Malware Analysis Report

2025-08-05 22:18

Sample ID 231003-nxg6ascb95
Target 930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229
SHA256 930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229
Tags
amadey healer redline jordan dropper evasion infostealer persistence trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229

Threat Level: Known bad

The file 930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229 was found to be: Known bad.

Malicious Activity Summary

amadey healer redline jordan dropper evasion infostealer persistence trojan

RedLine

Amadey

Detects Healer, an antivirus disabler dropper

RedLine payload

Healer

Modifies Windows Defender Real-time Protection settings

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Windows security modification

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Program crash

Enumerates physical storage devices

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of FindShellTrayWindow

Creates scheduled task(s)

Enumerates system info in registry

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-10-03 11:46

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-10-03 11:46

Reported

2023-10-03 11:49

Platform

win10v2004-20230915-en

Max time kernel

149s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229.exe"

Signatures

Amadey

trojan amadey

Detects Healer, an antivirus disabler dropper

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Healer

dropper healer

Modifies Windows Defender Real-time Protection settings

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableBehaviorMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableIOAVProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableOnAccessProtection = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableScanOnRealtimeEnable = "1" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A

RedLine

infostealer redline

RedLine payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-1926387074-3400613176-3566796709-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe | N/A

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Windows security modification

evasion trojan

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Features\TamperProtection = "0" | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A

Adds Run key to start application

persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup2 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP002.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup3 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP003.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup4 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP004.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe | N/A

Enumerates physical storage devices

Creates scheduled task(s)

persistence

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A
N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 456 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe
PID 456 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe
PID 456 wrote to memory of 3800 | N/A | C:\Users\Admin\AppData\Local\Temp\930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe
PID 3800 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe
PID 3800 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe
PID 3800 wrote to memory of 2232 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe
PID 2232 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe
PID 2232 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe
PID 2232 wrote to memory of 60 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe
PID 60 wrote to memory of 4628 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe
PID 60 wrote to memory of 4628 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe
PID 60 wrote to memory of 4628 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe
PID 4628 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe
PID 4628 wrote to memory of 1884 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe
PID 4628 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe
PID 4628 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe
PID 4628 wrote to memory of 4076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe
PID 4076 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 1812 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2076 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4076 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 60 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe
PID 60 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe
PID 60 wrote to memory of 4504 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 4504 wrote to memory of 1608 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
PID 2232 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe
PID 2232 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe
PID 2232 wrote to memory of 2080 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe
PID 2080 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2080 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 2080 wrote to memory of 3488 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe
PID 3800 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe
PID 3800 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe
PID 3800 wrote to memory of 1888 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe
PID 3488 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3488 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3488 wrote to memory of 560 | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | C:\Windows\SysWOW64\schtasks.exe
PID 3488 wrote to memory of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | C:\Windows\SysWOW64\cmd.exe
PID 3488 wrote to memory of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | C:\Windows\SysWOW64\cmd.exe
PID 3488 wrote to memory of 3756 | N/A | C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe | C:\Windows\SysWOW64\cmd.exe
PID 1888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 1888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 1888 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe | C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
PID 3756 wrote to memory of 3124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe
PID 3756 wrote to memory of 3124 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229.exe

"C:\Users\Admin\AppData\Local\Temp\930e6cc9111deb2b7f8e795b7e422ff618de991c4059622cc80814bbf662b229.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4076 -ip 4076

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 2592 -ip 2592

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4076 -s 612

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2592 -s 540

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 572 -p 4504 -ip 4504

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4504 -s 152

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

"C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe"

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN explothe.exe /TR "C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "explothe.exe" /P "Admin:N"&&CACLS "explothe.exe" /P "Admin:R" /E&&echo Y|CACLS "..\fefffe8cea" /P "Admin:N"&&CACLS "..\fefffe8cea" /P "Admin:R" /E&&Exit

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

"C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6546555.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6546555.exe

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:N"

C:\Windows\SysWOW64\schtasks.exe

"C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit

C:\Windows\system32\cmd.exe

"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C4A8.tmp\C4A9.tmp\C4AA.bat C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6546555.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "explothe.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "legota.exe" /P "Admin:R" /E

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:N"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /S /D /c" echo Y"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:N"

C:\Windows\SysWOW64\cacls.exe

CACLS "..\fefffe8cea" /P "Admin:R" /E

C:\Windows\SysWOW64\cacls.exe

CACLS "..\cb378487cf" /P "Admin:R" /E

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.facebook.com/login

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x168,0x16c,0x170,0x144,0x174,0x7ffd5a6446f8,0x7ffd5a644708,0x7ffd5a644718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://accounts.google.com/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x160,0x164,0x168,0x13c,0x16c,0x7ffd5a6446f8,0x7ffd5a644708,0x7ffd5a644718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,18202393424411739413,11006960237245688410,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,18202393424411739413,11006960237245688410,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2244 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2148 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3828 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5316 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5320 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6120 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6044 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll, Main

C:\Windows\SysWOW64\rundll32.exe

"C:\Windows\System32\rundll32.exe" C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll, Main

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,2874846371397525467,17270262565047094216,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1068 /prefetch:2

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 146.78.124.51.in-addr.arpa udp
US 8.8.8.8:53 241.154.82.20.in-addr.arpa udp
US 8.8.8.8:53 254.178.238.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 59.128.231.4.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 1.124.91.77.in-addr.arpa udp
US 8.8.8.8:53 78.68.91.77.in-addr.arpa udp
US 8.8.8.8:53 accounts.google.com udp
NL 142.250.179.141:443 accounts.google.com tcp
US 8.8.8.8:53 www.facebook.com udp
NL 157.240.201.35:443 www.facebook.com tcp
NL 142.250.179.141:443 accounts.google.com udp
US 8.8.8.8:53 static.xx.fbcdn.net udp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
NL 157.240.201.15:443 static.xx.fbcdn.net tcp
US 8.8.8.8:53 facebook.com udp
US 8.8.8.8:53 fbcdn.net udp
US 8.8.8.8:53 141.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 35.201.240.157.in-addr.arpa udp
US 8.8.8.8:53 15.201.240.157.in-addr.arpa udp
NL 157.240.201.35:443 fbcdn.net tcp
US 8.8.8.8:53 fbsbx.com udp
US 8.8.8.8:53 195.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 131.179.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.168.217.172.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 play.google.com udp
NL 142.251.36.14:443 play.google.com tcp
NL 142.251.36.14:443 play.google.com udp
US 8.8.8.8:53 2.136.104.51.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
FI 77.91.124.1:80 77.91.124.1 tcp
FI 77.91.68.78:80 77.91.68.78 tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 21.236.111.52.in-addr.arpa udp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
FI 77.91.124.55:19071 tcp
US 8.8.8.8:53 88.16.208.104.in-addr.arpa udp
FI 77.91.124.55:19071 tcp

Files

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\z0959101.exe

MD5 f163cd0d45e8523a45720b4363018d05
SHA1 9e05be9b83842754d5fec056f304178f4717f40d
SHA256 90b92756182d4d4ee1e24509e0b6dabca6aa9e879b8bef51e76cdd559387a344
SHA512 19a65826b3c97d8b92acc24e2c1a4e8a8fe8aab176e0ce66856f20ac04938376f41ee7175aa1c6ba8517a454cbbe0898166880b380d0bef2e4609e9b4a68b0a5

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\z5771405.exe

MD5 77f24b16b3ad9aa39f5015ca8c9db86a
SHA1 cf7cb294d1ce5562769c53eefc781b03bdb22e31
SHA256 bbd0a47ff17cac2e9050dbaf1017080b427c66c10fc7d7834bd33c029bd97b7f
SHA512 0246756bdf0add5fe1baed8cc65f5a2c522931f422677475d54d429cd6e3ec31b22709873f781f731c825a3d2ac6a7cdac54fc9f0c1f35212cb15283c3698507

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\z8641148.exe

MD5 6dc5fb6ef20d9bddc9cbd04b109dd891
SHA1 6b9b6b1789d466c951d0531e55f718f12a10e796
SHA256 122c541cff76ae08b96a74bdf99b9d13d6ee01ad15af75141f2a063fca1fc187
SHA512 b327443cdcdba08032a8ca20c8735ec0f1c5e7f9f63775732d8c9a7fe32ff23fd25fd379b41ff7b71f23fa197bf5ce4ef9a7c55e57b229f44b0d66599e066770

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\z3030870.exe

MD5 1f38a961c53f4954aa8ac77f9b42140e
SHA1 3958777d2a75b790b8367e64e09a5a67a7b6a1df
SHA256 0174429989aa45d0480d86278aae8c3ad434027907f5e3a1b71fd979574c7592
SHA512 e05ced27d52f1b245ec5dc7c4b3ab34f979b6b89f64f73d3ac3d9e235c1cd65f21e09bbbb6d8960920277c753906df93ac34d3b155723ab32a57902299df0208

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\q9933055.exe

MD5 acd47d5b95be0b98f659fe3d78e691bc
SHA1 2326e0944585341a4c7a9abfaad00d75b284267a
SHA256 d45ab7da32ba930fbdc658cfd666ed7fd79380e050d11a7e364f971958f6554a
SHA512 193dd3c01be538b2ec5c83abc8f7205eeff913ceaa16e61b3269dd8e22ccc09fafef3b95d5dbba368033573fcddee504e7592efcb5c9323eaa846bbf135303ed

memory/1884-35-0x0000000000030000-0x000000000003A000-memory.dmp

memory/1884-36-0x00007FFD58B50000-0x00007FFD59611000-memory.dmp

memory/1884-38-0x00007FFD58B50000-0x00007FFD59611000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP004.TMP\r9923254.exe

MD5 4f0618a9c475f2cc448658d569feecf6
SHA1 894882be7b89ef0fc6c80f1b6d2af88f70a633ab
SHA256 b45b29dfdeaa8ea21d2e73220210627f7feadb3d73326da0f24825b38389d382
SHA512 0a5b6ab69ab1cf37b9f93c0d59eb55af05f8976272fef45eb551d2ced503f9e64ecb7ef914bb176d52111f426933015200a847855ab21c84e35d2e8f492855b1

memory/2592-42-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2592-43-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2592-44-0x0000000000400000-0x0000000000428000-memory.dmp

memory/2592-46-0x0000000000400000-0x0000000000428000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP003.TMP\s8523893.exe

MD5 c6317582f8130421161952b470811e4a
SHA1 66dfd5c8a307b34a9cfb6591b1e2b462388ac354
SHA256 b0f4d40847c9f4234103fab7ecc4242fab92564c1e25913bce81c46f1c8bf4fd
SHA512 d2aff815fbe22addebdfd9dd190d5e0bc6ea2c2a899b233500f8c29b3199cc2ab30270967f8cb63af3885a57a20ef1783f075bba6839e4e337b98e3151397008

memory/1608-50-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1608-51-0x00000000742C0000-0x0000000074A70000-memory.dmp

memory/1608-52-0x00000000081B0000-0x0000000008754000-memory.dmp

memory/1608-53-0x0000000007CB0000-0x0000000007D42000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP002.TMP\t0365815.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

C:\Users\Admin\AppData\Local\Temp\fefffe8cea\explothe.exe

MD5 4bd59a6b3207f99fc3435baf3c22bc4e
SHA1 ae90587beed289f177f4143a8380ba27109d0a6f
SHA256 08e33db08288da47bbbe3a8d65a59e8536b05c464ba91dc66e08f9abd245e236
SHA512 ca7517384a5449145a819e45445ff9bbcb27ea1b9e2a63c13ef12e256475e0ccbf05031b5ab5cb83a24b2cdd37d425cc7b9044c660098d39f47f05e95bbb6324

memory/1608-59-0x0000000007DE0000-0x0000000007DF0000-memory.dmp

memory/1608-60-0x0000000007DC0000-0x0000000007DCA000-memory.dmp

memory/1608-68-0x0000000008D80000-0x0000000009398000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\u3928333.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

MD5 a427281ec99595c2a977a70e0009a30c
SHA1 c937c5d14127921f068a081bb3e8f450c9966852
SHA256 40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3
SHA512 2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

memory/1608-74-0x0000000008060000-0x000000000816A000-memory.dmp

memory/1608-75-0x0000000007F90000-0x0000000007FA2000-memory.dmp

memory/1608-76-0x0000000007FF0000-0x000000000802C000-memory.dmp

memory/1608-79-0x0000000008760000-0x00000000087AC000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\w6546555.exe

MD5 a7b8c704037c5fa58351fb3fcd432894
SHA1 b379aa15b8d0b27e1a0e7fa4bb7e309b428064c6
SHA256 a56c13d1f66f8db2944972178f450f40ef8fc2fd4dc942070768d78936c33e55
SHA512 b7bb5dff325f7a9337ab62d1a3a158353f3ce32516985be07655564993c6ce2d666f4a56c3a2ca4e37a3365d3d80cf4b159ccb30fd249a25fe6f9b2a18cab6d1

C:\Users\Admin\AppData\Local\Temp\C4A8.tmp\C4A9.tmp\C4AA.bat

MD5 5a115a88ca30a9f57fdbb545490c2043
SHA1 67e90f37fc4c1ada2745052c612818588a5595f4
SHA256 52c4113e7f308faa933ae6e8ff5d1b955ba62d1edac0eb7c972caa26e1ae4e2d
SHA512 17c399dad7b7343d5b16156e4d83de78ff5755d12add358bd2987ed4216dd13d24cfec9ecdb92d9d6723bb1d20d8874c0bad969dbec69eed95beb7a2817eb4fe

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 0987267c265b2de204ac19d29250d6cd
SHA1 247b7b1e917d9ad2aa903a497758ae75ae145692
SHA256 474887e5292c0cf7d5ed52e3bcd255eedd5347f6f811200080c4b5d813886264
SHA512 3b272b8c8d4772e1a4dc68d17a850439ffdd72a6f6b1306eafa18b810b103f3198af2c58d6ed92a1f3c498430c1b351e9f5c114ea5776b65629b1360f7ad13f5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 f95638730ec51abd55794c140ca826c9
SHA1 77c415e2599fbdfe16530c2ab533fd6b193e82ef
SHA256 106137874d86d602d1f4af7dac605f3470ec7a5d69b644b99d502bb38925bbd3
SHA512 0eb01b446d876886066783242381d214a01e2d282729a69b890ae2b6d74d0e1325a6bd4671738ebe3b6ecadc22ceb00f42348bad18d2352896ed3344cc29f78a

\??\pipe\LOCAL\crashpad_808_ZFQFZFMOUVSWWRUA

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

\??\pipe\LOCAL\crashpad_2912_RQYXLUZPYJDBSANE

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 653056b7e752a9071e5917106c7f16aa
SHA1 762cef7da49c6c817b793eff3801db8850b5b22a
SHA256 897269218bdcf10283570f2e5b139232051df9f88156b0466600e21a2b943943
SHA512 eb15c1c2426c8210c1e2b39533317d5200ea02a67bf968da44cca6160ee2b4845280e6542f18d3ce335275ef68e7a2e466c5a83b58f7d590bb5313f9e0e26382

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 0dce96dd1ad3b088b61be3651d6bb0c6
SHA1 d9067a93e56c549238a4babe14375123d086b6a4
SHA256 4d8e9b8099aa73d3d3cc510cc14b5bbef578a4d3a69399a56a06f26d40b5c343
SHA512 dd0a189ce69dabd43c8de8246014b38318204a1e90ec0711a31809c1928417cd11b902c3fd37cf1517e2dd2c37b8469c808f6a55c034321009688fcf857d7a7f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

memory/1608-245-0x00000000742C0000-0x0000000074A70000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 bf862b15af0a8c629820c7baaf41d416
SHA1 571e352abe90a726417f6b4c7b580613be7de7a9
SHA256 b815721ada9d7c2b46da9b2b0a5a1304c38373048111117bb8895d80da0b5fe4
SHA512 a07db5094dd964006502b24496a153ba59901a78c7eb72075a429e4626a690460bf78293e2af38a6c65a3f85986476bd28518bc0f43801636f12d9a622e75c25

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b6d9051d3e0ca63ea512991b1915c56c
SHA1 58da8c59cd989d5664b5f6a07bb174027f4943d4
SHA256 4bfac3020c439510ea3876536803d5ea4d9c5e264453f3d79bf50805668af9d6
SHA512 5e05761185344df23f861064e7a0ad6823eb8df8115b0ea5c137f3e8fd3784eb05b7301907202bb3941d3c1d00525f74915c3105322091251e3d39d7c644b37d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 4a078fb8a7c67594a6c2aa724e2ac684
SHA1 92bc5b49985c8588c60f6f85c50a516fae0332f4
SHA256 c225fb924400745c1cd7b56fffaee71dce06613c91fbbb9aa247401ccb49e1ee
SHA512 188270df5243186d00ca8cc457f8ab7f7b2cd6368d987c3673f9c8944a4be6687b30daf8715429bd1b335391118d0ce840e3cb919ff4138c6273b286fb57b2b6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 285252a2f6327d41eab203dc2f402c67
SHA1 acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6
SHA256 5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026
SHA512 11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 705a12f2269e8a23f57789fa4f28ca40
SHA1 acf71b971b54558499677ef860b274d309756195
SHA256 d36961b8e368ced5e0681b68a664bdd4634b7bfee5b7bd563d72097a36023e41
SHA512 33aa37e47bd12349b604dfc37b5811f6c56fab07037655be8fc24009956fc9828ed5a459a9a30aa794450e84b66dc49f83aa060c2c83ddbc2d65cf98264b61c3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581bb1.TMP

MD5 e459a42bdfcbd7465933d09cdbd0bf82
SHA1 4df6c4616c3d03a6314b725de5733b516dfe092d
SHA256 8b96a344e715be635973aa7d070bce7376b9dd37a0b7d9a611aaa4cf93b26366
SHA512 f805ab78af6e32d6e823a5664cefec20c2485853614608c882ad85fb8ce740720152ae9f1da1a4e32b48e3b7c48e08f02c0d52b94e39fe614d51d4b4c8302b31

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 c89ba9e816330ff68ea4871df262221d
SHA1 3bac6b268a54912d413ca8bd6600bbf971652da7
SHA256 e7f2d34fd305da65711977f9eb821affe74bf454a259350557e27341d4dcde23
SHA512 75512d323e104908de96a0a78f60cfe5d7a54f2d0cbd63028f73a78f6cbdc30a8f57414d129ddc30e3625af3dcbaf65f481fdd6a3e3736c5f384ba1de4d205da

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 422acf752b97b3a175904dc63bcff979
SHA1 f7ee7d08911c7fe129d88d472c0768dec457e187
SHA256 831d30abd3a4e893965fcef89dbee6f723da3ae42fe3c2dce3f31e3809475c52
SHA512 546d3dc1d20f40476b812346384780e2d29b1296192329225580db6343b448506a72ca167f0756c0130656cbcf3de2333f8e958e54e944bb77a1fb6f1a8eeaea

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\cred64.dll

MD5 a5b509a3fb95cc3c8d89cd39fc2a30fb
SHA1 5aff4266a9c0f2af440f28aa865cebc5ddb9cd5c
SHA256 5f3c80056c7b1104c15d6fee49dac07e665c6ffd0795ad486803641ed619c529
SHA512 3cc58d989c461a04f29acbfe03ed05f970b3b3e97e6819962fc5c853f55bce7f7aba0544a712e3a45ee52ab31943c898f6b3684d755b590e3e961ae5ecd1edb9

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\cred64.dll

MD5 6d5040418450624fef735b49ec6bffe9
SHA1 5fff6a1a620a5c4522aead8dbd0a5a52570e8773
SHA256 dbc5ab846d6c2b4a1d0f6da31adeaa6467e8c791708bf4a52ef43adbb6b6c0d3
SHA512 bdf1d85e5f91c4994c5a68f7a1289435fd47069bc8f844d498d7dfd19b5609086e32700205d0fd7d1eb6c65bcc5fab5382de8b912f7ce9b6f7f09db43e49f0b0

C:\Users\Admin\AppData\Roaming\a091ec0a6e2227\clip64.dll

MD5 ec41f740797d2253dc1902e71941bbdb
SHA1 407b75f07cb205fee94c4c6261641bd40c2c28e9
SHA256 47425ebf3dd905bbfea15a7667662aa6ce3d2deba4b48dfbe646ce9d06f43520
SHA512 e544348e86cee7572a6f12827368d5377d66194a006621d4414ef7e0f2050826d32967b4374dfbcdecda027011c95d2044bd7c461db23fad639f9922b92a6d33

C:\Users\Admin\AppData\Roaming\006700e5a2ab05\clip64.dll

MD5 e913b0d252d36f7c9b71268df4f634fb
SHA1 5ac70d8793712bcd8ede477071146bbb42d3f018
SHA256 4cf5b584cf79ac523f645807a65bc153fbeaa564c0e1acb4dac9004fc9d038da
SHA512 3ea08f0897c1b7b5859961351eef59840bbf319a6ad7ebe1c9e1b5e2ce25588d7b1a37fd6c5417653521fc73f1f42eb043d0ee6fcd645aa92b8f305d726273b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 192ed1fec1a684c32836c41ec9fb2447
SHA1 6ebfb9763622bd22bc8a11217987312f7cde7ee2
SHA256 de1f1d861b92664ca72357948691d2627336eb237a16fd2cfdadb9fa6afa3f09
SHA512 6b3b935979cd7f7633cde4026cf7fc765723f09b71fb465708c75e6e8cdd683541194921532d763c3ddedab16a29775cdefabe43e05273cb1d8df21b25529679

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 7be60db4c05f5e9a435a64c607a1e47e
SHA1 ea93716180ef20d363d303325c6189cddb74f684
SHA256 78ec86ce60c1507d77008bef53430de15f06f8ccc729aae004f03ae335306e53
SHA512 9424df51731c3be5ff3e023b893349d513d0e0dd0b10f341aa3c20f37c6ef50b92a0d5ab25c71b2eb52200c06a3a65228500c22a5b8e92153399d27ed1882213
