Analysis Overview
SHA256
51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
Threat Level: Known bad
The file RippleSpoofer.exe was found to be: Known bad.
Malicious Activity Summary
Cerber
Exela Stealer
Cerber family
Exelastealer family
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Modifies Windows Firewall
Downloads MZ/PE file
A potential corporate email address has been identified in the URL: httpswww.youtube.com@ripple9cbrd1
Reads user/profile data of web browsers
Checks computer location settings
Themida packer
Clipboard Data
Loads dropped DLL
Executes dropped EXE
Checks BIOS information in registry
Checks whether UAC is enabled
Network Service Discovery
Legitimate hosting services abused for malware hosting/C2
Looks up external IP address via web service
Suspicious use of NtSetInformationThreadHideFromDebugger
Hide Artifacts: Hidden Files and Directories
UPX packed file
Enumerates processes with tasklist
Drops file in Windows directory
Launches sc.exe
Detects Pyinstaller
System Location Discovery: System Language Discovery
Permission Groups Discovery: Local Groups
System Network Connections Discovery
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Browser Information Discovery
System Network Configuration Discovery: Wi-Fi Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
Runs net.exe
Collects information from the system
Modifies registry class
Suspicious use of WriteProcessMemory
Gathers network information
Suspicious behavior: LoadsDriver
Kills process with taskkill
Modifies data under HKEY_USERS
Suspicious behavior: EnumeratesProcesses
Suspicious use of SendNotifyMessage
Enumerates system info in registry
Gathers system information
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Views/modifies file attributes
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-12-08 02:56
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-08 02:56
Reported
2024-12-08 02:59
Platform
win10v2004-20241007-en
Max time kernel
196s
Max time network
189s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{75809EB7-1411-4909-8541-AEB8DDC25FB5} | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{6DAB8BC6-63F2-4538-B2CB-44FAFCCC61E0} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3d8 0x2b4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Qt5NMSgdzU
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempAppFiles\cleaner.bat" "
C:\Windows\system32\chcp.com
chcp 65001
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
C:\Windows\system32\mode.com
mode con: cols=70 lines=18
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5560 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6152 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1492 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6628 /prefetch:2
Network
Files
| MD5 | a026022a1eb610b9e54ea896aaad1755 |
| SHA1 | 700f99ae74526a23236062e75bda3af0e5880911 |
| SHA256 | c35d43b124a667e4d0c19695b00e25dd17c3ddeaea145e560190fbdcfddcb2c8 |
| SHA512 | 1c2c15e08c9d0954fbb370e30717dc3f472e5be3d10c0f35b6d9ac8e9c9e3155695226332de2b128a68b4c004eba84994447368a8f9daba5d8e905567ee1b052 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | af62db1f7d850a806a055986b1c35c41 |
| SHA1 | fa5030ab4f575ac816adf9e929f1863716d2604d |
| SHA256 | b34d600ad80cb5abe41b9566dd9a3123635dbc35b870107ee02914c7c48bd592 |
| SHA512 | abf770f262d629ee223b9da134bc888f303d76b652debb18f0338b5434291c7f1e7209972734a031324dc8e57228a7d5d79adef2240f5cd76576052cd1cc0dba |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-08 02:56
Reported
2024-12-08 02:59
Platform
win10ltsc2021-20241023-en
Max time kernel
161s
Max time network
162s
Command Line
Signatures
Cerber
| Description | Indicator | Process | Target |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Mutant created | AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE | N/A |
The AMIDEWINx64.EXE row is repeated verbatim 22 times before and 19 times after the taskkill.exe row in the original report; the repeats are collapsed here. Note that the only Cerber indicator in this run is that mutant, and the process creating it is the dropped AMI DMI-editing utility AMIDEWINx64.EXE (see the spoof.bat invocations under Processes), so the Cerber family label rests solely on a mutex created by a firmware tool and should be confirmed against other evidence before it is relied on.
Cerber family
Exela Stealer
Exelastealer family
Grants admin privileges
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Downloads MZ/PE file
Modifies Windows Firewall
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
A potential corporate email address has been identified in the URL: httpswww.youtube.com@ripple9cbrd1 (false positive: the matched string is the channel URL https://www.youtube.com/@ripple9 that msedge.exe is launched with, see Processes; the "@" there introduces a YouTube handle in the path, not a mailbox, and the trailing "cbrd1" is not explained by any command line on this page)
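The signature above shows how a URL heuristic that strips ":" and "/" turns a path handle into something that looks like user@host. The check a practitioner actually wants is the opposite one: is the "@" in the userinfo part, so that the browser connects to the host after it? The following is an added example, not part of the sandbox report; the allowlist and the https://www.youtube.com@198.51.100.7/ sample are constructed, while the channel URL is the one from the msedge.exe command line under Processes.

```python
"""Tell a '@' in a URL's userinfo from a '@' in its path.

Added example, not from the sandbox report. The signature above matched the
channel URL https://www.youtube.com/@ripple9 (see the msedge.exe command line
under Processes), where '@ripple9' is a path segment. The case worth alerting
on is https://www.youtube.com@198.51.100.7/ (constructed), where everything
before '@' is userinfo and the browser connects to the host after it.
"""
from urllib.parse import urlsplit

TRUSTED_HOSTS = {"www.youtube.com", "youtube.com", "discord.com"}  # assumed allowlist


def classify_at_sign(url):
    """Return (where, effective_host); where is 'userinfo', 'path' or 'none'."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.username is not None:          # '@' parsed as userinfo@host
        return "userinfo", host
    if "@" in parts.path or "@" in parts.query or "@" in parts.fragment:
        return "path", host
    return "none", host


def is_host_spoof(url, trusted=TRUSTED_HOSTS):
    """True when a trusted hostname appears as userinfo in front of a
    different host, the classic 'https://trusted.example@attacker/' trick."""
    parts = urlsplit(url)
    if parts.username is None:
        return False
    user = parts.username.lower()
    host = (parts.hostname or "").lower()
    return user in trusted and host not in trusted


if __name__ == "__main__":
    for u in ("https://www.youtube.com/@ripple9",
              "https://www.youtube.com@198.51.100.7/"):
        print(u, classify_at_sign(u), is_host_spoof(u))
```

The split is done by urllib's parser rather than by a regex so that the userinfo boundary is the same one a browser's URL parser uses; a handle in the path is never reported as a credential.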
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Clipboard Data
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Network Service Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
| N/A | N/A | C:\Windows\system32\ARP.EXE | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
Hide Artifacts: Hidden Files and Directories
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(64 identical rows in the original report, none carrying an indicator or process; collapsed here.)
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Logs\CBS\CBS.log | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
| File opened for modification | C:\Windows\CbsTemp | C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe | N/A |
Launches sc.exe
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\sc.exe | N/A |
Browser Information Discovery
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Permission Groups Discovery: Local Groups
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
System Network Connections Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Collects information from the system
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\system32\NETSTAT.EXE | N/A |
Gathers system information
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\systeminfo.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" | C:\Windows\system32\LogonUI.exe | N/A |
| Key created | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (data) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 | C:\Windows\system32\LogonUI.exe | N/A |
| Set value (int) | \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" | C:\Windows\system32\LogonUI.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{3700ADE7-DCBA-437E-B136-085372B91936} | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
(41 identical rows in the original report, none carrying an indicator or process; collapsed here.)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\LogonUI.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4d4 0x3d4
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@ripple9
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x48,0x110,0x90,0x7ff8baf546f8,0x7ff8baf54708,0x7ff8baf54718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\SYSTEM32\taskkill.exe
"taskkill" /F /IM explorer.exe
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""
C:\Windows\system32\attrib.exe
attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist"
C:\Windows\system32\tasklist.exe
tasklist
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 1956
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3556"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3556
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 664"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 664
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2952"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2952
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2752"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2752
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3856"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3856
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3844"
C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3844
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\system32\cmd.exe
cmd.exe /c chcp
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe Get-Clipboard
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\chcp.com
chcp
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"
C:\Windows\system32\systeminfo.exe
systeminfo
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv 4eXnmB1hKEiR3Nmy1O6StA.0.2
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding
C:\Windows\system32\HOSTNAME.EXE
hostname
C:\Windows\System32\Wbem\WMIC.exe
wmic logicaldisk get caption,description,providername
C:\Windows\system32\net.exe
net user
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user
C:\Windows\system32\query.exe
query user
C:\Windows\system32\quser.exe
"C:\Windows\system32\quser.exe"
C:\Windows\system32\net.exe
net localgroup
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\system32\net.exe
net localgroup administrators
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 localgroup administrators
C:\Windows\system32\net.exe
net user guest
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user guest
C:\Windows\system32\net.exe
net user administrator
C:\Windows\system32\net1.exe
C:\Windows\system32\net1 user administrator
C:\Windows\System32\Wbem\WMIC.exe
wmic startup get caption,command
C:\Windows\system32\tasklist.exe
tasklist /svc
C:\Windows\system32\ipconfig.exe
ipconfig /all
C:\Windows\system32\ROUTE.EXE
route print
C:\Windows\system32\ARP.EXE
arp -a
C:\Windows\system32\NETSTAT.EXE
netstat -ano
C:\Windows\system32\sc.exe
sc query type= service state= all
C:\Windows\system32\netsh.exe
netsh firewall show state
C:\Windows\system32\netsh.exe
netsh firewall show config
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempAppFiles\spoof.bat""
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /ID 01/29/2023
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SV vmVN8iZ5yQbIv6M
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SS JO1u5oOsLErmoac
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SF ABrmfFrA1p3LsdU
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SU AUTO
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SK Rz61XB17YrkAGjd
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SF qrY6Ar04AGTD6zv
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BV Ds10My4or5r2UNM
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BS tOdl0QAd3RCTKhR
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BT Ct96DgixOvmtOZa
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BLC lzDyaah2e7KXr9x
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CV kPRV0kKIRXSlfLc
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CS WTrxdou87yXJi82
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CM 2P5VOmV5ADey7sx
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CA Ux1Yeg0CEmHqGHX
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSK HvaPGxbKG7foq6i
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PSN dVWLvYTlaO89ubk
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PAT GZJXvXYzZ6q50d4
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /PPN Y3g6suxNDuzF7Fg
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BSH 3 E7BHNOc9hBp4ahH
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BMH 3 lWEZezjxH1bTMqc
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BPH 3 mbtkQ9lsu15SfMN
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BVH 3 XeWzaEx3WZTmbwd
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSH 4 6MtxZSd1sXjyQYI
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CMH 4 hxWAyA0XaOd8BTf
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CVH 4 KKg2vSYOCQTEZYX
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CAH 4 yby8RPNckuuQmgV
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /CSKH 4 T2yoqw04vJvq383
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BTH 3 sDnh5qTnhdEJtNx
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BLCH 3 GkZiyuJYnqB2q4j
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IVN soStYSPmk8qPjhu
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /IV 1.6.7
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SM 0Wf3eu602hxrrTs
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SP O4T6YxYqppaqii9
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BM X9k6krQ1Zt33mAx
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /BP JwuVVwtcGpuqcet
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /SCO 1 yseWoolbVGPGQ36
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 1 gNoqCeijA1XPgKx
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 3 JkxNCBSrK2ZVs5m
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 4 4OprouoJ9uvWZ0H
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE
AMIDEWINx64.EXE /OS 5 el7n7zPaO5dgGhX
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE"
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE
"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE"
C:\Windows\System32\shutdown.exe
"C:\Windows\System32\shutdown.exe" /r /t 0
C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39e8055 /state1:0x41c64e6d
Network
Files
memory/3968-253-0x00007FF8D2C10000-0x00007FF8D2C34000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI39442\_ctypes.pyd
| MD5 | b4c41a4a46e1d08206c109ce547480c7 |
| SHA1 | 9588387007a49ec2304160f27376aedca5bc854d |
| SHA256 | 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9 |
| SHA512 | 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33 |
C:\Users\Admin\AppData\Local\Temp\_MEI39442\base_library.zip
| MD5 | 3b3654276bbb89fcba4df6a0a0fad8d6 |
| SHA1 | 668cd7e62cb6449e820ce1c24484e7ab9c4ca9a4 |
| SHA256 | de67ef0597974ce98ac33c99d230f370284031ef62249d55c5d6210066874938 |
| SHA512 | ecade71b589213ba9bcf8f997e4ab1d1c7c2c78fb88d5f2d562f376986c005e9b98ffdbbd0988f6b5f50adff4cc46be1c076b377a6e6152014d5552effec4973 |
memory/3968-355-0x00007FF8D2380000-0x00007FF8D2394000-memory.dmp
memory/3968-394-0x00007FF8D22F0000-0x00007FF8D2312000-memory.dmp
memory/3968-395-0x00007FF8D80A0000-0x00007FF8D80AD000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2etr05wj.gcj.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/3968-411-0x00007FF8C9CF0000-0x00007FF8C9E0C000-memory.dmp
memory/3968-413-0x00007FF8D22D0000-0x00007FF8D22EB000-memory.dmp
memory/3968-414-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp
memory/3968-416-0x00007FF8D2130000-0x00007FF8D2162000-memory.dmp
memory/3968-415-0x00007FF8D2170000-0x00007FF8D21BD000-memory.dmp
memory/3968-454-0x00007FF8D80A0000-0x00007FF8D80AD000-memory.dmp
memory/3968-453-0x00007FF8D1FC0000-0x00007FF8D1FF7000-memory.dmp
memory/3968-455-0x00007FF8C7B50000-0x00007FF8C834B000-memory.dmp
memory/3968-446-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp
memory/3968-437-0x00007FF8C95C0000-0x00007FF8C9935000-memory.dmp
memory/3968-440-0x00007FF8D23C0000-0x00007FF8D23D2000-memory.dmp
memory/3968-439-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp
memory/3968-438-0x00007FF8C9E10000-0x00007FF8C9EC8000-memory.dmp
memory/3968-436-0x00007FF8D23E0000-0x00007FF8D240E000-memory.dmp
memory/3968-435-0x00007FF8C9ED0000-0x00007FF8CA043000-memory.dmp
memory/3968-428-0x00007FF8D2C10000-0x00007FF8D2C34000-memory.dmp
memory/3968-427-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp
memory/3968-476-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp
memory/3968-469-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp
memory/3968-457-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp
memory/3968-552-0x00007FF8D2380000-0x00007FF8D2394000-memory.dmp
memory/3968-567-0x00007FF8D2020000-0x00007FF8D202A000-memory.dmp
memory/3968-569-0x00007FF8D2000000-0x00007FF8D201E000-memory.dmp
memory/3968-568-0x00007FF8C95C0000-0x00007FF8C9935000-memory.dmp
memory/3968-572-0x00007FF8D80A0000-0x00007FF8D80AD000-memory.dmp
memory/3968-571-0x00007FF8D1FC0000-0x00007FF8D1FF7000-memory.dmp
memory/3968-570-0x00007FF8C7B50000-0x00007FF8C834B000-memory.dmp
memory/3968-566-0x00007FF8D2130000-0x00007FF8D2162000-memory.dmp
memory/3968-565-0x00007FF8D2170000-0x00007FF8D21BD000-memory.dmp
memory/3968-564-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp
memory/3968-563-0x00007FF8D22D0000-0x00007FF8D22EB000-memory.dmp
memory/3968-562-0x00007FF8C9CF0000-0x00007FF8C9E0C000-memory.dmp
memory/3968-561-0x00007FF8D22F0000-0x00007FF8D2312000-memory.dmp
memory/3968-560-0x00007FF8D2410000-0x00007FF8D2433000-memory.dmp
memory/3968-559-0x00007FF8D23A0000-0x00007FF8D23B4000-memory.dmp
memory/3968-558-0x00007FF8D23C0000-0x00007FF8D23D2000-memory.dmp
memory/3968-557-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp
memory/3968-556-0x00007FF8C9E10000-0x00007FF8C9EC8000-memory.dmp
memory/3968-555-0x00007FF8D2290000-0x00007FF8D22A1000-memory.dmp
memory/3968-554-0x00007FF8D23E0000-0x00007FF8D240E000-memory.dmp
memory/3968-553-0x00007FF8C9ED0000-0x00007FF8CA043000-memory.dmp
memory/3968-551-0x00007FF8D2440000-0x00007FF8D246D000-memory.dmp
memory/3968-550-0x00007FF8D2BD0000-0x00007FF8D2BE9000-memory.dmp
memory/3968-549-0x00007FF8D8000000-0x00007FF8D800D000-memory.dmp
memory/3968-548-0x00007FF8D2BF0000-0x00007FF8D2C09000-memory.dmp
memory/3968-547-0x00007FF8D8010000-0x00007FF8D801F000-memory.dmp
memory/3968-546-0x00007FF8D2C10000-0x00007FF8D2C34000-memory.dmp
memory/3968-545-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp
memory/2352-596-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp
memory/2352-597-0x0000000000A40000-0x00000000026C0000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-12-08 02:56
Reported
2024-12-08 03:26
Platform
win11-20241007-en
Max time kernel
1790s
Max time network
1770s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
Browser Information Discovery
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{DF6B8E13-EE6C-43B8-BF8D-C3FBC3C6BF78} | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{E4DE1913-B4EC-4A44-A4C2-784489BD059C} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C0
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Qt5NMSgdzU
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd309c3cb8,0x7ffd309c3cc8,0x7ffd309c3cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3532 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3768 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5768 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.dropbox.com | udp |
| GB | 162.125.64.18:443 | www.dropbox.com | tcp |
| GB | 162.125.64.15:443 | uc82265aa1bf70b82034d0969a7c.dl.dropboxusercontent.com | tcp |
| US | 8.8.8.8:53 | discord.gg | udp |
| US | 162.159.136.234:443 | discord.gg | tcp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | tcp |
| US | 35.190.80.1:443 | a.nel.cloudflare.com | udp |
| N/A | 224.0.0.251:5353 | N/A | udp |
Files
memory/1772-0-0x00000000006B0000-0x0000000002330000-memory.dmp
memory/1772-1-0x00007FFD5626A000-0x00007FFD5626B000-memory.dmp
memory/1772-2-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp
memory/1772-3-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp
memory/1772-4-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp
memory/1772-6-0x00000000006B0000-0x0000000002330000-memory.dmp
memory/1772-7-0x00000000006B0000-0x0000000002330000-memory.dmp
memory/1772-9-0x0000024623E50000-0x0000024623E51000-memory.dmp
memory/1772-10-0x000002463ECE0000-0x000002463ED92000-memory.dmp
memory/1772-11-0x00000000006B0000-0x0000000002330000-memory.dmp
memory/1772-12-0x00007FFD5626A000-0x00007FFD5626B000-memory.dmp
memory/1772-13-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp
memory/1772-14-0x000002463EFC0000-0x000002463EFE2000-memory.dmp
memory/1772-15-0x000002463F030000-0x000002463F244000-memory.dmp
memory/1772-18-0x000002463FE40000-0x000002463FE74000-memory.dmp
memory/1772-19-0x000002463FE70000-0x000002463FE8A000-memory.dmp
memory/1772-21-0x000002463F560000-0x000002463F574000-memory.dmp
memory/1772-20-0x000002463F550000-0x000002463F558000-memory.dmp
memory/1772-23-0x000002463FE90000-0x000002463FEC2000-memory.dmp
memory/1772-26-0x000002463FED0000-0x000002463FF16000-memory.dmp
memory/1772-28-0x000002463FF60000-0x000002463FF7E000-memory.dmp
memory/1772-29-0x000002463FF80000-0x000002463FF8B000-memory.dmp
memory/1772-27-0x000002463FF50000-0x000002463FF5D000-memory.dmp
memory/1772-30-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 051a939f60dced99602add88b5b71f58 |
| SHA1 | a71acd61be911ff6ff7e5a9e5965597c8c7c0765 |
| SHA256 | 2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10 |
| SHA512 | a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f |
\??\pipe\LOCAL\crashpad_1992_DNURZWDCIOEEBKGX
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | 003b92b33b2eb97e6c1a0929121829b8 |
| SHA1 | 6f18e96c7a2e07fb5a80acb3c9916748fd48827a |
| SHA256 | 8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54 |
| SHA512 | 18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 5a326674e6aff0a91291434bc35ecd23 |
| SHA1 | 995a3afa79206d577ddc0811420a7a93d1027cdd |
| SHA256 | 6f0486475fd5e98b60d25f8bcad7f0ae9480a855b8ca87e59ec117693bf62b92 |
| SHA512 | faf2c777887b712fdd297effae6f0c0418f46de791afcb38256b9ab99a119b140741f392015bc3e84128914f1411442c07091c8c6ded8f6595ab0577a48f3b9c |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 6752a1d65b201c13b62ea44016eb221f |
| SHA1 | 58ecf154d01a62233ed7fb494ace3c3d4ffce08b |
| SHA256 | 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd |
| SHA512 | 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | 15468e1db5b44a83d531e9fd6cb0ca8c |
| SHA1 | 30a27fda01fef7706f12e5dfc64b494d75e2a227 |
| SHA256 | 0cc18bf9f60d11612e0c1afff676763e4c886dac618637f27148c7a1b56671e5 |
| SHA512 | de86450e9ec259c45c2f0ad6de63f3ee72115bdf78b9543e7dc671a8488bd1824a00e129d35335dc16219281061fb5324ff7b95184559146120008e92d3c0527 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | fe3a905fe1830565955d73db59f30f16 |
| SHA1 | 67fad75e048fb6f50a26c1dd6bd7f47cb3222546 |
| SHA256 | 66ea10051aaba5527da7c341a22b405c549d8866a0cb514f38081414dd83d78b |
| SHA512 | 76e65b1cbac524cba3ff0455e58e71f3e1602e48dd83b339feda8f3294a461121b01fcf51cd76a69de875c5e5a920f8e6dbadedb857650ecb0dd35a72ffff159 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | 2ae94c806fa6c7ca409c21bb0e35ce59 |
| SHA1 | 6cfb69dd603ab24b93b71abfccc2166d94599df3 |
| SHA256 | e42eda301d3bdcef3d62edef466763c169fd79e9bb49a7090ef99fcde8b3666e |
| SHA512 | fe204124347debd9d9f9a424ddd2d81a1444b5337d5bc5e099f98cefff783460efcc5f8563ad376361ef0f5b93b5f3f9f72a9d35d27de69fc5baaacc06c9da88 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
| MD5 | 6d6bf36b98e64069d4f73a1dd35b1b64 |
| SHA1 | 390bf7f93308fbfe005e298f39f664fdb35a8708 |
| SHA256 | 2921102d2301c87be9c6d1970b47a4e3744a6ca085f81ea2e97d9645f539dd50 |
| SHA512 | 8591c03430c86ee1ec14e8d6f20c29087e5096597cc01bd57dfe35394fc8ca6fbc2866f5915270b47fc43f85164804feb8532c6401c1639843dbba1a75f6759d |