a29b976e |
| SHA512 | d9306e10cc5a1689362434dac49b670e518c70c29f57b83c2eab4f7a69202c858b7f348c58d9af054ffc1b1643a071f8e4f8d1e4d0a9fa037851a2d46ab62269 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
memory/4224-241-0x0000000073F80000-0x0000000074730000-memory.dmp
memory/4224-244-0x0000000004E60000-0x0000000004E70000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | f95d0ffbf6dab4d181c140b97223a8b7 |
| SHA1 | 9e85dcb0727ff6b63e2326ee45f40b79b25c4491 |
| SHA256 | ea4cdf1160beb4a3844a8db2c076ec047370f27c8bae7d4778aaec20a1f42ed8 |
| SHA512 | 0e3eb1593d2c3ce06613192c136d2f66d859ba358587a63219b7a74dab66a9072ebb6dc2acbec2851836c87ee22081c2430eb0e514116f6c16e6d069cb6014dd |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 545829f2e1789d490ec3ca0bbfda1245 |
| SHA1 | 9b8f6ef048279581c0e22bc9150e61ff805ba682 |
| SHA256 | aad40353adc00e60bdd46616b1eec6cbc217210786418b4cd063669caa8ca900 |
| SHA512 | 1411c221fd2f67762a56a186e2af2ed032f6591df1c9bb0adc36fae8fcf4340e0994cbcce25ead03bdee2d7b6dc56a6d454fa9b071e8f575eb48c454162acf42 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
| MD5 | 25ac77f8c7c7b76b93c8346e41b89a95 |
| SHA1 | 5a8f769162bab0a75b1014fb8b94f9bb1fb7970a |
| SHA256 | 8ad26364375358eac8238a730ef826749677c62d709003d84e758f0e7478cc4b |
| SHA512 | df64a3593882972f3b10c997b118087c97a7fa684cd722624d7f5fb41d645c605d59a89eccf7518570ff9e73b4310432c4bb5864ee58e78c0743c0c1606853a7 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 285252a2f6327d41eab203dc2f402c67 |
| SHA1 | acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6 |
| SHA256 | 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026 |
| SHA512 | 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 89fd01d4dbf5e14f4d8a6cceaf6aac8d |
| SHA1 | 2ef5743aedf51606116ec1281358cf0bc91bbd52 |
| SHA256 | e9e99f9d89ab13a6fba7e1b6e95e07ae6ce55612c67b02504c21eda331a3d4cc |
| SHA512 | 7c58983e89fef401813f8ed93417de0c2f1398359b0489632435d5f09409562913eac0abc1bae8183245a428e7088a24b834520037054693f48dea68517d1a22 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 16f383440b9ac70b9490f3847e8829e7 |
| SHA1 | bf85849f9b6394e38dbea6909f5e855de23e2bad |
| SHA256 | c59143318d0fc167bab03793f357fafb1dd13d35af0dc089e2d855ad1195932c |
| SHA512 | 11f6cc62a83135921f243194d44922858c442d4b7fe6df8ad454f922d0ad66da9fdc43b4ff7b712d7feb522fe7719edbe40b317ebafdef37b51ffb06952e2eed |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe589bed.TMP
| MD5 | 8da6559fde856597a342b104ccf37271 |
| SHA1 | e41752bb11fafaa54f286da5bac901ae8816455f |
| SHA256 | 1aa4b2c8977d500f0c5c13cf61bf55966894e38d77845aa2da7b54db2bf3b453 |
| SHA512 | 3432d55cc345d040d090f5f7a7bed08a2ada1aa4c6227ca8bbe82b8fde3b0d7ad6e8c26ee51d167deb0a8973b60b5f55a9c39b5f8f9f58de4e38d4bd42474f6b |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll
| MD5 | a5b509a3fb95cc3c8d89cd39fc2a30fb |
| SHA1 | 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c |
| SHA256 | 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529 |
| SHA512 | 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9 |
C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll
| MD5 | e913b0d252d36f7c9b71268df4f634fb |
| SHA1 | 5ac70d8793712bcd8ede477071146bbb42d3f018 |
| SHA256 | 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da |
| SHA512 | 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll
| MD5 | 6d5040418450624fef735b49ec6bffe9 |
| SHA1 | 5fff6a1a620a5c4522aead8dbd0a5a52570e8773 |
| SHA256 | dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3 |
| SHA512 | bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0 |
C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll
| MD5 | ec41f740797d2253dc1902e71941bbdb |
| SHA1 | 407b75f07cb205fee94c4c6261641bd40c2c28e9 |
| SHA256 | 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520 |
| SHA512 | e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\2c990a12-a2dd-417e-b51a-f85b00de87f1.tmp
| MD5 | e59cd6e519265a56a3334ec85bf9cff1 |
| SHA1 | 334707ed091bebaf0d6c2c803b9442aa78372d3d |
| SHA256 | ee63e0fbc655fed0edb0431d03f00622ae12af1f15d3e7113f2094abee6537a4 |
| SHA512 | 3d52dd37f7ec24084c5c0e4c33d670e28326a727d0172cc955a9d59f40525cf26d1c2d483213bb5da50d666b3cb3efd9e1ebc3e6d43989d065317c09ee3e9c40 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
| MD5 | 72677668d785c7164871fb8864544e87 |
| SHA1 | 7fcef0c409abd06851aaba1e3030a2ac45d385ef |
| SHA256 | 5b3fef350b201bc7c1448d52641f556a46f4e9637f51aa9928dc232ca2fe8d08 |
| SHA512 | d9191951ea464e039c9feb7590dcf1409441ebd21e182176d8ecfa7189d192bc6199d916d3b48efd709cdfd880d1a3c3538533e68d00192a79955a1f14f3d6c4 |