amadey | hxxp://77[.]91[.]124[.]1/file/lega[.]exe

Analysis

max time kernel
68s
max time network
79s
platform
windows10-2004_x64
resource
win10v2004-20231020-en
resource tags

arch:x64arch:x86image:win10v2004-20231020-enlocale:en-usos:windows10-2004-x64system
submitted
28-10-2023 23:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://77.91.124.1/file/lega.exe

Score

10^/10

amadey trojan

Malware Config

Extracted

Family

amadey

Version

3.89

http://77.91.68.78/help/index.php

Attributes

install_dir
cb378487cf
install_file
legota.exe
strings_key
f3785cbeef2013b6724eed349fd316ba

rc4.plain

Signatures

Amadey
Amadey bot is a simple trojan bot primarily used for collecting reconnaissance information.
trojan amadey
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	lega.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1873812795-1433807462-1429862679-1000\Control Panel\International\Geo\Nation	legota.exe

Executes dropped EXE 2 IoCs

pid	Process
4304	lega.exe
3548	legota.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2516	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe\:SmartScreen:$DATA	lega.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 49396.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2140	msedge.exe
2140	msedge.exe
2896	msedge.exe
2896	msedge.exe
4672	identity_helper.exe
4672	identity_helper.exe
4368	msedge.exe
4368	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe
2896	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2896 wrote to memory of 3552	2896	msedge.exe	84
PID 2896 wrote to memory of 3552	2896	msedge.exe	84
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 3112	2896	msedge.exe	88
PID 2896 wrote to memory of 2140	2896	msedge.exe	89
PID 2896 wrote to memory of 2140	2896	msedge.exe	89
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90
PID 2896 wrote to memory of 4044	2896	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://77.91.124.1/file/lega.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2896
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff965e346f8,0x7ff965e34708,0x7ff965e34718
  2⤵
  PID:3552
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2132 /prefetch:2
  2⤵
  PID:3112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2196 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:3868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:3048
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
  2⤵
  PID:3160
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3932 /prefetch:8
  2⤵
  PID:3124
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6160 /prefetch:8
  2⤵
  PID:2580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3264 /prefetch:1
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3200 /prefetch:1
  2⤵
  PID:3216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
  2⤵
  PID:3772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2120,17950729901194211842,6585098517403205584,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4024 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4368
- C:\Users\Admin\Downloads\lega.exe
  "C:\Users\Admin\Downloads\lega.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - NTFS ADS
  PID:4304
- - C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe
    "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    PID:3548
  - - C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /SC MINUTE /MO 1 /TN legota.exe /TR "C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe" /F
      4⤵
      Creates scheduled task(s)
      PID:2516
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k echo Y|CACLS "legota.exe" /P "Admin:N"&&CACLS "legota.exe" /P "Admin:R" /E&&echo Y|CACLS "..\cb378487cf" /P "Admin:N"&&CACLS "..\cb378487cf" /P "Admin:R" /E&&Exit
      4⤵
      PID:3404
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:N"
        5⤵
        
        PID:904
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "legota.exe" /P "Admin:R" /E
        5⤵
        
        PID:4640
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:N"
        5⤵
        
        PID:1688
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /S /D /c" echo Y"
        5⤵
        
        PID:4176
    - - C:\Windows\SysWOW64\cacls.exe
        
        CACLS "..\cb378487cf" /P "Admin:R" /E
        5⤵
        
        PID:4076

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5080

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6dded92ec95cf9f22410bdeac841a00d

SHA1
83c32c23d53c59d654868f0b2a5c6be0a46249c2

SHA256
1840d5c60c79874359414677662439087173c575d814c07ebe661ae1cebb639e

SHA512
e13df653c0364be2b61619fe3d46799e10a565b41f33d3ce15e50397f8f9aa328e8c821212efe10cfe3b8283c1e8c7e9eb15f9674fc456837d6ee8c38bc8b0d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
74c73909003adf49f1045f21a0c27d2a

SHA1
1a7bf2279f1ab36f05724312910eaabb26ea2aaf

SHA256
56f2fce62b4df86330d24fc33ca1883487f21cf85756cc35c28eedd048285464

SHA512
18c2aa03e9b4c9550210bd3ba2ff1d8b680d4cb91d448aa13f2414718752a88564cf68b5644b58369ffbd1ec49d3a412a566a710223aa01cb69f37f01bff56a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
169e6d8ce7825ba0e3910062bbada927

SHA1
453bce2dfa7cb35c62195d4e4ce6a42defe40e4f

SHA256
478be09c83efabe43a59d5c9585f832e2b5fd2bc835fb42daaac50581690ea55

SHA512
b07d7cfe542d7fcb392a6a947fcaaf04b144beccd94a195deefd8b78e7bf210f2a59d6b2f64c3cda8cb48c3d96a29d31a3431a094644998b845df8b20f7394fa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6c24d2feed94e207656593654e02b7ad

SHA1
583ee906b6b44a403cd479b2bf672adfff5e81b5

SHA256
c8c0104d85d67ba575ed95cfbdf820578028c4c45028c757f50e64874ccfd643

SHA512
a57c8a8d0ac470460e78a78b17f7a85a383e592d777d481878fe4ef06cbe552c3efc1b3d04d9d6450fcce23c1265a35327ef520fc2e039e1bf0ca2a0773a24a5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
e05436aebb117e9919978ca32bbcefd9

SHA1
97b2af055317952ce42308ea69b82301320eb962

SHA256
cc9bd0953e70356e31a957ad9a9b1926f5e2a9f6a297cdef303ac693a2a86b7f

SHA512
11328e9514ffaa3c1eab84fae06595d75c8503bd5601adfd806182d46065752885a871b738439b356d1bb2c1ac71fc81e9d46bd2d0daa1b2ba0f40543bf952b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
38b66c8fc5a2661c98038481850cb2c3

SHA1
fe67504200a6d905e3722cd6f6b1a10c06adc224

SHA256
a7b4aa40e4fde6a3c3d92f02c8225470ab6e7fd34c31fe2fdc0d409e36290723

SHA512
7903004eee50fb6ef0500c64cebbe263de61b5245ddd1495b7dcd38634d5ff01599c6cf148623af83c7b7f392bc4a075cd0b48e3a4d2f0738468d9dde352857e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c12edffae7de439aca523eaab9e7b6ed

SHA1
0ec3a06cb909eb76fcbab1b68409870b87e8e6d2

SHA256
b56c142e07985c371064c6bc6a250ad2200a8dd7d8820bc76e0ade6c04d6eccb

SHA512
8663a171f2b438767a17cb171ddef77f47eac71002c7e55c438fe0e9b955e9a11167a50d7227e227cdd67777bddb003ad0ee4621806e12cab3fc50f132118076

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\AppData\Local\Temp\cb378487cf\legota.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 49396.crdownload

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\Downloads\lega.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit
C:\Users\Admin\Downloads\lega.exe

Filesize
219KB

MD5
a427281ec99595c2a977a70e0009a30c

SHA1
c937c5d14127921f068a081bb3e8f450c9966852

SHA256
40ff20f391de89b6604882de34b20f32e78d6ead62c4587b3fa968c6c21e03d3

SHA512
2a7a735bbaab2b19d5ca23e988ff7aaba8dc91b7e6295a84a4a9ff5efa5e89a67ff40073c671192054262153d188f0534bfd6e67231fe79c0e6e46d0ed380976

Download Submit