Malware Analysis Report

2025-03-15 03:43

Sample ID 241102-e8kwws1jeq
Target RippleSpoofer.exe
SHA256 24da608c67872f52cabdba9feda205d8dba2b262d2beedc24f3d72f1f559d8b0
Tags
discovery evasion persistence themida trojan exelastealer collection defense_evasion privilege_escalation pyinstaller spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

24da608c67872f52cabdba9feda205d8dba2b262d2beedc24f3d72f1f559d8b0

Threat Level: Known bad

The file RippleSpoofer.exe was found to be: Known bad.

Malicious Activity Summary

discovery evasion persistence themida trojan exelastealer collection defense_evasion privilege_escalation pyinstaller spyware stealer upx

Modifies visiblity of hidden/system files in Explorer

Exelastealer family

Exela Stealer

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Boot or Logon Autostart Execution: Active Setup

Downloads MZ/PE file

Modifies Windows Firewall

Deletes itself

Executes dropped EXE

Clipboard Data

Loads dropped DLL

Reads user/profile data of web browsers

Themida packer

Checks BIOS information in registry

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Checks whether UAC is enabled

Enumerates connected drives

Network Service Discovery

Suspicious use of NtSetInformationThreadHideFromDebugger

Hide Artifacts: Hidden Files and Directories

UPX packed file

Drops file in System32 directory

Enumerates processes with tasklist

Drops file in Windows directory

Launches sc.exe

Permission Groups Discovery: Local Groups

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Location Discovery: System Language Discovery

Unsigned PE

Detects Pyinstaller

System Network Configuration Discovery: Wi-Fi Discovery

System Network Connections Discovery

Modifies Internet Explorer settings

Uses Task Scheduler COM API

Suspicious behavior: GetForegroundWindowSpam

Gathers system information

Suspicious use of FindShellTrayWindow

Gathers network information

Suspicious use of WriteProcessMemory

Runs net.exe

Views/modifies file attributes

Suspicious use of SendNotifyMessage

Kills process with taskkill

Checks SCSI registry key(s)

Modifies registry class

Enumerates system info in registry

Collects information from the system

Scheduled Task/Job: Scheduled Task

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Reported

2024-11-02 04:36

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-02 04:36

Reported

2024-11-02 04:39

Platform

win7-20240903-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

Signatures

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1488793075-819845221-1497111674-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\schtasks.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2100 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 
PID 2100 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 
PID 2100 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 
PID 2100 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 
PID 2100 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2100 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2100 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2100 wrote to memory of 536 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 536 wrote to memory of 2872 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 536 wrote to memory of 2872 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 536 wrote to memory of 2872 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 536 wrote to memory of 2872 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2872 wrote to memory of 2764 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2872 wrote to memory of 2764 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2872 wrote to memory of 2764 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2872 wrote to memory of 2764 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2764 wrote to memory of 2856 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2764 wrote to memory of 2856 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2764 wrote to memory of 2856 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2764 wrote to memory of 2856 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2856 wrote to memory of 2716 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2856 wrote to memory of 2716 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2856 wrote to memory of 2716 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2856 wrote to memory of 2716 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2872 wrote to memory of 2208 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2872 wrote to memory of 2208 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2872 wrote to memory of 2208 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2872 wrote to memory of 2208 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2856 wrote to memory of 2228 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2228 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2228 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2228 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2384 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2384 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2384 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2384 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2856 wrote to memory of 2940 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

\??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 

c:\users\admin\appdata\local\temp\ripplespoofer.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:39 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:40 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 04:41 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.dropbox.com udp
NL 162.125.65.18:443 www.dropbox.com tcp

Files

memory/2100-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\AppData\Local\Temp\ripplespoofer.exe 

MD5 76ed914a265f60ff93751afe02cf35a4
SHA1 4f8ea583e5999faaec38be4c66ff4849fcf715c6
SHA256 51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
SHA512 83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac

memory/2100-9-0x0000000002B40000-0x00000000047C0000-memory.dmp

memory/2128-10-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-12-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-14-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-13-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-15-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-16-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-18-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-19-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-20-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-22-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

memory/2128-23-0x0000000000340000-0x0000000001FC0000-memory.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 4528c38daa6a6d02713539fe7af6006b
SHA1 af33038764a138b0352a94319a31e6c03b69ffdd
SHA256 82b00ca9a3a4be9dff240dd1805f794cb706ca5df1721d492906314752290262
SHA512 ce2198bfcff3dc199cbad45ecbae87f78acaa002276ebb94c824cf25d6b89159ac14adadb69f87389ff1dfb50d1ab87f4054a5e9e8dbbb5a93e7bd4936bcce82

C:\Windows\Resources\Themes\explorer.exe

MD5 32d20614d1e5c8c16dfc5e77de0070ee
SHA1 45250fe5d658c95d8423ed9987a72e6e097f70cd
SHA256 1e1ef9a339309a4aea22d82af382f7f433ffd1337255536067b97b6546e4267d
SHA512 f9f844b1762205fe098d0fec4816c33bfd70ddd78f4c228f65c66a2ce2829fee13dab064ff88f415a966510260b7434b4aae72e540ca3e3d8d756fffada8e7f2

memory/2100-39-0x0000000000400000-0x000000000041F000-memory.dmp

\Windows\Resources\spoolsv.exe

MD5 035eb94e525dd5b40b6aa9cb683edb73
SHA1 dd7a7793daff755ae8758c25d9da9cf058d8d7ca
SHA256 25a67891b2cc77af333b63bbcde72c49329d12a59f68a429912bcb10ba5b5178
SHA512 bc4cf26b422eb306ff36559d9f26ef4ad3edebeaf9d1c1514b1e898f2496dd932d687b0e18d294ea24f4c1c9c3e94a7035723f16d1cf0de4a54c2deea14ebfa0

\Windows\Resources\svchost.exe

MD5 0bfe10fb50b478a036246faec22ae028
SHA1 4cec11713e9ed09a21c8eebc4a115afc7952696e
SHA256 34995da38248de3f5a2d5b68d55dd8da327ff0e84f6ba63dc648ede6d6860fb8
SHA512 6cb017e35cec4a2c65e9d8d93b02e3fcb55d11d7cb680b0b2ea66bdc687e3fabe5686a094bc6f18c3b4982b207e2b40eb20d00c9a7be6bf69ca6d26d4f66475c

memory/2100-70-0x0000000002B40000-0x00000000047C0000-memory.dmp

memory/2856-75-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2764-76-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2764-74-0x0000000000290000-0x00000000002AF000-memory.dmp

memory/2872-73-0x0000000000400000-0x000000000041F000-memory.dmp

memory/536-72-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2716-71-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2764-77-0x0000000000400000-0x000000000041F000-memory.dmp

memory/536-78-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2128-79-0x000000001D610000-0x000000001D6C2000-memory.dmp

memory/2128-80-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-81-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-82-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2128-84-0x0000000000340000-0x0000000001FC0000-memory.dmp

memory/2872-92-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2856-93-0x0000000000400000-0x000000000041F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-02 04:36

Reported

2024-11-02 04:46

Platform

win10v2004-20241007-en

Max time kernel

173s

Max time network

434s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

Signatures

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Modifies visiblity of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Boot or Logon Autostart Execution: Active Setup

persistence
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\Explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Active Setup\Installed Components C:\Windows\explorer.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\Explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\Explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\F: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A
File opened (read-only) \??\D: C:\Windows\explorer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Resources\Themes\icsys.icn.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\themes\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\spoolsv.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language \??\c:\windows\resources\svchost.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\ConfigFlags C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0002 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{a45c254e-df1c-4efd-8020-67d146a850e0}\0011 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001 C:\Windows\Explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\HardwareID C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Capabilities C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006 C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\Explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\0064 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004 C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\explorer.exe N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\it-IT-N\\L1040" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{F2AF614D-0FC4-4460-9B0F-559309682F60} C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "CC" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR es-ES Lts Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DomStorageState C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\de-DE\\VoiceActivation_HW_de-DE.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "SR fr-FR Lts Lexicon" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "{06405088-BC01-4E08-B392-5303E75090C8}" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{3D5AF6D9-7A43-4122-949F-7C3193BA9BE3} C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.PeopleExperienceHost_cw5n1h2txyewy\ApplicationFrame\Microsoft.Windows.PeopleExperienceHos = 6801000088020000 C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "11.0.2013.1022" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "23" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff C:\Windows\Explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "C0A" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\MSTTSLocjaJP.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search\ = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\System32\\Speech_OneCore\\VoiceActivation\\it-IT\\VoiceActivation_it-IT.dat" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\EdpDomStorage\Total C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\microsoft.windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "- 0001 ! 0002 & 0003 , 0004 . 0005 ? 0006 _ 0007 1 0008 ~ 0009 aa 000a a 000b oh 000c ax 000d b 000e d 000f eh 0010 ey 0011 f 0012 g 0013 hy 0014 uy 0015 iy 0016 k 0017 l 0018 m 0019 n 001a ng 001b nj 001c oe 001d eu 001e ow 001f p 0020 r 0021 s 0022 sh 0023 t 0024 uw 0025 v 0026 w 0027 y 0028 z 0029 zh 002a" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "L1040" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\MuiCache C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search\Total = "56" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU C:\Windows\explorer.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings C:\Windows\Explorer.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\SR\\fr-FR-N\\c1036.fe" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "5248260" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\SOFTWARE\Microsoft\Speech_OneCore\Isolated\ohDO1Sgy3MzgdEgEb4WYfDS4eik = "%windir%\\Speech_OneCore\\Engines\\TTS\\ja-JP\\M1041Ayumi" C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.windows.search_cw5n1h2txyewy\Internet Explorer\DOMStorage\windows.search C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell C:\Windows\explorer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4050598569-1597076380-177084960-1000\{8FCDB164-971A-4E19-ADCD-8CDC033A7DCF} C:\Windows\explorer.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Explorer.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Explorer.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\Explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A
N/A N/A C:\Windows\explorer.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A \??\c:\windows\resources\spoolsv.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe N/A
N/A N/A C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3504 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 
PID 3504 wrote to memory of 700 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 
PID 3504 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 3504 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 3504 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2236 wrote to memory of 2632 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2236 wrote to memory of 2632 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2236 wrote to memory of 2632 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2632 wrote to memory of 2280 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2632 wrote to memory of 2280 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2632 wrote to memory of 2280 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2280 wrote to memory of 4596 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2280 wrote to memory of 4596 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2280 wrote to memory of 4596 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4596 wrote to memory of 2832 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4596 wrote to memory of 2832 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4596 wrote to memory of 2832 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 700 wrote to memory of 3772 N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  C:\Windows\SYSTEM32\taskkill.exe
PID 700 wrote to memory of 3772 N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  C:\Windows\SYSTEM32\taskkill.exe
PID 4596 wrote to memory of 3368 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4596 wrote to memory of 3368 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 4596 wrote to memory of 3368 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 3368 wrote to memory of 4168 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe
PID 3368 wrote to memory of 4168 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe
PID 3368 wrote to memory of 4168 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe
PID 700 wrote to memory of 3088 N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
PID 700 wrote to memory of 3088 N/A \??\c:\users\admin\appdata\local\temp\ripplespoofer.exe  C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
PID 4168 wrote to memory of 3528 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4168 wrote to memory of 3528 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4168 wrote to memory of 3528 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4168 wrote to memory of 2596 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 4168 wrote to memory of 2596 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 3088 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
PID 3088 wrote to memory of 3344 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
PID 3344 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 3656 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 3568 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3604 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3604 wrote to memory of 3168 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\Wbem\WMIC.exe
PID 3568 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3568 wrote to memory of 312 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3344 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 740 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 740 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 740 wrote to memory of 1160 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\attrib.exe
PID 3344 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 1860 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 1860 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1860 wrote to memory of 3172 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 3344 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 1192 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 4044 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 1480 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 3344 wrote to memory of 1840 N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1192 wrote to memory of 1104 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\cmd.exe
PID 1480 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe
PID 1480 wrote to memory of 4732 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\tasklist.exe

Uses Task Scheduler COM API

persistence

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

\??\c:\users\admin\appdata\local\temp\ripplespoofer.exe 

c:\users\admin\appdata\local\temp\ripplespoofer.exe 

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x370 0x48c

C:\Windows\SYSTEM32\taskkill.exe

"taskkill" /F /IM explorer.exe

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\explorer.exe

explorer.exe

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\explorer.exe

explorer.exe

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"

C:\Windows\explorer.exe

explorer.exe

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe"

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe

"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe

"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 www.dropbox.com udp
NL 162.125.65.18:443 www.dropbox.com tcp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 22.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 18.65.125.162.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 56.163.245.4.in-addr.arpa udp
NL 162.125.65.18:443 www.dropbox.com tcp
US 8.8.8.8:53 18.65.125.162.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 uc134cc99c1d26ab04d9f9bab8ed.dl.dropboxusercontent.com udp
NL 162.125.65.15:443 uc134cc99c1d26ab04d9f9bab8ed.dl.dropboxusercontent.com tcp
US 8.8.8.8:53 136.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 15.65.125.162.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 241.42.69.40.in-addr.arpa udp
US 8.8.8.8:53 storage.bunnycdn.com udp
DE 109.61.89.54:443 storage.bunnycdn.com tcp
US 8.8.8.8:53 54.89.61.109.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
N/A 127.0.0.1:51383 tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
N/A 127.0.0.1:51397 tcp
N/A 127.0.0.1:51404 tcp
N/A 127.0.0.1:51406 tcp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 150.171.28.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 10.28.171.150.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
FR 45.112.123.126:443 api.gofile.io tcp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 131.72.42.20.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp

Files

memory/3504-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\ripplespoofer.exe 

MD5 76ed914a265f60ff93751afe02cf35a4
SHA1 4f8ea583e5999faaec38be4c66ff4849fcf715c6
SHA256 51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
SHA512 83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac

memory/700-9-0x0000000000150000-0x0000000001DD0000-memory.dmp

memory/700-10-0x00007FF94BE8B000-0x00007FF94BE8C000-memory.dmp

memory/700-12-0x00007FF94BE70000-0x00007FF94BF2E000-memory.dmp

memory/700-11-0x00007FF94BE70000-0x00007FF94BF2E000-memory.dmp

memory/700-14-0x0000000000150000-0x0000000001DD0000-memory.dmp

memory/700-15-0x0000000000150000-0x0000000001DD0000-memory.dmp

memory/700-17-0x000002302D150000-0x000002302D151000-memory.dmp

memory/700-19-0x0000000000150000-0x0000000001DD0000-memory.dmp

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 4528c38daa6a6d02713539fe7af6006b
SHA1 af33038764a138b0352a94319a31e6c03b69ffdd
SHA256 82b00ca9a3a4be9dff240dd1805f794cb706ca5df1721d492906314752290262
SHA512 ce2198bfcff3dc199cbad45ecbae87f78acaa002276ebb94c824cf25d6b89159ac14adadb69f87389ff1dfb50d1ab87f4054a5e9e8dbbb5a93e7bd4936bcce82

C:\Windows\Resources\Themes\explorer.exe

MD5 9f84ca2e4cefa2324de6a359eb23d1c8
SHA1 1eb66edbad4a62fb5b4ea533536607d4aa074279
SHA256 78ffd61eee40762254e5be9f14175ff6728841e8c9a24c9a21f4e28a34ace53a
SHA512 55a60f45c2dfbb2e3f8253d89ba003d6a4d4507106c3da3a6c3a194f54fdf68e90be36e47f0d403da6002f2d30a80b1c61efa239ad55c59a8447a15029ffacbc

memory/2632-30-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 e2e09b72fac15881fc22f63d11d35591
SHA1 ef33571ce562b49a85899706ba82c861002ab8f8
SHA256 36b5c633f24389a341cfe22d3c5ef87a4e8e49c9177c66d5f0939377f047153e
SHA512 c38c3246f8c723607b34343345c6d532cbf69de6a7c7062c05a2937a73db523c803b72f0dab1a4ba4d877d3e8d459059544052b79f6f27cf72fa9fa2778e949f

C:\Windows\Resources\svchost.exe

MD5 68660bfac69f36a1c52f8a191389fb97
SHA1 510577318d989a4c913938f9f26ce5e1c2b48e8d
SHA256 3cdee810136f65c13e9e2b5a6d5305e2ac960afddf637050aa297e858fcf1710
SHA512 4c5228168f80fdc0186f06c560c2158d2208ab0522bab8ddadcfaf555484d7c305e3c1aa860e48aef40aa314421f5b805de7aad74a7fd7df5de121aaab4b9d3b

memory/700-47-0x00007FF94BE70000-0x00007FF94BF2E000-memory.dmp

memory/2832-55-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2280-56-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2236-57-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3504-58-0x0000000000400000-0x000000000041F000-memory.dmp

memory/700-59-0x0000023046880000-0x0000023046932000-memory.dmp

memory/700-61-0x00007FF94BE70000-0x00007FF94BF2E000-memory.dmp

memory/700-66-0x0000023045BF0000-0x0000023045C12000-memory.dmp

memory/700-67-0x0000023048950000-0x0000023048B64000-memory.dmp

memory/700-70-0x00000230494C0000-0x00000230494F4000-memory.dmp

memory/700-73-0x0000023049500000-0x0000023049514000-memory.dmp

memory/700-72-0x00000230494F0000-0x00000230494F8000-memory.dmp

memory/700-71-0x0000023049510000-0x000002304952A000-memory.dmp

memory/700-75-0x0000023049530000-0x0000023049562000-memory.dmp

memory/2632-88-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4596-96-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

MD5 d08d717e2e79f16ae07a0f1e188df907
SHA1 b25f509e2e40a7b2f51d5772daeb0308c20831c2
SHA256 60520faf79ce1ed233d167dfa2c0f5d4d78dbc792309e218ff3a3ff362a84cdc
SHA512 ff311037a90f031e33364dae40a8555150e71ef39f367f7055740dfe9244604b66b96fec149971a435e9ab6724aa89eef4e68f9f78cb0392550732f9244e2937

memory/3368-94-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3528-187-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30882\python311.dll

MD5 db09c9bbec6134db1766d369c339a0a1
SHA1 c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256 b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

C:\Users\Admin\AppData\Local\Temp\_MEI30882\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/3344-201-0x00007FF936B40000-0x00007FF937128000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-process-l1-1-0.dll

MD5 272c0f80fd132e434cdcdd4e184bb1d8
SHA1 5bc8b7260e690b4d4039fe27b48b2cecec39652f
SHA256 bd943767f3e0568e19fb52522217c22b6627b66a3b71cd38dd6653b50662f39d
SHA512 94892a934a92ef1630fbfea956d1fe3a3bfe687dec31092828960968cb321c4ab3af3caf191d4e28c8ca6b8927fbc1ec5d17d5c8a962c848f4373602ec982cd4

memory/3344-244-0x00007FF9487B0000-0x00007FF9487BF000-memory.dmp

memory/3344-250-0x00007FF935DD0000-0x00007FF935F43000-memory.dmp

memory/3344-255-0x0000014643750000-0x0000014643AC5000-memory.dmp

memory/3344-254-0x00007FF934F10000-0x00007FF935285000-memory.dmp

memory/3344-263-0x00007FF93EC20000-0x00007FF93EC42000-memory.dmp

memory/3344-262-0x00007FF93EF00000-0x00007FF93EF17000-memory.dmp

memory/3344-272-0x00007FF93E940000-0x00007FF93E95E000-memory.dmp

memory/3344-276-0x0000014643750000-0x0000014643AC5000-memory.dmp

memory/3344-277-0x00007FF926210000-0x00007FF9269B1000-memory.dmp

memory/3344-278-0x00007FF936A30000-0x00007FF936A66000-memory.dmp

memory/3344-275-0x00007FF934F10000-0x00007FF935285000-memory.dmp

memory/3344-274-0x00007FF93ED20000-0x00007FF93EDD8000-memory.dmp

memory/3344-273-0x00007FF93F480000-0x00007FF93F4AE000-memory.dmp

memory/3344-271-0x00007FF942980000-0x00007FF9429A3000-memory.dmp

memory/3344-270-0x00007FF944500000-0x00007FF94450A000-memory.dmp

memory/3344-282-0x00007FF93F610000-0x00007FF93F625000-memory.dmp

memory/3344-269-0x00007FF93E960000-0x00007FF93E971000-memory.dmp

memory/3344-268-0x00007FF93E980000-0x00007FF93E9CD000-memory.dmp

memory/3344-267-0x00007FF93EBB0000-0x00007FF93EBC9000-memory.dmp

memory/3344-266-0x00007FF93EEE0000-0x00007FF93EEF7000-memory.dmp

memory/3344-265-0x00007FF935DD0000-0x00007FF935F43000-memory.dmp

memory/3344-264-0x00007FF9429B0000-0x00007FF9429DD000-memory.dmp

memory/3344-261-0x00007FF942B60000-0x00007FF942B79000-memory.dmp

memory/3344-260-0x00007FF93EF40000-0x00007FF93EF54000-memory.dmp

memory/3344-259-0x00007FF935960000-0x00007FF935A7C000-memory.dmp

memory/3344-258-0x00007FF93EF20000-0x00007FF93EF34000-memory.dmp

memory/3344-257-0x00007FF93F460000-0x00007FF93F472000-memory.dmp

memory/3344-256-0x00007FF93F610000-0x00007FF93F625000-memory.dmp

memory/3344-253-0x00007FF93ED20000-0x00007FF93EDD8000-memory.dmp

memory/3344-292-0x00007FF935960000-0x00007FF935A7C000-memory.dmp

memory/3344-291-0x00007FF93F460000-0x00007FF93F472000-memory.dmp

memory/3344-252-0x00007FF93F480000-0x00007FF93F4AE000-memory.dmp

memory/3344-251-0x00007FF936B40000-0x00007FF937128000-memory.dmp

memory/3344-249-0x00007FF942980000-0x00007FF9429A3000-memory.dmp

memory/3344-248-0x00007FF9429B0000-0x00007FF9429DD000-memory.dmp

memory/3344-247-0x00007FF942B40000-0x00007FF942B59000-memory.dmp

memory/3344-246-0x00007FF9487A0000-0x00007FF9487AD000-memory.dmp

memory/3344-245-0x00007FF942B60000-0x00007FF942B79000-memory.dmp

memory/3344-243-0x00007FF944510000-0x00007FF944534000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-math-l1-1-0.dll

MD5 b8f0210c47847fc6ec9fbe2a1ad4debb
SHA1 e99d833ae730be1fedc826bf1569c26f30da0d17
SHA256 1c4a70a73096b64b536be8132ed402bcfb182c01b8a451bff452efe36ddf76e7
SHA512 992d790e18ac7ae33958f53d458d15bff522a3c11a6bd7ee2f784ac16399de8b9f0a7ee896d9f2c96d1e2c8829b2f35ff11fc5d8d1b14c77e22d859a1387797c

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-locale-l1-1-0.dll

MD5 650435e39d38160abc3973514d6c6640
SHA1 9a5591c29e4d91eaa0f12ad603af05bb49708a2d
SHA256 551a34c400522957063a2d71fa5aba1cd78cc4f61f0ace1cd42cc72118c500c0
SHA512 7b4a8f86d583562956593d27b7ecb695cb24ab7192a94361f994fadba7a488375217755e7ed5071de1d0960f60f255aa305e9dd477c38b7bb70ac545082c9d5e

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-heap-l1-1-0.dll

MD5 d5d77669bd8d382ec474be0608afd03f
SHA1 1558f5a0f5facc79d3957ff1e72a608766e11a64
SHA256 8dd9218998b4c4c9e8d8b0f8b9611d49419b3c80daa2f437cbf15bcfd4c0b3b8
SHA512 8defa71772105fd9128a669f6ff19b6fe47745a0305beb9a8cadb672ed087077f7538cd56e39329f7daa37797a96469eae7cd5e4cca57c9a183b35bdc44182f3

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 5107487b726bdcc7b9f7e4c2ff7f907c
SHA1 ebc46221d3c81a409fab9815c4215ad5da62449c
SHA256 94a86e28e829276974e01f8a15787fde6ed699c8b9dc26f16a51765c86c3eade
SHA512 a0009b80ad6a928580f2b476c1bdf4352b0611bb3a180418f2a42cfa7a03b9f0575ed75ec855d30b26e0cca96a6da8affb54862b6b9aff33710d2f3129283faa

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-environment-l1-1-0.dll

MD5 f9235935dd3ba2aa66d3aa3412accfbf
SHA1 281e548b526411bcb3813eb98462f48ffaf4b3eb
SHA256 2f6bd6c235e044755d5707bd560a6afc0ba712437530f76d11079d67c0cf3200
SHA512 ad0c0a7891fb8328f6f0cf1ddc97523a317d727c15d15498afa53c07610210d2610db4bc9bd25958d47adc1af829ad4d7cf8aabcab3625c783177ccdb7714246

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-convert-l1-1-0.dll

MD5 edf71c5c232f5f6ef3849450f2100b54
SHA1 ed46da7d59811b566dd438fa1d09c20f5dc493ce
SHA256 b987ab40cdd950ebe7a9a9176b80b8fffc005ccd370bb1cbbcad078c1a506bdc
SHA512 481a3c8dc5bef793ee78ce85ec0f193e3e9f6cd57868b813965b312bd0fadeb5f4419707cd3004fbdb407652101d52e061ef84317e8bd458979443e9f8e4079a

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-crt-conio-l1-1-0.dll

MD5 d4fba5a92d68916ec17104e09d1d9d12
SHA1 247dbc625b72ffb0bf546b17fb4de10cad38d495
SHA256 93619259328a264287aee7c5b88f7f0ee32425d7323ce5dc5a2ef4fe3bed90d5
SHA512 d5a535f881c09f37e0adf3b58d41e123f527d081a1ebecd9a927664582ae268341771728dc967c30908e502b49f6f853eeaebb56580b947a629edc6bce2340d8

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-util-l1-1-0.dll

MD5 0f129611a4f1e7752f3671c9aa6ea736
SHA1 40c07a94045b17dae8a02c1d2b49301fad231152
SHA256 2e1f090aba941b9d2d503e4cd735c958df7bb68f1e9bdc3f47692e1571aaac2f
SHA512 6abc0f4878bb302713755a188f662c6fe162ea6267e5e1c497c9ba9fddbdaea4db050e322cb1c77d6638ecf1dad940b9ebc92c43acaa594040ee58d313cbcfae

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-timezone-l1-1-0.dll

MD5 d12403ee11359259ba2b0706e5e5111c
SHA1 03cc7827a30fd1dee38665c0cc993b4b533ac138
SHA256 f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781
SHA512 9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 fd46c3f6361e79b8616f56b22d935a53
SHA1 107f488ad966633579d8ec5eb1919541f07532ce
SHA256 0dc92e8830bc84337dcae19ef03a84ef5279cf7d4fdc2442c1bc25320369f9df
SHA512 3360b2e2a25d545ccd969f305c4668c6cda443bbdbd8a8356ffe9fbc2f70d90cf4540f2f28c9ed3eea6c9074f94e69746e7705e6254827e6a4f158a75d81065b

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-synch-l1-2-0.dll

MD5 1281e9d1750431d2fe3b480a8175d45c
SHA1 bc982d1c750b88dcb4410739e057a86ff02d07ef
SHA256 433bd8ddc4f79aee65ca94a54286d75e7d92b019853a883e51c2b938d2469baa
SHA512 a954e6ce76f1375a8beac51d751b575bbc0b0b8ba6aa793402b26404e45718165199c2c00ccbcba3783c16bdd96f0b2c17addcc619c39c8031becebef428ce77

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-synch-l1-1-0.dll

MD5 225d9f80f669ce452ca35e47af94893f
SHA1 37bd0ffc8e820247bd4db1c36c3b9f9f686bbd50
SHA256 61c0ebe60ce6ebabcb927ddff837a9bf17e14cd4b4c762ab709e630576ec7232
SHA512 2f71a3471a9868f4d026c01e4258aff7192872590f5e5c66aabd3c088644d28629ba8835f3a4a23825631004b1afd440efe7161bb9fc7d7c69e0ee204813ca7b

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-string-l1-1-0.dll

MD5 2666581584ba60d48716420a6080abda
SHA1 c103f0ea32ebbc50f4c494bce7595f2b721cb5ad
SHA256 27e9d3e7c8756e4512932d674a738bf4c2969f834d65b2b79c342a22f662f328
SHA512 befed15f11a0550d2859094cc15526b791dadea12c2e7ceb35916983fb7a100d89d638fb1704975464302fae1e1a37f36e01e4bef5bc4924ab8f3fd41e60bd0c

memory/4172-294-0x0000019AC21D0000-0x0000019AC22D0000-memory.dmp

memory/4172-299-0x0000019AC3400000-0x0000019AC3420000-memory.dmp

memory/4172-330-0x0000019AC3800000-0x0000019AC3820000-memory.dmp

memory/4172-329-0x0000019AC31B0000-0x0000019AC31D0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 a0c2dbe0f5e18d1add0d1ba22580893b
SHA1 29624df37151905467a223486500ed75617a1dfd
SHA256 3c29730df2b28985a30d9c82092a1faa0ceb7ffc1bd857d1ef6324cf5524802f
SHA512 3e627f111196009380d1687e024e6ffb1c0dcf4dcb27f8940f17fec7efdd8152ff365b43cb7fdb31de300955d6c15e40a2c8fb6650a91706d7ea1c5d89319b12

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-profile-l1-1-0.dll

MD5 f3ff2d544f5cd9e66bfb8d170b661673
SHA1 9e18107cfcd89f1bbb7fdaf65234c1dc8e614add
SHA256 e1c5d8984a674925fa4afbfe58228be5323fe5123abcd17ec4160295875a625f
SHA512 184b09c77d079127580ef80eb34bded0f5e874cefbe1c5f851d86861e38967b995d859e8491fcc87508930dc06c6bbf02b649b3b489a1b138c51a7d4b4e7aaad

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-processthreads-l1-1-1.dll

MD5 517eb9e2cb671ae49f99173d7f7ce43f
SHA1 4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab
SHA256 57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54
SHA512 492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-processthreads-l1-1-0.dll

MD5 c3632083b312c184cbdd96551fed5519
SHA1 a93e8e0af42a144009727d2decb337f963a9312e
SHA256 be8d78978d81555554786e08ce474f6af1de96fcb7fa2f1ce4052bc80c6b2125
SHA512 8807c2444a044a3c02ef98cf56013285f07c4a1f7014200a21e20fcb995178ba835c30ac3889311e66bc61641d6226b1ff96331b019c83b6fcc7c87870cce8c4

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 0462e22f779295446cd0b63e61142ca5
SHA1 616a325cd5b0971821571b880907ce1b181126ae
SHA256 0b6b598ec28a9e3d646f2bb37e1a57a3dda069a55fba86333727719585b1886e
SHA512 07b34dca6b3078f7d1e8ede5c639f697c71210dcf9f05212fd16eb181ab4ac62286bc4a7ce0d84832c17f5916d0224d1e8aab210ceeff811fc6724c8845a74fe

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 321a3ca50e80795018d55a19bf799197
SHA1 df2d3c95fb4cbb298d255d342f204121d9d7ef7f
SHA256 5476db3a4fecf532f96d48f9802c966fdef98ec8d89978a79540cb4db352c15f
SHA512 3ec20e1ac39a98cb5f726d8390c2ee3cd4cd0bf118fdda7271f7604a4946d78778713b675d19dd3e1ec1d6d4d097abe9cd6d0f76b3a7dff53ce8d6dbc146870a

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-memory-l1-1-0.dll

MD5 3c38aac78b7ce7f94f4916372800e242
SHA1 c793186bcf8fdb55a1b74568102b4e073f6971d6
SHA256 3f81a149ba3862776af307d5c7feef978f258196f0a1bf909da2d3f440ff954d
SHA512 c2746aa4342c6afffbd174819440e1bbf4371a7fed29738801c75b49e2f4f94fd6d013e002bad2aadafbc477171b8332c8c5579d624684ef1afbfde9384b8588

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-localization-l1-2-0.dll

MD5 724223109e49cb01d61d63a8be926b8f
SHA1 072a4d01e01dbbab7281d9bd3add76f9a3c8b23b
SHA256 4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210
SHA512 19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 1f2a00e72bc8fa2bd887bdb651ed6de5
SHA1 04d92e41ce002251cc09c297cf2b38c4263709ea
SHA256 9c8a08a7d40b6f697a21054770f1afa9ffb197f90ef1eee77c67751df28b7142
SHA512 8cf72df019f9fc9cd22ff77c37a563652becee0708ff5c6f1da87317f41037909e64dcbdcc43e890c5777e6bcfa4035a27afc1aeeb0f5deba878e3e9aef7b02a

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-interlocked-l1-1-0.dll

MD5 c6024cc04201312f7688a021d25b056d
SHA1 48a1d01ae8bc90f889fb5f09c0d2a0602ee4b0fd
SHA256 8751d30df554af08ef42d2faa0a71abcf8c7d17ce9e9ff2ea68a4662603ec500
SHA512 d86c773416b332945acbb95cbe90e16730ef8e16b7f3ccd459d7131485760c2f07e95951aeb47c1cf29de76affeb1c21bdf6d8260845e32205fe8411ed5efa47

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-heap-l1-1-0.dll

MD5 accc640d1b06fb8552fe02f823126ff5
SHA1 82ccc763d62660bfa8b8a09e566120d469f6ab67
SHA256 332ba469ae84aa72ec8cce2b33781db1ab81a42ece5863f7a3cb5a990059594f
SHA512 6382302fb7158fc9f2be790811e5c459c5c441f8caee63df1e09b203b8077a27e023c4c01957b252ac8ac288f8310bcee5b4dcc1f7fc691458b90cdfaa36dcbe

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-handle-l1-1-0.dll

MD5 e89cdcd4d95cda04e4abba8193a5b492
SHA1 5c0aee81f32d7f9ec9f0650239ee58880c9b0337
SHA256 1a489e0606484bd71a0d9cb37a1dc6ca8437777b3d67bfc8c0075d0cc59e6238
SHA512 55d01e68c8c899e99a3c62c2c36d6bcb1a66ff6ecd2636d2d0157409a1f53a84ce5d6f0c703d5ed47f8e9e2d1c9d2d87cc52585ee624a23d92183062c999b97e

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-file-l2-1-0.dll

MD5 bfffa7117fd9b1622c66d949bac3f1d7
SHA1 402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2
SHA256 1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e
SHA512 b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-file-l1-2-0.dll

MD5 1c58526d681efe507deb8f1935c75487
SHA1 0e6d328faf3563f2aae029bc5f2272fb7a742672
SHA256 ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2
SHA512 8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-file-l1-1-0.dll

MD5 efad0ee0136532e8e8402770a64c71f9
SHA1 cda3774fe9781400792d8605869f4e6b08153e55
SHA256 3d2c55902385381869db850b526261ddeb4628b83e690a32b67d2e0936b2c6ed
SHA512 69d25edf0f4c8ac5d77cb5815dfb53eac7f403dc8d11bfe336a545c19a19ffde1031fa59019507d119e4570da0d79b95351eac697f46024b4e558a0ff6349852

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 eb0978a9213e7f6fdd63b2967f02d999
SHA1 9833f4134f7ac4766991c918aece900acfbf969f
SHA256 ab25a1fe836fc68bcb199f1fe565c27d26af0c390a38da158e0d8815efe1103e
SHA512 6f268148f959693ee213db7d3db136b8e3ad1f80267d8cbd7d5429c021adaccc9c14424c09d527e181b9c9b5ea41765aff568b9630e4eb83bfc532e56dfe5b63

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-debug-l1-1-0.dll

MD5 33bbece432f8da57f17bf2e396ebaa58
SHA1 890df2dddfdf3eeccc698312d32407f3e2ec7eb1
SHA256 7cf0944901f7f7e0d0b9ad62753fc2fe380461b1cce8cdc7e9c9867c980e3b0e
SHA512 619b684e83546d97fc1d1bc7181ad09c083e880629726ee3af138a9e4791a6dcf675a8df65dc20edbe6465b5f4eac92a64265df37e53a5f34f6be93a5c2a7ae5

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-datetime-l1-1-0.dll

MD5 cfe0c1dfde224ea5fed9bd5ff778a6e0
SHA1 5150e7edd1293e29d2e4d6bb68067374b8a07ce6
SHA256 0d0f80cbf476af5b1c9fd3775e086ed0dfdb510cd0cc208ec1ccb04572396e3e
SHA512 b0e02e1f19cfa7de3693d4d63e404bdb9d15527ac85a6d492db1128bb695bffd11bec33d32f317a7615cb9a820cd14f9f8b182469d65af2430ffcdbad4bd7000

C:\Users\Admin\AppData\Local\Temp\_MEI30882\api-ms-win-core-console-l1-1-0.dll

MD5 e8b9d74bfd1f6d1cc1d99b24f44da796
SHA1 a312cfc6a7ed7bf1b786e5b3fd842a7eeb683452
SHA256 b1b3fd40ab437a43c8db4994ccffc7f88000cc8bb6e34a2bcbff8e2464930c59
SHA512 b74d9b12b69db81a96fc5a001fd88c1e62ee8299ba435e242c5cb2ce446740ed3d8a623e1924c2bc07bfd9aef7b2577c9ec8264e53e5be625f4379119bafcc27

C:\Users\Admin\AppData\Local\Temp\_MEI30882\libffi-8.dll

MD5 decbba3add4c2246928ab385fb16a21e
SHA1 5f019eff11de3122ffa67a06d52d446a3448b75e
SHA256 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

C:\Users\Admin\AppData\Local\Temp\_MEI30882\_ctypes.pyd

MD5 b4c41a4a46e1d08206c109ce547480c7
SHA1 9588387007a49ec2304160f27376aedca5bc854d
SHA256 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

C:\Users\Admin\AppData\Local\Temp\_MEI30882\python3.dll

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\_MEI30882\base_library.zip

MD5 83d235e1f5b0ee5b0282b5ab7244f6c4
SHA1 629a1ce71314d7abbce96674a1ddf9f38c4a5e9c
SHA256 db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0
SHA512 77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

memory/3368-197-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI30882\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

memory/3344-471-0x00007FF9487C0000-0x00007FF9487CD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cd3veq1p.jl0.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3344-514-0x00007FF9487C0000-0x00007FF9487CD000-memory.dmp

memory/3344-515-0x00007FF926210000-0x00007FF9269B1000-memory.dmp

memory/3344-513-0x00007FF936A30000-0x00007FF936A66000-memory.dmp

memory/3344-508-0x00007FF93E980000-0x00007FF93E9CD000-memory.dmp

memory/3344-507-0x00007FF93EBB0000-0x00007FF93EBC9000-memory.dmp

memory/3344-506-0x00007FF93EEE0000-0x00007FF93EEF7000-memory.dmp

memory/3344-505-0x00007FF93EC20000-0x00007FF93EC42000-memory.dmp

memory/3344-504-0x00007FF93EF00000-0x00007FF93EF17000-memory.dmp

memory/3344-499-0x00007FF93F610000-0x00007FF93F625000-memory.dmp

memory/3344-487-0x00007FF936B40000-0x00007FF937128000-memory.dmp

memory/3344-495-0x00007FF935DD0000-0x00007FF935F43000-memory.dmp

memory/3344-488-0x00007FF944510000-0x00007FF944534000-memory.dmp

memory/4972-516-0x0000000004C10000-0x0000000004C11000-memory.dmp

memory/4408-523-0x000002587F1D0000-0x000002587F1F0000-memory.dmp

memory/4408-518-0x000002587E100000-0x000002587E200000-memory.dmp

memory/4408-552-0x000002587F5A0000-0x000002587F5C0000-memory.dmp

memory/4408-537-0x000002587F190000-0x000002587F1B0000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\LLDJA3WI\microsoft.windows[1].xml

MD5 372706547a804b876522fe741dbfc040
SHA1 9bca733d6804f24c6841ef02b52e8ade1b45d7e4
SHA256 09fe1eb66c953d75dc66ff6df9237cde5f419fb25fab6327de9cde6676219651
SHA512 cc8057de048bf5646e41bed6f01111328bceae9abb4282a4ee1be635d086b6b3647cb5cc17cc3564980e5e31342a767dc639e536edbd3720df6b35ac7ebce34a

memory/1876-660-0x0000000004680000-0x0000000004681000-memory.dmp

memory/3344-679-0x00007FF93F610000-0x00007FF93F625000-memory.dmp

memory/3344-667-0x00007FF936B40000-0x00007FF937128000-memory.dmp

memory/4168-1930-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\DebugUndo.xls

MD5 1823ce7b09540b78965be2d95e5daa3f
SHA1 9dd4a69e5e33d42173c28d9c54cb2bdb4fcc057a
SHA256 dcd514e4f0f9b2f3180af6b64e23773d1bd10ace2f44b48a47955a3c776ebf8c
SHA512 9ac859a069d8c566013ce9b1fe21b85211c8ff50e5916fbafcaaddfe71a8b32d26145cb985e2e43a97ce079ffa8791c75f6a87fd9c50785468f859fa2c32a042

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\FormatUnprotect.zip

MD5 77ec4d8d499279d84a5b1cf39bcc2119
SHA1 f2c70df1e7197503f44811310d6d1f73d6e81cc3
SHA256 0961532a713bb9d925c1290ebc01be3b8ebbd05c4bcd4611fb53a4cc0c127398
SHA512 0caf1d12058cbfa281cf069816140516777c356d58f12ebd79b05d658bd661d9731b8b2588fed74c88f8a7fd262e0bb959b9be618627c364f64e2ed9d60707ae

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\PopShow.xlsx

MD5 1b12eb93551e76e5a7b5462fd4ab864c
SHA1 72b48483621c28235827bd2db33470b5d2e84eb4
SHA256 dc41ac82532281ee64cb203124625b8bec2cf91656cec977d1b06ca4b1c19232
SHA512 886e8649584f2774e6019f04015f183d97abaf49e663f59eb34df761fe19d1c136301b8f7153e1c007c1c0aa9a150451207562e71ee5044ae22e48a334bfeb49

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UnblockApprove.mp3

MD5 acdaf8d55406dfc7e266a2a250796782
SHA1 9d1c59b8a11b4af2d9c01f609405872e16a43259
SHA256 476e566e5cb82a232a6a75942c45b880f96225441a5b959d697210bf76557f76
SHA512 8544ed619b28e37508641bca5fcf2d67bc8d4e42b4c1b816aab8731490f6d7be438bdb94bd2284871162d6ec4062405f99e1a3214cad505dfad10c0cd3c416f8

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\UndoUninstall.jpeg

MD5 543a9782954dc86ebf397c869e8526dd
SHA1 9263f43e3510e6afecee3b4c0be74c64d0a224ff
SHA256 8880db2f28033943307705f9c7419eacceb2ca79633f37b2827a3ea521f77db2
SHA512 9c55a1072661519a3245aa9735efcc18fb8b1d2c0062af215a4b504eab00f6ec8794ea21c5c502b2f85c736911e63ab31202c20aca8f023b488756cff7fd77f9

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ExitAssert.pdf

MD5 f8e5bb627d6897056798b0dbc808ef9b
SHA1 d134d122a76187b81277f6aefd3035c56bdd21b0
SHA256 117f84f63aceb2fb5ad99d4fe06676d8f01885314d6cc7b5e68c20bc1de98353
SHA512 64d08325effc27d0fcdd85e237265b04fa28c262e40c8cb2c9625a1022941d4fa357dba85f6b3d38f168dd7e39c1602c1ee8149d3eea9e4bf343a86400d28c48

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\ConvertFromRestart.docx

MD5 abf315e9fa7f98cc79f68584d6899e5d
SHA1 60ee8dbb5eeeb06e522c95de3fb4120877618960
SHA256 ae2bb12bd5f97bc4b5fb4e9fd2d1993ab5a391ed1b3514aa55fe1ea9ee0dbaa7
SHA512 fe7804f7f475e86f13bb8b4f2483e8d5a5559cf99f343629f17f0b2b5b11b763b5bc3f926a640a190b3dab59c0cdb2841698e373e7eeb9e779702bba3e74f24a

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SwitchConnect.xlsx

MD5 4566eddb399dfeab1b4f6872121fea22
SHA1 1bdcbce942a068dc330f8efedcc98369c1b4977a
SHA256 03b036c419f969c6f6547e355332f9b677812f98f6cd87fcd2a148734b5093b1
SHA512 f54a2fd38211e23cd791534525fd1adc599df8d6fb7c754ac32ca2a041f0e178f2551163bab50c106816bf2413f52c0109120ad2d28f4f0368d3951e545800d0

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\SkipTest.csv

MD5 1686ac43944450d6cb98cf03bc80f7e3
SHA1 3d1d9e942f028f97a1e9b74fab9953d184913d1f
SHA256 f41c0954d15e7bd479aed8c0ab4917b527e7eb4151aefee1837a0708e83cd128
SHA512 9ad2ace1d56ad302b327c3a5fa5ece7c6a4b3282a7c77bd90539b3f33e2bb0e6a92aaf966c6d351f20fc454b11c6c31e11ffa6d2cad1d05f5b84b94c5b9dde8c

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Documents\PopRemove.xlsx

MD5 31c82b1a926ffe047025961a53e56dc9
SHA1 61cd395f913adc90168beb75a22ba1c3b5d70afd
SHA256 df9c33ae7543ba88378c123d3a3d7259a91bd16f112c8a16abb479587976b8af
SHA512 4a50bdddf4ad380db2ab5f55276b8f365b10c23e5f24c66d2e1460402913483e0cd1a58636b2359e7beb9f0f858475146e8244f862776b7826b257a261311d12

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\CompareWrite.doc

MD5 0513c9b80f4380e117a2417ff9bec7cb
SHA1 fdcf1d0d5014894c86a8ad83f510cb5f471b2eba
SHA256 20230876f7485a4cfae1a732565d8e437a535f8d4baf8502a3547f98c3fceb77
SHA512 77c4b6915d2e20393a26bec8b61e50dce8e3ce47300807257c5e329cd6c03577e0c1c0c75363574f60a58f92abb1788af8381578ba6360083c7903337266f4ac

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\ConvertRevoke.docx

MD5 50b33c7e019cb52a911737cebeb4bf3b
SHA1 cb90e815e8929c8f7caeaffa468df96b92fdadd9
SHA256 d30e415e0f675aa874ebdcdc3453ef93096a2814bc1d33632994255f87bde06c
SHA512 6921fb3cc90a095e1cbb45c0798c01ce338174e362f9b0b167e4cc78fac9845fbb54ef5b25891dd12b54df9926eefa442da6deae3f36ce85643cc8d664732faa

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\FindRequest.png

MD5 81c0a7caf61a1ec1b76ba9560e67c1fe
SHA1 bd9b662bc7279668959a985ececc97d2dc965823
SHA256 e5e23177648e6872a2105ec9ec8a724aff001ae6fdfa6d561627a99e743d6516
SHA512 af6593e0ee3183461c000dda757bf3a2d473a3dbf8cf101cf60411af48c872a7f79001840e2f215f61a51bd047b3461b925c368432628702997c1411a55c5f88

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\BackupUninstall.svg

MD5 19db2601c89e10ca13cfe5af0ffe33dc
SHA1 298f3b9f2248cbc4797882e0f6d7ab15c0717d7b
SHA256 7e9b5fc040c1c7cbfbe10eecafde96f542c36b2d07ec6cde04c1cd5568ad9c44
SHA512 90ab78efa6384ace2601ec77d29f5694a9b76d5f2a21de7e9e9198ea1e5f85f4259ede808fe18b51c7cd9290b0a19a4da28db7316242fa65bb70f6d5462f4b86

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\LimitStep.png

MD5 33e70c0c99ebec5b25b0d1c831549255
SHA1 1d06ba25885519f67b80d3a08a67b6d8bddc4087
SHA256 dfa0fab82e7c2672329d869d0647f3a5f2b09e31b9a2d955bc5a401a60090a65
SHA512 28e552b1b1be7ef623baae9fe7a556c080854dd7d7604c6cadfc8758939d5a7a6f27f7e1dce115a0da99bee2a05f63417cf5411c2a54d65be6e3744fce6b7495

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\RemoveGet.png

MD5 6bf3ad07b983e9076766e334833186d3
SHA1 dd07394a12f5b2c446bb7d4d9e58045b7fd71564
SHA256 6f905b9f15823147766b0ba88d1a3cd3a96c39b72f87470e7e2a0e1e4d112f31
SHA512 d74a9cd3907bf84af3244a381ad0de3a2e70ca1d480c3d67a424a23b09daa6f9af01537a0398729fe1170a5e4dc157c86134ad6a302269616ae2f065ae02a281

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\UpdateExpand.jpeg

MD5 54916236a6c98421951bd176580e7bd1
SHA1 ef8e52c841aafc6126f685032f376a51608c8800
SHA256 afe711f78091038160e7349eaf45304743dbc9690e19d451b8332ac21a3c307f
SHA512 1f7944a01db4daa67184e100918dc7d683347bd523ec0f227ad3c5db23146c58e48b5d8f816bc4e847c37cd2c1b5bd52f596b21acad20cda1487b3950f69e3e7

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SyncReceive.jpeg

MD5 b43517034a11b38910fd166d7c2024e8
SHA1 33ee4ee169b399c85cca6ed7c261fcde5eb12096
SHA256 f50c50ebb1c9a8b1f9ce951298b9ee8fbda306dd11216de22301cd8773e9aa0e
SHA512 9aa3b360e94eaea31d109964ed3987420f3b5632b6d4c9f6df74bca99211f6c823d84cefd36a667ed6bd246788d946131d5145dbc02d4a6e7317c43639d58bc3

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\SearchRequest.png

MD5 09e5411ced046c663e9181c5cd0d68d1
SHA1 88be7161ca58b84dd31558f9d3e4bb68e5e9aeab
SHA256 7c15094ebb0d4bf5b7a19f76debc4fe6cc9ba379fc03b3682c59abbc63ce4b97
SHA512 83c39e499721d9c6a0b806df4eb4d11dd3f0cb97e52628e803beea49a4b3286e6016a9a4e985505ec35450f9df5a126402b7452505914f327dbbc17b2d07a142

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\My Wallpaper.jpg

MD5 a51464e41d75b2aa2b00ca31ea2ce7eb
SHA1 5b94362ac6a23c5aba706e8bfd11a5d8bab6097d
SHA256 16d5506b6663085b1acd80644ffa5363c158e390da67ed31298b85ddf0ad353f
SHA512 b2a09d52c211e7100e3e68d88c13394c64f23bf2ec3ca25b109ffb1e1a96a054f0e0d25d2f2a0c2145616eabc88c51d63023cef5faa7b49129d020f67ab0b1ff

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\LockReceive.jpeg

MD5 3d119fb402864ab3272d836732d9db5a
SHA1 aa3230613dbf070955714eddf861872958667760
SHA256 0db141e6d8d583f12f590b7f214e4c679a7891500e4d35f6171267089d215535
SHA512 1ca33db4e4f2b89330169e285f240fe9456634dc02729462bb3b5beb6cdbeb848ef85abf888d8a2cf001a05d3e78851047e8d7f7b3342fde331595800d495b04

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Pictures\GetSearch.jpeg

MD5 53c578efc46e969aa1f68f9230bdf45e
SHA1 7632c54e0619eb2ab960af74143dba4fdcbac55f
SHA256 388caecbc32536636e1f37f4ae8f092250307a66b51e62ff2b3d4fd2ff7e7dc1
SHA512 1fab016e477efb41d47dbef07be129edbc69ca49c145d68df7fa5372f4758d97c944678d3d0bf0a0d5cdbc4fce5ee2c7fe019e57283487208952c5a66075afee

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Music\ReadUninstall.doc

MD5 1b19a6b6873f4d4d148f6d469af0a28f
SHA1 f82c9a198cdc0ef8939786afe8648f581725617c
SHA256 1797265529ec134e8c3f9affff743de11b4d30201c17851d6bd9a1f63b34078c
SHA512 ccd4e38b7cac130e4505cbc1a9662608d0615866bd07546ca6a88aff31e799c5819fb24afa88477f147dc471bd87a557049d20de1319fcd31795d5bd01fc23a7

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Downloads\BackupEdit.css

MD5 edb9e3a29a4966f4cfdefa93c9c8b518
SHA1 89ff67706500d649251d2391c411ec1c73cc2891
SHA256 6fd2f99099a69d10e64e92ecca8a1af49973b4c2ad99c9ca4b3b02fc78c52ed7
SHA512 d458f69b655dc7d05b803ac6d6c2d9f22f4cf45fac1b9eb54602badd3a35e02d93141f3bbe5c91031b4c5446c8892abea7f0b30a6122c556ce7bc4ac559eef15

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\StartAdd.docx

MD5 24b108b252cf4dd71a7574b64ac6802f
SHA1 adfce4f8601c4317aff455d8e366d7fa3b52e23c
SHA256 cca9e8d66265506e01510b9173badf65c848d9056c0da0fb5f7cbaa2dba0450c
SHA512 b7e35cbf450c60ba3208c2ee29c479e667e9123a77bc2ece724561dc2fbb37d9cd72bf89b2909d2304cb08f318be422020fc270479a3d8b4a2e779bbe5ed0615

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\SetCopy.docx

MD5 8434cfac04cf2847f375c4311584c2b8
SHA1 78bd3f551e56bc217057038c636bae049b27f50f
SHA256 cd41d26d5242976decd58fd811ee406443a2cbf8a411799e95a215ddbeeea66d
SHA512 df15702180a1dd18094307b4361744eede77edcf20ee46cb13753e9f7a6720783188f35792d3df78389e24a244bffba5bad52d8a8a1ba20a2dbb05712aa7016b

C:\Users\Admin\AppData\Local\Temp\StealedFilesByExela\Desktop\RepairApprove.docx

MD5 85089bffd58868eca802c7bd2a206702
SHA1 a5d5adf076ae6d2d3ed5f35b870fac49a2102650
SHA256 5fd57471ca1d27a487491d8b1ba1c7fc9595b3376bc73240d4cb511887bf1045
SHA512 9fce6259eafc55cf77bfecf60ac100cd72cc29657cdb5bc80fe5286b57081bb8c28a48a4f95fb8bcd7b52be2776c8908d2222e0b61db7d4ac7c97f6fce3be6a0

memory/3344-8804-0x00007FF93F480000-0x00007FF93F4AE000-memory.dmp

memory/3344-8815-0x00007FF935960000-0x00007FF935A7C000-memory.dmp

memory/3344-8824-0x00007FF942980000-0x00007FF9429A3000-memory.dmp

memory/3344-8823-0x00007FF944500000-0x00007FF94450A000-memory.dmp

memory/3344-8822-0x00007FF93E960000-0x00007FF93E971000-memory.dmp

memory/3344-8821-0x00007FF93E980000-0x00007FF93E9CD000-memory.dmp

memory/3344-8820-0x00007FF93EBB0000-0x00007FF93EBC9000-memory.dmp

memory/3344-8819-0x00007FF93EEE0000-0x00007FF93EEF7000-memory.dmp

memory/3344-8817-0x00007FF93EF00000-0x00007FF93EF17000-memory.dmp

memory/3344-8816-0x00007FF935DD0000-0x00007FF935F43000-memory.dmp

memory/3344-8814-0x00007FF93EF20000-0x00007FF93EF34000-memory.dmp

memory/3344-8813-0x00007FF93F460000-0x00007FF93F472000-memory.dmp

memory/3344-8812-0x00007FF93F610000-0x00007FF93F625000-memory.dmp

memory/3344-8811-0x00007FF934F10000-0x00007FF935285000-memory.dmp

memory/3344-8810-0x00007FF93ED20000-0x00007FF93EDD8000-memory.dmp

memory/3344-8818-0x00007FF93EC20000-0x00007FF93EC42000-memory.dmp

memory/3344-8803-0x00007FF93EF40000-0x00007FF93EF54000-memory.dmp

memory/3344-8802-0x00007FF93E940000-0x00007FF93E95E000-memory.dmp

memory/3344-8801-0x00007FF936B40000-0x00007FF937128000-memory.dmp

memory/3344-8800-0x00007FF9429B0000-0x00007FF9429DD000-memory.dmp

memory/3344-8799-0x00007FF9487A0000-0x00007FF9487AD000-memory.dmp

memory/3344-8798-0x00007FF942B60000-0x00007FF942B79000-memory.dmp

memory/3344-8797-0x00007FF9487B0000-0x00007FF9487BF000-memory.dmp

memory/3344-8796-0x00007FF944510000-0x00007FF944534000-memory.dmp

memory/3344-8795-0x00007FF942B40000-0x00007FF942B59000-memory.dmp

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\https___docs_oracle_com_javase_8_docs

MD5 8aaad0f4eb7d3c65f81c6e6b496ba889
SHA1 231237a501b9433c292991e4ec200b25c1589050
SHA256 813c66ce7dec4cff9c55fb6f809eab909421e37f69ff30e4acaa502365a32bd1
SHA512 1a83ce732dc47853bf6e8f4249054f41b0dea8505cda73433b37dfa16114f27bfed3b4b3ba580aa9d53c3dcc8d48bf571a45f7c0468e6a0f2a227a7e59e17d62

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel

MD5 fb5f8866e1f4c9c1c7f4d377934ff4b2
SHA1 d0a329e387fb7bcba205364938417a67dbb4118a
SHA256 1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170
SHA512 0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133749961756517441.txt

MD5 31945f4296702de387614035875192f6
SHA1 e1e508605879554edb5301e08abbf863c69132f0
SHA256 aa6754ea6883cb20ae35ae309270ef99244fa80dbab33699ce48e17e4b0c7893
SHA512 69a5162ad7901b80f2f358f6adec958651ef8417c74ed0fede546876d5538d61164f589b6b91e9f5f5c9b690d40b837048f1b14021d31f101553d0a8cffb541d