Analysis Overview
SHA256
51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
Threat Level: Known bad
The file RippleSpoofer.exe was found to be: Known bad.
Malicious Activity Summary
Exelastealer family
Cerber family
Exela Stealer
Cerber
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Grants admin privileges
Downloads MZ/PE file
Modifies Windows Firewall
Executes dropped EXE
Reads user/profile data of web browsers
Checks BIOS information in registry
Themida packer
Checks computer location settings
Loads dropped DLL
Clipboard Data
Network Service Discovery
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Checks whether UAC is enabled
Suspicious use of NtSetInformationThreadHideFromDebugger
UPX packed file
Hide Artifacts: Hidden Files and Directories
Enumerates processes with tasklist
Drops file in Windows directory
Launches sc.exe
Event Triggered Execution: Netsh Helper DLL
Enumerates physical storage devices
System Network Connections Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Permission Groups Discovery: Local Groups
Detects Pyinstaller
Browser Information Discovery
Unsigned PE
System Location Discovery: System Language Discovery
Enumerates system info in registry
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Collects information from the system
Kills process with taskkill
Suspicious use of WriteProcessMemory
Modifies data under HKEY_USERS
Gathers system information
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Gathers network information
Modifies registry class
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-05 01:25
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-05 01:25
Reported
2024-12-05 01:27
Platform
win10ltsc2021-20241023-en
Max time kernel
102s
Max time network
104s
Command Line
Signatures
Cerber
| Description | Indicator | Process | Target |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
Cerber family
Exela Stealer
Exelastealer family
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-1263212995-3575756360-1418101905-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\CbsTemp | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "47" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1263212995-3575756360-1418101905-1000\{D7D127BB-307A-47A2-BE72-C2BB1B1DC332} | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x254 0x2fc
C:\Windows\SYSTEM32\taskkill.exe
"taskkill" /F /IM explorer.exe
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempAppFiles\spoof.bat""
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /ID 02/25/2015
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SV Z6AehjhcjFGPtP8
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SS agStatYafHR3ruy
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SF fxuFzhdIzdlCObn
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SU AUTO
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SK KtNeAOKtA5ZEMAl
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SF dz0JFQubfvc82ht
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BV M6lenSBh9ZZQeL9
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BS iF4LApxnBpB1IVY
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BT FSf2g8qL0KUX0Vj
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BLC J80stWjLzj3odvi
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CV ahhlTziDTlmeqHU
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CS pWx5G71sAJwDETw
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CM bsDbezyo4KhqmKK
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CA 7p1IiarnylZuIjr
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSK G7tvslXAmfSB63k
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PSN N2Nz3YhnfcSUISC
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PAT V8InMdYKe3JfB2w
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PPN qgfTYSy1Qurdga7
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BSH 3 g4khLuRYaIb3pTY
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BMH 3 KmYqlsd0mItnKie
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BPH 3 em6j5sZsyGnQC3j
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BVH 3 EAemrqsNyeFzWWl
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSH 4 WMq1hfpUyFxWYXg
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CMH 4 TTaPaygVppITivs
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CVH 4 yr2pPs69cslbqmR
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CAH 4 MPHvSkYNYL3fD33
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSKH 4 HQ8T25EQHAZr3PY
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BTH 3 mnIxL0x3C2si9dV
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BLCH 3 4g2g1UuTYW1IqaM
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IVN emdnfWGYoCtJSzW
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IV 3.6.2
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SM k5MEVzJppxlNMZI
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SP IOSOFGaxlXlQLJL
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BM YjlvMx4HxH6c9Ln
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BP y7CLtknoeFig3AX
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SCO 1 m8BuYDOiKmiRmHI
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 1 xv9FtpAG8bcoqCm
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 3 AomqBZBACmbw2Jg
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 4 93fsldulwjgj1B2
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 5 Pw4GmmxjYuzgsUJ
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39d3055 /state1:0x41c64e6d
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 182.129.81.91.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 72.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | ucc19a88b08bed224611bc70d7ad.dl.dropboxusercontent.com | udp |
| GB | 162.125.64.15:443 | ucc19a88b08bed224611bc70d7ad.dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | 18.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | storage.bunnycdn.com | udp |
| DE | 109.61.89.53:443 | storage.bunnycdn.com | tcp |
| US | 8.8.8.8:53 | 53.89.61.109.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| N/A | 127.0.0.1:50015 | N/A | tcp |
| N/A | 127.0.0.1:50022 | N/A | tcp |
| N/A | 127.0.0.1:50025 | N/A | tcp |
| N/A | 127.0.0.1:50027 | N/A | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | store1.gofile.io | udp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
| US | 8.8.8.8:53 | 126.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 227.123.112.45.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 233.128.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| N/A | 127.0.0.1:50198 | N/A | tcp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 201.201.50.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
| MD5 | d1291397afba61f29aa4edf736846e0a |
| SHA1 | 7689fa6f0981abf689cf530db90b5362290f3417 |
| SHA256 | 26f760c4a2ed24f038075e77622205d8052316eed2bdf5ec9176f7656d6549b0 |
| SHA512 | 9d8f4d07e84f462c3e696dbdfd00170e0dc114101da76476af40c8a65bd80060aa031dd001ab0cdb8908ae24287034a3b970696c46ee519aeac8a22044a5a12a |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\python311.dll
| MD5 | db09c9bbec6134db1766d369c339a0a1 |
| SHA1 | c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b |
| SHA256 | b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79 |
| SHA512 | 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\base_library.zip
| MD5 | 3b3654276bbb89fcba4df6a0a0fad8d6 |
| SHA1 | 668cd7e62cb6449e820ce1c24484e7ab9c4ca9a4 |
| SHA256 | de67ef0597974ce98ac33c99d230f370284031ef62249d55c5d6210066874938 |
| SHA512 | ecade71b589213ba9bcf8f997e4ab1d1c7c2c78fb88d5f2d562f376986c005e9b98ffdbbd0988f6b5f50adff4cc46be1c076b377a6e6152014d5552effec4973 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\unicodedata.pyd
| MD5 | 06a5e52caf03426218f0c08fc02cc6b8 |
| SHA1 | ae232c63620546716fbb97452d73948ebfd06b35 |
| SHA256 | 118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a |
| SHA512 | 546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_bz2.pyd
| MD5 | 80c69a1d87f0c82d6c4268e5a8213b78 |
| SHA1 | bae059da91d48eaac4f1bb45ca6feee2c89a2c06 |
| SHA256 | 307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87 |
| SHA512 | 542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_asyncio.pyd
| MD5 | 1b8ce772a230a5da8cbdccd8914080a5 |
| SHA1 | 40d4faf1308d1af6ef9f3856a4f743046fd0ead5 |
| SHA256 | fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f |
| SHA512 | d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\sqlite3.dll
| MD5 | 895f001ae969364432372329caf08b6a |
| SHA1 | 4567fc6672501648b277fe83e6b468a7a2155ddf |
| SHA256 | f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7 |
| SHA512 | 05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\select.pyd
| MD5 | c39459806c712b3b3242f8376218c1e1 |
| SHA1 | 85d254fb6cc5d6ed20a04026bff1158c8fd0a530 |
| SHA256 | 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9 |
| SHA512 | b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\pyexpat.pyd
| MD5 | fe0e32bfe3764ed5321454e1a01c81ec |
| SHA1 | 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb |
| SHA256 | b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92 |
| SHA512 | d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libssl-1_1.dll
| MD5 | 6cd33578bc5629930329ca3303f0fae1 |
| SHA1 | f2f8e3248a72f98d27f0cfa0010e32175a18487f |
| SHA256 | 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0 |
| SHA512 | c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yuebiugu.umu.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libcrypto-1_1.dll
| MD5 | 86cfc84f8407ab1be6cc64a9702882ef |
| SHA1 | 86f3c502ed64df2a5e10b085103c2ffc9e3a4130 |
| SHA256 | 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307 |
| SHA512 | b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | b5c0e86861a795b607b3dddf29ceab01 |
| SHA1 | 4ece72b0a9d8f42da935f9affe3280b48805d9c1 |
| SHA256 | 837167faa319cab764615fcfdb375008aed60c399b139dc0b3b0338a106f3b18 |
| SHA512 | 6ec88fbbbdd3377650bc575da6f1d1a8f94b445bceb6d96894a511b690cd3af63be5df448bc6bcac0e3200086f90cd1707c5b281bacfbbdf7a02f984f3ddf32b |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-time-l1-1-0.dll
| MD5 | c4af0dc7d97105deac352f569beb603d |
| SHA1 | f52d7ee9ae432dbf5b42d5fb2a816411138d7e03 |
| SHA256 | b66ae7e1d0da45a758b2ec9d2727f8f59a2d0a59bf43be347369381338c6afb3 |
| SHA512 | 8961b1acab372511d45b4cb08f6672bebc436f19c854f73058bb28e56ddd57dfd18aab785b39e0b1254ce9e2989e6db744e1de503429932fce2b0f53f000d91f |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 03f1e99c4258416b4c6800081b3701e2 |
| SHA1 | 502d6654cc0a331b8c45eb760db39edbc3ee93c9 |
| SHA256 | abf8a6ad52f6c71458dc2c159eb8ce7a297494177f8e05fd52a1e7bceb493426 |
| SHA512 | 7a1fc6488c4eee4a32963b1e78b76ac1c4d4c196c8b2743ae4cc89805fa02f554210d0fe5a87afa258abe3c24c710315facdea997e7aa2effcf8664b8531c459 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | ce04551e4a578993207eed8f49e045dc |
| SHA1 | f2ea2b8901458263879e76f67c4154559252aa5b |
| SHA256 | f6ba90e21a1e31ff2be7292c2a03d20570788fd829e075ab4a6d37a9ca2ba194 |
| SHA512 | 872af73065241877679e96dd6c5e8458417436241262829a378768aa47cb290f45aab67ddf205bccd6846a2189a0bd26a31fb01f1d7886fe93067687055f4fe5 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | be6d51793bc63716fb45cb49958b0f6a |
| SHA1 | e2563b2c324b58bad602c46bc4d6148ce5319c10 |
| SHA256 | edd8206ef8caf25e955e9fba2c9c8ebf73d8ec3fd0f562372f7ed8b8f7004c2f |
| SHA512 | 31fa876b8dc54d882db0d8a3c7e6784b893b6c8b4a04688261720d75402cb4229f07c70df4dabb032b63940d8e3ba95978d439b5f0f9a21c62a8adbcc92bcabe |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-process-l1-1-0.dll
| MD5 | fa9b5cec8eed4fef73ec60d7f4c1eb1e |
| SHA1 | 03f19b2886688de1fb2016d614fe514f8b508250 |
| SHA256 | 09f19b41a8d71cd5174efdae2a7649022780434d7c4416d6121153359aa85918 |
| SHA512 | 744288d8903fdceed87cc5b7e0e286fab59584b57acdd943b04c5f6a39391a1662961a686344c1fdce36aea039adf8b1fcfc883e06011dd592077931716cdff7 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-math-l1-1-0.dll
| MD5 | e6184d65799033dbee51667790130016 |
| SHA1 | b00461d14ffa2beab0887bcb716f331090cce8c9 |
| SHA256 | eecac10f830ad0dcbdf0f0dc1422ef5cfed490a877429a4674aecc560869a5e5 |
| SHA512 | 987c14f8c22ae0d6c1005cc7b0d9a240283c2120e8ded030a407f25fb7786f7283980850ca243859f0148dbeb7bfaec01c8208865b81046999252d07e5f42d53 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 3cca955cde8362605fc268e4b12accaa |
| SHA1 | 6f3c214ef223f35495c0cb0ee359b9d975c14e72 |
| SHA256 | 34c6e58abcce5bccace50df3bd6c3e2d3f4e8413b14aae8e707ddfddccdeba6d |
| SHA512 | 5b7fe7deb6066c53bd41479172eac2736301f5cf32921f13d2ce6ad2811925e7bc1c436627698050be86ddf18852eeac927be4efc2182d857b31f637adc6c206 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | e3ede68927c68aa73ac95722d24334ce |
| SHA1 | dbe71e1a56f9b7569b4a568bb67e37c38011b879 |
| SHA256 | 5dd42e524920f4cb467031eb9e0e440bbe73de0fb39f71e65736a2ab2f6fcfe8 |
| SHA512 | d935058d8409b518d82336dc0b1521bf411ef77ef49485ede15baf5d1ac527f46ad813ebdb889c0f9999d553a879150d5ba41ce3a0b11d5ca08907e378fc9b8d |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 3491700e847fb9e9c4413fc82a0ad285 |
| SHA1 | 03694cd43a06bb2fff6a1d85f73bd7b87198e07e |
| SHA256 | ed969fae3cf64f46b5f4d2447980befd6f0a7fd05802529dbc793f3c014bc46c |
| SHA512 | 07e81eabcef621ec6a84e1932e299e0b865c06e6f9907017bbed0121771712b007a18771099131f24da134f3cbff0a7af30ca4e1c262b117e8bacf055cd54002 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 16a97489dab15db9b9713c53726f3411 |
| SHA1 | c15ad01807955374283805104233bd56760b25c9 |
| SHA256 | 9c06541d13c7088f313aab0be5af20b72e583f34e442df3d2fc29953640d4812 |
| SHA512 | 54ffa278e4d0975830c1a8eff9b7fc41d487cd9e8390d0e14f58cff62efadfc5816bcda3ca11e2b1cbaeecb20546839593f7c6ea9500eef433f299861d205822 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 4bb011d3e58e958e94ca23ae05a8e958 |
| SHA1 | 741af22136c1d6dce03c75c68e977c05d76ac027 |
| SHA256 | 06b0fd7e6d7cbe35177af8fc17863f247bd5caee64543e3a9a125253d51af777 |
| SHA512 | 07668515aa4099c390ce30ef3415e412113483da792d7cd02bb3ddce561719e808d6be81b90d599f4a7fa50ba27382c8d84ecb45292200bba7094a5204ff7715 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 5bc2660d94760af50f96b1999de6cfab |
| SHA1 | 75dec9b15bf9181f0e8015992b678bac718d8c0b |
| SHA256 | 03bebf73df97beed5da608cae73324df2aaec092277d53ce8c119031cf8e21fd |
| SHA512 | 7e9c67b5e46b35ba3f733110cf7fe35ac9dc1b41a4f7633180cd69631d1b82bcac99f8b94b6f36a373f72bc4fd7eeaac21a8fb51830914a32e19d738208ca636 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-util-l1-1-0.dll
| MD5 | 8222b0f8bcf884433a55996253963a96 |
| SHA1 | 35914b003bbe6527e2479d7f897024915821500f |
| SHA256 | 7f18dc2971d15434bfe03c4842dced10b466e849d782a1c8e398d96c2e2b12e2 |
| SHA512 | 5e67b25af8a1f23450cf8807135fea1ec39dfe8ff7cd3858e492ae9e016a23967ed6009da8868cd9dc87d583c3b7e6fb66d00bd48a7bba6b0eea638716514cc6 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 10d466341e7ece8cf75b5d026105741b |
| SHA1 | 31d1e9b9a4511156695b5aa33d65b6a36f8139c2 |
| SHA256 | 5ce391edb33c7055e724a4c3cecc64d16ba2aa4724cb99cd5aed00b0cecfbc82 |
| SHA512 | 8778fd10c7360bd87db048a2b2ca6603455fd8cb4d0e18709f106b55db7cc92e7d6dc45385ff9def445b368376462e7d253442728d5e759faa97299b67a59e21 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | e496d42d228b5e90c7b96350dbb1159c |
| SHA1 | 746ba35a931e05aebda957608a6e28c1699237aa |
| SHA256 | 1ff617fb9d681551fb456aabaae078c0ac7f96580ac1144ea441826a6d98caef |
| SHA512 | ce555cb7fc0625d7568b002306e203e013f03127aad7383ce26774cb1f1fa820f5fa6145dc9f5930b4d0791631bdbce2ee2e4ee3efa7720b1b2c413ff782e197 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 2914ea20c9b8d79b1e98ea6b6dd85450 |
| SHA1 | 2e25617bb4f3f6391658b5778f5248d9e6762c6b |
| SHA256 | 047d09b49dae9a101eb55277aa37c31390ea6c7187379b448122d77bd77bf005 |
| SHA512 | c0731aaecbca9b70151e7630e0dbc7d744d534effe56ad703df881f09c7820cb143873dbf95d57357d51be44d53a3b9862d0c6483ca6c70aad01a3f11350abc9 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 87c57eddf837c1e7aaaddb451d3d981e |
| SHA1 | 5287af84ca9cdfa928355c3c899a43051169a2fd |
| SHA256 | e65305c73e3540491a0c62103764d50d827a13d749f76cb2af593a800c93cf44 |
| SHA512 | 0900608072d807082087275bd71061f7118534ea20d4cbd9b0e8190f500cd57feabe0bf7f9fac6438a7c4655ac405dd4ec17fd5f1a48b4f5dc70eb25e6f0e8ae |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-string-l1-1-0.dll
| MD5 | 2ebacbbda70b888b1bcc5e816d14f3a2 |
| SHA1 | ebf1763b0cee267040312deccb3dad61af1b9cf4 |
| SHA256 | 96b11fa8aca734f4b1ddee377c84427d384f8e06affd99c63128797289fc9304 |
| SHA512 | af15fc2b1ff31a3550ae4e9ae45f7bbe728d839b288d6dc5f04859e27463ed946d5b2619736223ae401cee504e683b9fe9dffb65754280644dda91527eb46c5e |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 8aad6a3a2fe9052ef218d5c8ce1995e1 |
| SHA1 | 33748750e57cdc165fcdd186ae53003649607221 |
| SHA256 | e44d56d10ee14d4c4767a25839c2ef6826adbea3e15c2705b1d79676a63905b4 |
| SHA512 | 841c70c63b243dea68c2ac9cd886731b6171dcf76a60932191fb29402585d6bbfcc98d11868fc6032f08c29d8e0040a2b896c32c2fb4697bd54dea2a52589ae6 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-profile-l1-1-0.dll
| MD5 | fb731a1f96c9e34347cba5bb18e54581 |
| SHA1 | 88a62edfbbd806b1043b4a1266c4708e1d47be1d |
| SHA256 | c4c1d381f419731c848e4a20aef02a4436758935c9a274896228b9451956cc8e |
| SHA512 | be6c94d6015edae41fa0d6464c7dc5976adbc3617e02b293b9a39e645ec173071f1f282959ddf264a133ce3b3bb9c434eb2e65fc607136f11d8eb07538168ffc |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | a6776c201baae1dd6f88048d7747d14c |
| SHA1 | 646119d2e440e6dad0ffb0fe449ab4fc27f09fbe |
| SHA256 | ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112 |
| SHA512 | a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | abaabc1df36c7a0674f20fb83247fd71 |
| SHA1 | 345db0ffea0cb2531b79d464ad69347ac71ee2b9 |
| SHA256 | ba55f8481d8a9d225b8c430eb010f675250c5afa64d9eeb15ff31dc159a19f5a |
| SHA512 | 7c01b8f46e9fbe08784066a9df03723b3485fa714f22f4ab7e1cbe719b0a91ab1a5d597ef9d567836375de929ea9397ce0685f00b908f3d0aa4d0288eb59f7ba |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 6d0762a2ba4263d0901ca7aaa0725c0c |
| SHA1 | e36d2d049116bd2d84121cdfa179098ac03650b4 |
| SHA256 | 2ee9434cc5f40f4514c7284e14b90db5c7a33000afda834d7c1dc063baa3d805 |
| SHA512 | 94616b2bfc0497ca2dbbc23c1aa4ecb04113a53d75fa570f6bb5e2561e5cdb940792e2cb290562133d226400c78d91377fdd312ba2858679084c66ff1ae9031d |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 7e751952f122f4e8be1317087dc9dc71 |
| SHA1 | f65884c8cfbb8ad565b3df3a51af11b1617c7092 |
| SHA256 | d078a9a9958a7c816dea989bef24f32befc6651aea5e07f97a7b5d50df73f799 |
| SHA512 | 960922ac1309bdcf42d6900a0bea30d4096d1411ec6a97f328520d4a59f71fc04e6f4a7b8d2b346012530329f76897607369c8e1ed1fe9c589d7f7682987c043 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 41e0b7cb0eecba317cf321b1ada084d7 |
| SHA1 | 4ce1f13188fc00eb29c726717eae489c524c1c8a |
| SHA256 | db978830b1fbcc0521582a6a79864b0fd83179248fa374926c8097bc02cd6383 |
| SHA512 | f0961cde8dc83b845b2b91e42436ed8b42d2fb19caaabf49b300fa9cbbae9fab84009b4714c3899ab4a703315a135a61e508db29239d823a1cc11462ce6ffab7 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 4c26932f8f1f490017add31f5ec0a533 |
| SHA1 | 0da01a7c89b506fe3fd939344bb51b976efb3207 |
| SHA256 | dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23 |
| SHA512 | eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 259b4186004bb41e706dd781e29f5c5b |
| SHA1 | 85751d31fe233ed51c46466f214f497d01be8d87 |
| SHA256 | b3ba83880986f2522d05a88c52fe69eda9c9fadbc5192a063e36bba777cc877f |
| SHA512 | f8a06252e96f40965668c978c4808305d424de698f47f420643d713751926636f2049dd34c8156ba5bbbf5a5b2f4d5c19a978cf27d3aaebd728d7a3de8f0afa2 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 0b65672b91c6a12d769dd777f810b149 |
| SHA1 | 2d527b45dcbe653a91e10365891c7e589f5e51e0 |
| SHA256 | c09eb307b2eb747b73c516267a99a23bb73204452326d41bdeb6f43598f6d62e |
| SHA512 | f090bb0b8f3616cf2d77ff25523bc823918e1452f626a1298c95003def1867c785566a4e85ccd7f5a20f14631caec5dd392777db2d00368c3fdf3597e0f51788 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 993b5bc35dac959bed58b77fe42ac77a |
| SHA1 | 2abad159cbab86ff423d6446143427daab751366 |
| SHA256 | b998ff8d173c34505e1d5984134282866de910b09919cf9a322fce760b75c80b |
| SHA512 | ca19e949dcc8460af53c9dad17995a0cbffd971bb731b7fcb53bb9384d227357926231c9fadfaa5aef09055bebae9d5c23ee73eb6eca04d6a52a3df0847e10ab |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 4166d703abc9c6de65d5b269d3a5425e |
| SHA1 | 16bcd7191312b94bdf38368d188e5a5cc479a36c |
| SHA256 | 0a351c2a2889a42886017e7dbcf75f45e3cb24d2f55e72205624272487e4a056 |
| SHA512 | f722dba410cab727c753e9cce0bc47663e22f45828f5df0bac5bd6331497a2f15f6d9330b5203d3ff735f1ce6397e63c1b21d3ea6c5ceab817b5f83ec296882b |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-file-l2-1-0.dll
| MD5 | 50abf0a7ee67f00f247bada185a7661c |
| SHA1 | 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1 |
| SHA256 | f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7 |
| SHA512 | c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-file-l1-2-0.dll
| MD5 | 4a060eec454c222a5381cd359dc00b81 |
| SHA1 | 21e1bc115d04a74779e955ea16a16bd71454d9bb |
| SHA256 | e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df |
| SHA512 | 16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-file-l1-1-0.dll
| MD5 | 4b328f140a3ae7fedb21ca50cc23d938 |
| SHA1 | 9e71b4c2cf030a644d2050188c4b77e638c0ee14 |
| SHA256 | e55b200643e8b078e7f5eb0c97de44fead21b11d06590ebedbcb84214d063345 |
| SHA512 | 4c349f45ca4db4f1247aa405e5627f22b7ccfe66234d8d970475e71471ebb251f7a0f781a33d0e4ec893f86653b0a1c8508adf576e923d0ce86b43f552204614 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-fibers-l1-1-0.dll
| MD5 | 201ff3cd2ffe7d222f46574d4ac40a70 |
| SHA1 | b43f19bbb8fd1c8aa05ba67dea38a7785dbe57b6 |
| SHA256 | b83a71978215fdba477c4ea61340168947a1021324d118e6b7159054985f2d1a |
| SHA512 | 3f99d7b501c1db470a6d91af856ebbede05522acb5763d928f4fb28c74db2339b46df108745ed8ebd8c6c1298d9495358c245d188f055638b0d6dd568fa596d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 12ea48ce605ebb204a21ae7d86db3417 |
| SHA1 | 5fb0ff9ba4105cd76ee4470ae4cad0a39ae68c66 |
| SHA256 | 189bbbd739526a986e53518865e741cde8c5967aacd5ed687408cec3d8781f1c |
| SHA512 | 39b486fb72c9dff4e391673a872e957dbf0545d4d26914d0b0a475624e40b4feec3a9a17549e87ba806b1a90bf6f7784a187c506daa1db5201561cef90ff6e81 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 7ad2034acd0f296fe9eed320e5ad7591 |
| SHA1 | fe1b217e3f4567905968f7a3d48a7611e3cf3f7b |
| SHA256 | 0d859a866d1bcefe1a1bc5adb88dcf2765567ecc31dfb4e472b512d033d88bb4 |
| SHA512 | 06d017b0ef9d081bc627f7f33d51ef2fe64e2cc5023204771032c4ed7bf26c0c6106b69d78f7bdd880fa59e8e4048b2da8848784bc92d7780155df140c952420 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | 854458ad55c39a9dfd1e350a51be02b8 |
| SHA1 | 5013cf58de5a0b55e026ace967e9842b3b131c2a |
| SHA256 | f918b0c45f59b2cb29f1eb3653d2f2679095e85e082a1198c933a76edf1f33ef |
| SHA512 | faa41a5031033f7e86efebc47777f915e95617f4b05d93833066c206d9c092855d8072c7bd142898f5a2bd1f94b646d98933302ddeb5a9ca0d5930c7b2241b98 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\api-ms-win-core-console-l1-1-0.dll
| MD5 | 9313c86e7bae859f0174a1c8b6aba58b |
| SHA1 | dce67fd1da5da8dc4ba406c544e55a83d6536cc9 |
| SHA256 | af9675ac90bae8a0d8623f6fdaff9d39e1b8810e8e46a5b044baaa3396e745b3 |
| SHA512 | 2ec64fce4a86bc52dc6c485fd94d203020617df92698ca91ae25c4901984899e21c7dd92881ec52d6850edfa547701aab9b0cd1b8d076e6779b1a13324cdd3a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\libffi-8.dll
| MD5 | decbba3add4c2246928ab385fb16a21e |
| SHA1 | 5f019eff11de3122ffa67a06d52d446a3448b75e |
| SHA256 | 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d |
| SHA512 | 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\_ctypes.pyd
| MD5 | b4c41a4a46e1d08206c109ce547480c7 |
| SHA1 | 9588387007a49ec2304160f27376aedca5bc854d |
| SHA256 | 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9 |
| SHA512 | 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33 |
C:\Users\Admin\AppData\Local\Temp\_MEI38162\python3.dll
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-05 01:25
Reported
2024-12-05 01:27
Platform
win11-20241007-en
Max time kernel
74s
Max time network
76s
Command Line
Signatures
Exela Stealer
Exelastealer family
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-556537508-2730415644-482548075-1000\{7301F971-3128-41CE-B3BB-ED3B4A4DBFA1} | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D8 0x00000000000004E0
C:\Windows\SYSTEM32\taskkill.exe
"taskkill" /F /IM explorer.exe
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| US | 8.8.8.8:53 | 18.64.125.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| GB | 162.125.64.15:443 | uca424c1d59f46fd6257361807e8.dl.dropboxusercontent.com | tcp |
| DE | 109.61.89.53:443 | storage.bunnycdn.com | tcp |
| DE | 109.61.89.53:443 | storage.bunnycdn.com | tcp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| N/A | 127.0.0.1:50035 | N/A | tcp |
| N/A | 127.0.0.1:50042 | N/A | tcp |
| N/A | 127.0.0.1:50045 | N/A | tcp |
| N/A | 127.0.0.1:50047 | N/A | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| US | 162.159.137.232:443 | discord.com | tcp |
| FR | 45.112.123.126:443 | api.gofile.io | tcp |
| FR | 45.112.123.227:443 | store1.gofile.io | tcp |
Files
memory/1060-1-0x00007FFA2F24A000-0x00007FFA2F24B000-memory.dmp
memory/1060-0-0x0000000000E00000-0x0000000002A80000-memory.dmp
memory/1060-3-0x00007FFA2F230000-0x00007FFA2F2ED000-memory.dmp
memory/1060-2-0x00007FFA2F230000-0x00007FFA2F2ED000-memory.dmp
memory/1060-5-0x0000000000E00000-0x0000000002A80000-memory.dmp
memory/1060-6-0x0000000000E00000-0x0000000002A80000-memory.dmp
memory/1060-8-0x000002232B020000-0x000002232B021000-memory.dmp
memory/1060-9-0x0000022345FA0000-0x0000022346052000-memory.dmp
memory/1060-10-0x00000223461D0000-0x00000223461F2000-memory.dmp
memory/1060-11-0x0000022346210000-0x0000022346424000-memory.dmp
memory/1060-12-0x0000000000E00000-0x0000000002A80000-memory.dmp
memory/1060-13-0x00007FFA2F230000-0x00007FFA2F2ED000-memory.dmp
memory/1060-16-0x0000022346E90000-0x0000022346EC4000-memory.dmp
memory/1060-17-0x0000022346EE0000-0x0000022346EFA000-memory.dmp
memory/1060-21-0x0000022346F00000-0x0000022346F32000-memory.dmp
memory/1060-19-0x0000022346ED0000-0x0000022346EE4000-memory.dmp
memory/1060-18-0x0000022346EC0000-0x0000022346EC8000-memory.dmp
memory/1060-25-0x0000022346FC0000-0x0000022346FCD000-memory.dmp
memory/1060-27-0x0000022346FF0000-0x0000022346FFB000-memory.dmp
memory/1060-28-0x00007FFA2F230000-0x00007FFA2F2ED000-memory.dmp
memory/1060-26-0x0000022346FD0000-0x0000022346FEE000-memory.dmp
memory/1060-24-0x0000022346F40000-0x0000022346F86000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
| MD5 | d1291397afba61f29aa4edf736846e0a |
| SHA1 | 7689fa6f0981abf689cf530db90b5362290f3417 |
| SHA256 | 26f760c4a2ed24f038075e77622205d8052316eed2bdf5ec9176f7656d6549b0 |
| SHA512 | 9d8f4d07e84f462c3e696dbdfd00170e0dc114101da76476af40c8a65bd80060aa031dd001ab0cdb8908ae24287034a3b970696c46ee519aeac8a22044a5a12a |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\ucrtbase.dll
| MD5 | 3b337c2d41069b0a1e43e30f891c3813 |
| SHA1 | ebee2827b5cb153cbbb51c9718da1549fa80fc5c |
| SHA256 | c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7 |
| SHA512 | fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\python311.dll
| MD5 | db09c9bbec6134db1766d369c339a0a1 |
| SHA1 | c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b |
| SHA256 | b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79 |
| SHA512 | 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\VCRUNTIME140.dll
| MD5 | f12681a472b9dd04a812e16096514974 |
| SHA1 | 6fd102eb3e0b0e6eef08118d71f28702d1a9067c |
| SHA256 | d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8 |
| SHA512 | 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2 |
memory/4336-163-0x00007FFA182E0000-0x00007FFA188C8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI35282\python3.dll
| MD5 | 34e49bb1dfddf6037f0001d9aefe7d61 |
| SHA1 | a25a39dca11cdc195c9ecd49e95657a3e4fe3215 |
| SHA256 | 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281 |
| SHA512 | edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\_bz2.pyd
| MD5 | 80c69a1d87f0c82d6c4268e5a8213b78 |
| SHA1 | bae059da91d48eaac4f1bb45ca6feee2c89a2c06 |
| SHA256 | 307359f1b2552b60839385eb63d74cbfe75cd5efdb4e7cd0bb7d296fa67d8a87 |
| SHA512 | 542cf4ba19dd6a91690340779873e0cb8864b28159f55917f98a192ff9c449aba2d617e9b2b3932ddfeee13021706577ab164e5394e0513fe4087af6bc39d40d |
memory/4336-220-0x00007FFA2A980000-0x00007FFA2A98F000-memory.dmp
memory/4336-225-0x00007FFA21940000-0x00007FFA21963000-memory.dmp
memory/4336-226-0x00007FFA18160000-0x00007FFA182D3000-memory.dmp
memory/4336-227-0x00007FFA21910000-0x00007FFA2193E000-memory.dmp
memory/4336-230-0x0000021872840000-0x0000021872BB5000-memory.dmp
memory/4336-235-0x00007FFA218F0000-0x00007FFA21902000-memory.dmp
memory/4336-234-0x00007FFA26790000-0x00007FFA267A9000-memory.dmp
memory/4336-242-0x00007FFA21890000-0x00007FFA218AB000-memory.dmp
memory/4336-241-0x00007FFA18160000-0x00007FFA182D3000-memory.dmp
memory/4336-245-0x00007FFA199E0000-0x00007FFA19A98000-memory.dmp
memory/4336-253-0x00007FFA20680000-0x00007FFA2069E000-memory.dmp
memory/4336-254-0x00007FFA05390000-0x00007FFA05B8B000-memory.dmp
memory/4336-252-0x00007FFA24170000-0x00007FFA24185000-memory.dmp
memory/4336-251-0x00007FFA206A0000-0x00007FFA206D2000-memory.dmp
memory/4336-255-0x00007FFA20490000-0x00007FFA204C7000-memory.dmp
memory/4336-250-0x00007FFA20740000-0x00007FFA20751000-memory.dmp
memory/4336-249-0x00007FFA17DE0000-0x00007FFA18155000-memory.dmp
memory/4336-248-0x00007FFA25040000-0x00007FFA2504A000-memory.dmp
memory/4336-247-0x00007FFA20940000-0x00007FFA2098D000-memory.dmp
memory/4336-246-0x0000021872840000-0x0000021872BB5000-memory.dmp
memory/4336-244-0x00007FFA21600000-0x00007FFA21619000-memory.dmp
memory/4336-243-0x00007FFA21910000-0x00007FFA2193E000-memory.dmp
memory/4336-240-0x00007FFA17780000-0x00007FFA1789C000-memory.dmp
memory/4336-239-0x00007FFA21940000-0x00007FFA21963000-memory.dmp
memory/4336-238-0x00007FFA21740000-0x00007FFA21762000-memory.dmp
memory/4336-237-0x00007FFA218B0000-0x00007FFA218C4000-memory.dmp
memory/4336-236-0x00007FFA218D0000-0x00007FFA218E4000-memory.dmp
memory/4336-233-0x00007FFA24170000-0x00007FFA24185000-memory.dmp
memory/4336-232-0x00007FFA267B0000-0x00007FFA267D4000-memory.dmp
memory/4336-231-0x00007FFA17DE0000-0x00007FFA18155000-memory.dmp
memory/4336-229-0x00007FFA199E0000-0x00007FFA19A98000-memory.dmp
memory/4336-228-0x00007FFA182E0000-0x00007FFA188C8000-memory.dmp
memory/4336-224-0x00007FFA242F0000-0x00007FFA2431D000-memory.dmp
memory/4336-223-0x00007FFA26760000-0x00007FFA26779000-memory.dmp
memory/4336-222-0x00007FFA26780000-0x00007FFA2678D000-memory.dmp
memory/4336-221-0x00007FFA26790000-0x00007FFA267A9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI35282\_asyncio.pyd
| MD5 | 1b8ce772a230a5da8cbdccd8914080a5 |
| SHA1 | 40d4faf1308d1af6ef9f3856a4f743046fd0ead5 |
| SHA256 | fa5a1e7031de5849ab2ab5a177e366b41e1df6bbd90c8d2418033a01c740771f |
| SHA512 | d2fc21b9f58b57065b337c3513e7e6c3e2243b73c5a230e81c91dafcb6724b521ad766667848ba8d0a428d530691ffc4020de6ce9ce1eaa2bf5e15338114a603 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\unicodedata.pyd
| MD5 | 06a5e52caf03426218f0c08fc02cc6b8 |
| SHA1 | ae232c63620546716fbb97452d73948ebfd06b35 |
| SHA256 | 118c31faa930f2849a14c3133df36420a5832114df90d77b09cde0ad5f96f33a |
| SHA512 | 546b1a01f36d3689b0fdeeda8b1ce55e7d3451731ca70fffe6627d542fff19d7a70e27147cab1920aae8bed88272342908d4e9d671d7aba74abb5db398b90718 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\sqlite3.dll
| MD5 | 895f001ae969364432372329caf08b6a |
| SHA1 | 4567fc6672501648b277fe83e6b468a7a2155ddf |
| SHA256 | f5dd29e1e99cf8967f7f81487dc624714dcbec79c1630f929d5507fc95cbfad7 |
| SHA512 | 05b4559d283ea84174da72a6c11b8b93b1586b4e7d8cda8d745c814f8f6dff566e75f9d7890f32bd9dfe43485244973860f83f96ba39296e28127c9396453261 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\select.pyd
| MD5 | c39459806c712b3b3242f8376218c1e1 |
| SHA1 | 85d254fb6cc5d6ed20a04026bff1158c8fd0a530 |
| SHA256 | 7cbd4339285d145b422afa280cee685258bc659806be9cf8b334805bc45b29c9 |
| SHA512 | b727c6d1cd451d658e174161135d3be48d7efda21c775b8145bc527a54d6592bfc50919276c6498d2e2233ac1524c1699f59f0f467cc6e43e5b5e9558c87f49d |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\pyexpat.pyd
| MD5 | fe0e32bfe3764ed5321454e1a01c81ec |
| SHA1 | 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb |
| SHA256 | b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92 |
| SHA512 | d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\libssl-1_1.dll
| MD5 | 6cd33578bc5629930329ca3303f0fae1 |
| SHA1 | f2f8e3248a72f98d27f0cfa0010e32175a18487f |
| SHA256 | 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0 |
| SHA512 | c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\libcrypto-1_1.dll
| MD5 | 86cfc84f8407ab1be6cc64a9702882ef |
| SHA1 | 86f3c502ed64df2a5e10b085103c2ffc9e3a4130 |
| SHA256 | 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307 |
| SHA512 | b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-utility-l1-1-0.dll
| MD5 | b5c0e86861a795b607b3dddf29ceab01 |
| SHA1 | 4ece72b0a9d8f42da935f9affe3280b48805d9c1 |
| SHA256 | 837167faa319cab764615fcfdb375008aed60c399b139dc0b3b0338a106f3b18 |
| SHA512 | 6ec88fbbbdd3377650bc575da6f1d1a8f94b445bceb6d96894a511b690cd3af63be5df448bc6bcac0e3200086f90cd1707c5b281bacfbbdf7a02f984f3ddf32b |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-time-l1-1-0.dll
| MD5 | c4af0dc7d97105deac352f569beb603d |
| SHA1 | f52d7ee9ae432dbf5b42d5fb2a816411138d7e03 |
| SHA256 | b66ae7e1d0da45a758b2ec9d2727f8f59a2d0a59bf43be347369381338c6afb3 |
| SHA512 | 8961b1acab372511d45b4cb08f6672bebc436f19c854f73058bb28e56ddd57dfd18aab785b39e0b1254ce9e2989e6db744e1de503429932fce2b0f53f000d91f |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-string-l1-1-0.dll
| MD5 | 03f1e99c4258416b4c6800081b3701e2 |
| SHA1 | 502d6654cc0a331b8c45eb760db39edbc3ee93c9 |
| SHA256 | abf8a6ad52f6c71458dc2c159eb8ce7a297494177f8e05fd52a1e7bceb493426 |
| SHA512 | 7a1fc6488c4eee4a32963b1e78b76ac1c4d4c196c8b2743ae4cc89805fa02f554210d0fe5a87afa258abe3c24c710315facdea997e7aa2effcf8664b8531c459 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-stdio-l1-1-0.dll
| MD5 | ce04551e4a578993207eed8f49e045dc |
| SHA1 | f2ea2b8901458263879e76f67c4154559252aa5b |
| SHA256 | f6ba90e21a1e31ff2be7292c2a03d20570788fd829e075ab4a6d37a9ca2ba194 |
| SHA512 | 872af73065241877679e96dd6c5e8458417436241262829a378768aa47cb290f45aab67ddf205bccd6846a2189a0bd26a31fb01f1d7886fe93067687055f4fe5 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-runtime-l1-1-0.dll
| MD5 | be6d51793bc63716fb45cb49958b0f6a |
| SHA1 | e2563b2c324b58bad602c46bc4d6148ce5319c10 |
| SHA256 | edd8206ef8caf25e955e9fba2c9c8ebf73d8ec3fd0f562372f7ed8b8f7004c2f |
| SHA512 | 31fa876b8dc54d882db0d8a3c7e6784b893b6c8b4a04688261720d75402cb4229f07c70df4dabb032b63940d8e3ba95978d439b5f0f9a21c62a8adbcc92bcabe |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-process-l1-1-0.dll
| MD5 | fa9b5cec8eed4fef73ec60d7f4c1eb1e |
| SHA1 | 03f19b2886688de1fb2016d614fe514f8b508250 |
| SHA256 | 09f19b41a8d71cd5174efdae2a7649022780434d7c4416d6121153359aa85918 |
| SHA512 | 744288d8903fdceed87cc5b7e0e286fab59584b57acdd943b04c5f6a39391a1662961a686344c1fdce36aea039adf8b1fcfc883e06011dd592077931716cdff7 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-math-l1-1-0.dll
| MD5 | e6184d65799033dbee51667790130016 |
| SHA1 | b00461d14ffa2beab0887bcb716f331090cce8c9 |
| SHA256 | eecac10f830ad0dcbdf0f0dc1422ef5cfed490a877429a4674aecc560869a5e5 |
| SHA512 | 987c14f8c22ae0d6c1005cc7b0d9a240283c2120e8ded030a407f25fb7786f7283980850ca243859f0148dbeb7bfaec01c8208865b81046999252d07e5f42d53 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-locale-l1-1-0.dll
| MD5 | 3cca955cde8362605fc268e4b12accaa |
| SHA1 | 6f3c214ef223f35495c0cb0ee359b9d975c14e72 |
| SHA256 | 34c6e58abcce5bccace50df3bd6c3e2d3f4e8413b14aae8e707ddfddccdeba6d |
| SHA512 | 5b7fe7deb6066c53bd41479172eac2736301f5cf32921f13d2ce6ad2811925e7bc1c436627698050be86ddf18852eeac927be4efc2182d857b31f637adc6c206 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-heap-l1-1-0.dll
| MD5 | e3ede68927c68aa73ac95722d24334ce |
| SHA1 | dbe71e1a56f9b7569b4a568bb67e37c38011b879 |
| SHA256 | 5dd42e524920f4cb467031eb9e0e440bbe73de0fb39f71e65736a2ab2f6fcfe8 |
| SHA512 | d935058d8409b518d82336dc0b1521bf411ef77ef49485ede15baf5d1ac527f46ad813ebdb889c0f9999d553a879150d5ba41ce3a0b11d5ca08907e378fc9b8d |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-filesystem-l1-1-0.dll
| MD5 | 3491700e847fb9e9c4413fc82a0ad285 |
| SHA1 | 03694cd43a06bb2fff6a1d85f73bd7b87198e07e |
| SHA256 | ed969fae3cf64f46b5f4d2447980befd6f0a7fd05802529dbc793f3c014bc46c |
| SHA512 | 07e81eabcef621ec6a84e1932e299e0b865c06e6f9907017bbed0121771712b007a18771099131f24da134f3cbff0a7af30ca4e1c262b117e8bacf055cd54002 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-environment-l1-1-0.dll
| MD5 | 16a97489dab15db9b9713c53726f3411 |
| SHA1 | c15ad01807955374283805104233bd56760b25c9 |
| SHA256 | 9c06541d13c7088f313aab0be5af20b72e583f34e442df3d2fc29953640d4812 |
| SHA512 | 54ffa278e4d0975830c1a8eff9b7fc41d487cd9e8390d0e14f58cff62efadfc5816bcda3ca11e2b1cbaeecb20546839593f7c6ea9500eef433f299861d205822 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-convert-l1-1-0.dll
| MD5 | 4bb011d3e58e958e94ca23ae05a8e958 |
| SHA1 | 741af22136c1d6dce03c75c68e977c05d76ac027 |
| SHA256 | 06b0fd7e6d7cbe35177af8fc17863f247bd5caee64543e3a9a125253d51af777 |
| SHA512 | 07668515aa4099c390ce30ef3415e412113483da792d7cd02bb3ddce561719e808d6be81b90d599f4a7fa50ba27382c8d84ecb45292200bba7094a5204ff7715 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-crt-conio-l1-1-0.dll
| MD5 | 5bc2660d94760af50f96b1999de6cfab |
| SHA1 | 75dec9b15bf9181f0e8015992b678bac718d8c0b |
| SHA256 | 03bebf73df97beed5da608cae73324df2aaec092277d53ce8c119031cf8e21fd |
| SHA512 | 7e9c67b5e46b35ba3f733110cf7fe35ac9dc1b41a4f7633180cd69631d1b82bcac99f8b94b6f36a373f72bc4fd7eeaac21a8fb51830914a32e19d738208ca636 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-util-l1-1-0.dll
| MD5 | 8222b0f8bcf884433a55996253963a96 |
| SHA1 | 35914b003bbe6527e2479d7f897024915821500f |
| SHA256 | 7f18dc2971d15434bfe03c4842dced10b466e849d782a1c8e398d96c2e2b12e2 |
| SHA512 | 5e67b25af8a1f23450cf8807135fea1ec39dfe8ff7cd3858e492ae9e016a23967ed6009da8868cd9dc87d583c3b7e6fb66d00bd48a7bba6b0eea638716514cc6 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-timezone-l1-1-0.dll
| MD5 | 10d466341e7ece8cf75b5d026105741b |
| SHA1 | 31d1e9b9a4511156695b5aa33d65b6a36f8139c2 |
| SHA256 | 5ce391edb33c7055e724a4c3cecc64d16ba2aa4724cb99cd5aed00b0cecfbc82 |
| SHA512 | 8778fd10c7360bd87db048a2b2ca6603455fd8cb4d0e18709f106b55db7cc92e7d6dc45385ff9def445b368376462e7d253442728d5e759faa97299b67a59e21 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-sysinfo-l1-1-0.dll
| MD5 | e496d42d228b5e90c7b96350dbb1159c |
| SHA1 | 746ba35a931e05aebda957608a6e28c1699237aa |
| SHA256 | 1ff617fb9d681551fb456aabaae078c0ac7f96580ac1144ea441826a6d98caef |
| SHA512 | ce555cb7fc0625d7568b002306e203e013f03127aad7383ce26774cb1f1fa820f5fa6145dc9f5930b4d0791631bdbce2ee2e4ee3efa7720b1b2c413ff782e197 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-synch-l1-2-0.dll
| MD5 | 2914ea20c9b8d79b1e98ea6b6dd85450 |
| SHA1 | 2e25617bb4f3f6391658b5778f5248d9e6762c6b |
| SHA256 | 047d09b49dae9a101eb55277aa37c31390ea6c7187379b448122d77bd77bf005 |
| SHA512 | c0731aaecbca9b70151e7630e0dbc7d744d534effe56ad703df881f09c7820cb143873dbf95d57357d51be44d53a3b9862d0c6483ca6c70aad01a3f11350abc9 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-synch-l1-1-0.dll
| MD5 | 87c57eddf837c1e7aaaddb451d3d981e |
| SHA1 | 5287af84ca9cdfa928355c3c899a43051169a2fd |
| SHA256 | e65305c73e3540491a0c62103764d50d827a13d749f76cb2af593a800c93cf44 |
| SHA512 | 0900608072d807082087275bd71061f7118534ea20d4cbd9b0e8190f500cd57feabe0bf7f9fac6438a7c4655ac405dd4ec17fd5f1a48b4f5dc70eb25e6f0e8ae |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-string-l1-1-0.dll
| MD5 | 2ebacbbda70b888b1bcc5e816d14f3a2 |
| SHA1 | ebf1763b0cee267040312deccb3dad61af1b9cf4 |
| SHA256 | 96b11fa8aca734f4b1ddee377c84427d384f8e06affd99c63128797289fc9304 |
| SHA512 | af15fc2b1ff31a3550ae4e9ae45f7bbe728d839b288d6dc5f04859e27463ed946d5b2619736223ae401cee504e683b9fe9dffb65754280644dda91527eb46c5e |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-rtlsupport-l1-1-0.dll
| MD5 | 8aad6a3a2fe9052ef218d5c8ce1995e1 |
| SHA1 | 33748750e57cdc165fcdd186ae53003649607221 |
| SHA256 | e44d56d10ee14d4c4767a25839c2ef6826adbea3e15c2705b1d79676a63905b4 |
| SHA512 | 841c70c63b243dea68c2ac9cd886731b6171dcf76a60932191fb29402585d6bbfcc98d11868fc6032f08c29d8e0040a2b896c32c2fb4697bd54dea2a52589ae6 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-profile-l1-1-0.dll
| MD5 | fb731a1f96c9e34347cba5bb18e54581 |
| SHA1 | 88a62edfbbd806b1043b4a1266c4708e1d47be1d |
| SHA256 | c4c1d381f419731c848e4a20aef02a4436758935c9a274896228b9451956cc8e |
| SHA512 | be6c94d6015edae41fa0d6464c7dc5976adbc3617e02b293b9a39e645ec173071f1f282959ddf264a133ce3b3bb9c434eb2e65fc607136f11d8eb07538168ffc |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-processthreads-l1-1-1.dll
| MD5 | a6776c201baae1dd6f88048d7747d14c |
| SHA1 | 646119d2e440e6dad0ffb0fe449ab4fc27f09fbe |
| SHA256 | ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112 |
| SHA512 | a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-processthreads-l1-1-0.dll
| MD5 | abaabc1df36c7a0674f20fb83247fd71 |
| SHA1 | 345db0ffea0cb2531b79d464ad69347ac71ee2b9 |
| SHA256 | ba55f8481d8a9d225b8c430eb010f675250c5afa64d9eeb15ff31dc159a19f5a |
| SHA512 | 7c01b8f46e9fbe08784066a9df03723b3485fa714f22f4ab7e1cbe719b0a91ab1a5d597ef9d567836375de929ea9397ce0685f00b908f3d0aa4d0288eb59f7ba |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-processenvironment-l1-1-0.dll
| MD5 | 6d0762a2ba4263d0901ca7aaa0725c0c |
| SHA1 | e36d2d049116bd2d84121cdfa179098ac03650b4 |
| SHA256 | 2ee9434cc5f40f4514c7284e14b90db5c7a33000afda834d7c1dc063baa3d805 |
| SHA512 | 94616b2bfc0497ca2dbbc23c1aa4ecb04113a53d75fa570f6bb5e2561e5cdb940792e2cb290562133d226400c78d91377fdd312ba2858679084c66ff1ae9031d |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-namedpipe-l1-1-0.dll
| MD5 | 7e751952f122f4e8be1317087dc9dc71 |
| SHA1 | f65884c8cfbb8ad565b3df3a51af11b1617c7092 |
| SHA256 | d078a9a9958a7c816dea989bef24f32befc6651aea5e07f97a7b5d50df73f799 |
| SHA512 | 960922ac1309bdcf42d6900a0bea30d4096d1411ec6a97f328520d4a59f71fc04e6f4a7b8d2b346012530329f76897607369c8e1ed1fe9c589d7f7682987c043 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-memory-l1-1-0.dll
| MD5 | 41e0b7cb0eecba317cf321b1ada084d7 |
| SHA1 | 4ce1f13188fc00eb29c726717eae489c524c1c8a |
| SHA256 | db978830b1fbcc0521582a6a79864b0fd83179248fa374926c8097bc02cd6383 |
| SHA512 | f0961cde8dc83b845b2b91e42436ed8b42d2fb19caaabf49b300fa9cbbae9fab84009b4714c3899ab4a703315a135a61e508db29239d823a1cc11462ce6ffab7 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-localization-l1-2-0.dll
| MD5 | 4c26932f8f1f490017add31f5ec0a533 |
| SHA1 | 0da01a7c89b506fe3fd939344bb51b976efb3207 |
| SHA256 | dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23 |
| SHA512 | eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-libraryloader-l1-1-0.dll
| MD5 | 259b4186004bb41e706dd781e29f5c5b |
| SHA1 | 85751d31fe233ed51c46466f214f497d01be8d87 |
| SHA256 | b3ba83880986f2522d05a88c52fe69eda9c9fadbc5192a063e36bba777cc877f |
| SHA512 | f8a06252e96f40965668c978c4808305d424de698f47f420643d713751926636f2049dd34c8156ba5bbbf5a5b2f4d5c19a978cf27d3aaebd728d7a3de8f0afa2 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-interlocked-l1-1-0.dll
| MD5 | 0b65672b91c6a12d769dd777f810b149 |
| SHA1 | 2d527b45dcbe653a91e10365891c7e589f5e51e0 |
| SHA256 | c09eb307b2eb747b73c516267a99a23bb73204452326d41bdeb6f43598f6d62e |
| SHA512 | f090bb0b8f3616cf2d77ff25523bc823918e1452f626a1298c95003def1867c785566a4e85ccd7f5a20f14631caec5dd392777db2d00368c3fdf3597e0f51788 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-heap-l1-1-0.dll
| MD5 | 993b5bc35dac959bed58b77fe42ac77a |
| SHA1 | 2abad159cbab86ff423d6446143427daab751366 |
| SHA256 | b998ff8d173c34505e1d5984134282866de910b09919cf9a322fce760b75c80b |
| SHA512 | ca19e949dcc8460af53c9dad17995a0cbffd971bb731b7fcb53bb9384d227357926231c9fadfaa5aef09055bebae9d5c23ee73eb6eca04d6a52a3df0847e10ab |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-handle-l1-1-0.dll
| MD5 | 4166d703abc9c6de65d5b269d3a5425e |
| SHA1 | 16bcd7191312b94bdf38368d188e5a5cc479a36c |
| SHA256 | 0a351c2a2889a42886017e7dbcf75f45e3cb24d2f55e72205624272487e4a056 |
| SHA512 | f722dba410cab727c753e9cce0bc47663e22f45828f5df0bac5bd6331497a2f15f6d9330b5203d3ff735f1ce6397e63c1b21d3ea6c5ceab817b5f83ec296882b |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-file-l2-1-0.dll
| MD5 | 50abf0a7ee67f00f247bada185a7661c |
| SHA1 | 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1 |
| SHA256 | f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7 |
| SHA512 | c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-file-l1-2-0.dll
| MD5 | 4a060eec454c222a5381cd359dc00b81 |
| SHA1 | 21e1bc115d04a74779e955ea16a16bd71454d9bb |
| SHA256 | e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df |
| SHA512 | 16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-file-l1-1-0.dll
| MD5 | 4b328f140a3ae7fedb21ca50cc23d938 |
| SHA1 | 9e71b4c2cf030a644d2050188c4b77e638c0ee14 |
| SHA256 | e55b200643e8b078e7f5eb0c97de44fead21b11d06590ebedbcb84214d063345 |
| SHA512 | 4c349f45ca4db4f1247aa405e5627f22b7ccfe66234d8d970475e71471ebb251f7a0f781a33d0e4ec893f86653b0a1c8508adf576e923d0ce86b43f552204614 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-fibers-l1-1-0.dll
| MD5 | 201ff3cd2ffe7d222f46574d4ac40a70 |
| SHA1 | b43f19bbb8fd1c8aa05ba67dea38a7785dbe57b6 |
| SHA256 | b83a71978215fdba477c4ea61340168947a1021324d118e6b7159054985f2d1a |
| SHA512 | 3f99d7b501c1db470a6d91af856ebbede05522acb5763d928f4fb28c74db2339b46df108745ed8ebd8c6c1298d9495358c245d188f055638b0d6dd568fa596d2 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-errorhandling-l1-1-0.dll
| MD5 | 12ea48ce605ebb204a21ae7d86db3417 |
| SHA1 | 5fb0ff9ba4105cd76ee4470ae4cad0a39ae68c66 |
| SHA256 | 189bbbd739526a986e53518865e741cde8c5967aacd5ed687408cec3d8781f1c |
| SHA512 | 39b486fb72c9dff4e391673a872e957dbf0545d4d26914d0b0a475624e40b4feec3a9a17549e87ba806b1a90bf6f7784a187c506daa1db5201561cef90ff6e81 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-debug-l1-1-0.dll
| MD5 | 7ad2034acd0f296fe9eed320e5ad7591 |
| SHA1 | fe1b217e3f4567905968f7a3d48a7611e3cf3f7b |
| SHA256 | 0d859a866d1bcefe1a1bc5adb88dcf2765567ecc31dfb4e472b512d033d88bb4 |
| SHA512 | 06d017b0ef9d081bc627f7f33d51ef2fe64e2cc5023204771032c4ed7bf26c0c6106b69d78f7bdd880fa59e8e4048b2da8848784bc92d7780155df140c952420 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-datetime-l1-1-0.dll
| MD5 | 854458ad55c39a9dfd1e350a51be02b8 |
| SHA1 | 5013cf58de5a0b55e026ace967e9842b3b131c2a |
| SHA256 | f918b0c45f59b2cb29f1eb3653d2f2679095e85e082a1198c933a76edf1f33ef |
| SHA512 | faa41a5031033f7e86efebc47777f915e95617f4b05d93833066c206d9c092855d8072c7bd142898f5a2bd1f94b646d98933302ddeb5a9ca0d5930c7b2241b98 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\api-ms-win-core-console-l1-1-0.dll
| MD5 | 9313c86e7bae859f0174a1c8b6aba58b |
| SHA1 | dce67fd1da5da8dc4ba406c544e55a83d6536cc9 |
| SHA256 | af9675ac90bae8a0d8623f6fdaff9d39e1b8810e8e46a5b044baaa3396e745b3 |
| SHA512 | 2ec64fce4a86bc52dc6c485fd94d203020617df92698ca91ae25c4901984899e21c7dd92881ec52d6850edfa547701aab9b0cd1b8d076e6779b1a13324cdd3a4 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\libffi-8.dll
| MD5 | decbba3add4c2246928ab385fb16a21e |
| SHA1 | 5f019eff11de3122ffa67a06d52d446a3448b75e |
| SHA256 | 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d |
| SHA512 | 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\_ctypes.pyd
| MD5 | b4c41a4a46e1d08206c109ce547480c7 |
| SHA1 | 9588387007a49ec2304160f27376aedca5bc854d |
| SHA256 | 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9 |
| SHA512 | 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33 |
C:\Users\Admin\AppData\Local\Temp\_MEI35282\base_library.zip
| MD5 | 3b3654276bbb89fcba4df6a0a0fad8d6 |
| SHA1 | 668cd7e62cb6449e820ce1c24484e7ab9c4ca9a4 |
| SHA256 | de67ef0597974ce98ac33c99d230f370284031ef62249d55c5d6210066874938 |
| SHA512 | ecade71b589213ba9bcf8f997e4ab1d1c7c2c78fb88d5f2d562f376986c005e9b98ffdbbd0988f6b5f50adff4cc46be1c076b377a6e6152014d5552effec4973 |
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hmf5xp54.ddw.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |