Malware Analysis Report

2025-01-02 14:51

Sample ID 241208-de16catqdl
Target RippleSpoofer.exe
SHA256 51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
Tags
themida discovery evasion trojan cerber exelastealer collection defense_evasion persistence phishing privilege_escalation pyinstaller ransomware spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

Threat Level: Known bad

The file RippleSpoofer.exe was found to be: Known bad.

Malicious Activity Summary

themida discovery evasion trojan cerber exelastealer collection defense_evasion persistence phishing privilege_escalation pyinstaller ransomware spyware stealer upx

Cerber

Exela Stealer

Cerber family

Exelastealer family

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Modifies Windows Firewall

Downloads MZ/PE file

A potential corporate email address has been identified in the URL: httpswww.youtube.com@ripple9cbrd1

Reads user/profile data of web browsers

Checks computer location settings

Themida packer

Clipboard Data

Loads dropped DLL

Executes dropped EXE

Checks BIOS information in registry

Checks whether UAC is enabled

Network Service Discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Suspicious use of NtSetInformationThreadHideFromDebugger

Hide Artifacts: Hidden Files and Directories

UPX packed file

Enumerates processes with tasklist

Drops file in Windows directory

Launches sc.exe

Detects Pyinstaller

System Location Discovery: System Language Discovery

Permission Groups Discovery: Local Groups

System Network Connections Discovery

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Browser Information Discovery

System Network Configuration Discovery: Wi-Fi Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Runs net.exe

Collects information from the system

Modifies registry class

Suspicious use of WriteProcessMemory

Gathers network information

Suspicious behavior: LoadsDriver

Kills process with taskkill

Modifies data under HKEY_USERS

Suspicious behavior: EnumeratesProcesses

Suspicious use of SendNotifyMessage

Enumerates system info in registry

Gathers system information

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Views/modifies file attributes

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-12-08 02:56

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-12-08 02:56

Reported

2024-12-08 02:59

Platform

win10v2004-20241007-en

Max time kernel

196s

Max time network

189s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{75809EB7-1411-4909-8541-AEB8DDC25FB5} C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3227495264-2217614367-4027411560-1000\{6DAB8BC6-63F2-4538-B2CB-44FAFCCC61E0} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1480 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1480 wrote to memory of 4028 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 1064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 1064 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 3228 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 2200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 2200 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4028 wrote to memory of 856 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3d8 0x2b4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2876 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5164 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5304 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Qt5NMSgdzU

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3432 /prefetch:1

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempAppFiles\cleaner.bat" "

C:\Windows\system32\chcp.com

chcp 65001

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

C:\Windows\system32\mode.com

mode con: cols=70 lines=18

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5896 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5912 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5560 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6152 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb67d46f8,0x7ffdb67d4708,0x7ffdb67d4718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6300 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5256 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5800 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6444 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5280 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1492 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2116,5806433600048573064,11856635482725133387,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6628 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 182.129.81.91.in-addr.arpa udp
US 8.8.8.8:53 138.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 uc886fb88901ce097047f641f282.dl.dropboxusercontent.com udp
US 8.8.8.8:53 18.64.125.162.in-addr.arpa udp
GB 162.125.64.15:443 uc886fb88901ce097047f641f282.dl.dropboxusercontent.com tcp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 8.8.8.8:53 justpaste.it udp
PL 83.168.108.45:443 justpaste.it tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
PL 83.168.108.45:443 justpaste.it tcp
US 8.8.8.8:53 stats.justpaste.it udp
PL 83.168.108.85:443 stats.justpaste.it tcp
US 8.8.8.8:53 85.108.168.83.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 storage.bunnycdn.com udp
DE 109.61.89.54:443 storage.bunnycdn.com tcp
US 8.8.8.8:53 discord.gg udp
US 162.159.133.234:443 discord.gg tcp
US 162.159.133.234:443 discord.gg tcp
US 8.8.8.8:53 discord.com udp
US 8.8.8.8:53 54.89.61.109.in-addr.arpa udp
US 8.8.8.8:53 234.133.159.162.in-addr.arpa udp
US 162.159.136.232:443 discord.com tcp
US 8.8.8.8:53 232.136.159.162.in-addr.arpa udp
US 8.8.8.8:53 a.nel.cloudflare.com udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 1.80.190.35.in-addr.arpa udp
US 8.8.8.8:53 133.130.81.91.in-addr.arpa udp
US 8.8.8.8:53 86.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 justpaste.it udp
PL 83.168.108.45:443 justpaste.it tcp
US 8.8.8.8:53 stats.justpaste.it udp
PL 83.168.108.85:443 stats.justpaste.it tcp
DE 109.61.89.54:443 storage.bunnycdn.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
US 8.8.8.8:53 streamable.com udp
US 151.101.129.63:443 streamable.com tcp
US 151.101.129.63:443 streamable.com tcp
US 8.8.8.8:53 ui-statics-cf.streamable.com udp
FR 13.249.9.22:443 ui-statics-cf.streamable.com tcp
FR 13.249.9.22:443 ui-statics-cf.streamable.com tcp
FR 13.249.9.22:443 ui-statics-cf.streamable.com tcp
FR 13.249.9.22:443 ui-statics-cf.streamable.com tcp
FR 13.249.9.22:443 ui-statics-cf.streamable.com tcp
FR 13.249.9.22:443 ui-statics-cf.streamable.com tcp
US 8.8.8.8:53 63.129.101.151.in-addr.arpa udp
US 8.8.8.8:53 22.9.249.13.in-addr.arpa udp
US 8.8.8.8:53 133.66.101.151.in-addr.arpa udp
US 8.8.8.8:53 72.204.58.216.in-addr.arpa udp
US 8.8.8.8:53 38.201.222.52.in-addr.arpa udp
US 8.8.8.8:53 api-f.streamable.com udp
US 8.8.8.8:53 socket.streamable.com udp
US 151.101.1.95:443 api-f.streamable.com tcp
US 52.45.107.72:443 socket.streamable.com tcp
US 8.8.8.8:53 region1.google-analytics.com udp
US 216.239.32.36:443 region1.google-analytics.com tcp
US 8.8.8.8:53 statics.streamable.com udp
US 8.8.8.8:53 cdn-cf-east.streamable.com udp
GB 143.244.38.136:443 statics.streamable.com tcp
FR 3.165.113.89:443 cdn-cf-east.streamable.com tcp
US 151.101.1.95:443 api-f.streamable.com tcp
US 8.8.8.8:53 crt.rootg2.amazontrust.com udp
FR 3.164.163.127:80 crt.rootg2.amazontrust.com tcp
FR 3.164.163.127:80 crt.rootg2.amazontrust.com tcp
US 8.8.8.8:53 95.1.101.151.in-addr.arpa udp
US 8.8.8.8:53 72.107.45.52.in-addr.arpa udp
US 8.8.8.8:53 36.32.239.216.in-addr.arpa udp
US 8.8.8.8:53 136.38.244.143.in-addr.arpa udp
US 8.8.8.8:53 89.113.165.3.in-addr.arpa udp
US 8.8.8.8:53 127.163.164.3.in-addr.arpa udp
US 8.8.8.8:53 socket.streamable.com udp
US 34.195.223.21:443 socket.streamable.com tcp
US 8.8.8.8:53 21.223.195.34.in-addr.arpa udp

Files

memory/1480-0-0x0000000000DE0000-0x0000000002A60000-memory.dmp

memory/1480-3-0x00007FFDDD3D0000-0x00007FFDDD3D2000-memory.dmp

memory/1480-4-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-2-0x00007FFD80030000-0x00007FFD80031000-memory.dmp

memory/1480-1-0x00007FFD80000000-0x00007FFD80002000-memory.dmp

memory/1480-6-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-7-0x0000000000DE0000-0x0000000002A60000-memory.dmp

memory/1480-8-0x0000000000DE0000-0x0000000002A60000-memory.dmp

memory/1480-10-0x0000020B6BF20000-0x0000020B6BF21000-memory.dmp

memory/1480-11-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-12-0x0000000000DE0000-0x0000000002A60000-memory.dmp

memory/1480-13-0x0000020B6F600000-0x0000020B6F6B2000-memory.dmp

memory/1480-15-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-16-0x0000020B6F8A0000-0x0000020B6F8C2000-memory.dmp

memory/1480-17-0x0000020B6F930000-0x0000020B6FB44000-memory.dmp

memory/1480-18-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-21-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-22-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-23-0x0000020B70770000-0x0000020B707A4000-memory.dmp

memory/1480-24-0x0000020B707C0000-0x0000020B707DA000-memory.dmp

memory/1480-26-0x0000020B707B0000-0x0000020B707C4000-memory.dmp

memory/1480-25-0x0000020B707A0000-0x0000020B707A8000-memory.dmp

memory/1480-28-0x0000020B707E0000-0x0000020B70812000-memory.dmp

memory/1480-30-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-32-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

memory/1480-33-0x00007FFDDD330000-0x00007FFDDD525000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 36988ca14952e1848e81a959880ea217
SHA1 a0482ef725657760502c2d1a5abe0bb37aebaadb
SHA256 d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6
SHA512 d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

\??\pipe\LOCAL\crashpad_4028_YMDHNHORYKWHYPEM

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 fab8d8d865e33fe195732aa7dcb91c30
SHA1 2637e832f38acc70af3e511f5eba80fbd7461f2c
SHA256 1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea
SHA512 39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 ca8e3cfc5d52a9a1412718addce860aa
SHA1 8ea69b356cfb9612fbadc9d44ffdc8333df8acca
SHA256 b617a29c819f6f5ceba2e04d842901d1f779bb0bc9cbb422c13d884ee0416242
SHA512 ebe6f8ef30bf1c06037c723a4f1f2ca6667ae1eae8b07e15695d5fd2592833c8207e7fe3f5a221dde31f43653c4c33198da8a1f78c3e1c2cf9e70c7db6cf684b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 2355202485d7db90fcfec87775a3881d
SHA1 a6df1fdce608fe5cb6df5dde70ac95197861c557
SHA256 04faee146680fd239fa18e4e149ae523e86203ea11a265ae47af9267ffc7b73e
SHA512 80a45655dade0c84f2eba0fa7c5e2c20ce428d24d36fa22aa88a65ff3ab640a709c1da5fe4b2c2fc1b15c1a2434f10b18001b982802fbb15a7e6daf1dae938e6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 bbcf2e68c41c5ea17630903542f4f8d3
SHA1 d0b1ad10cfaa179d7da89d46173ba4d8bd2042ad
SHA256 26bcc98fb844ff0645ba9e53b2ea052d6c749f075413ecf0cdfc06510ae08d35
SHA512 20ea9102c240e34b9b7b29e99c16e7e3e7950ccdb47a038be0ceca74fc8d271dad841f592222c8cd73f8abafb88015d4608b21e5003175b94e7f6196a2be2ff6

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\cleaner.bat

MD5 5264f00456cbe53023be7b5e80963fa7
SHA1 bfba30d1b1cd84f9d15a6a8b18d22d9e318df512
SHA256 feda308f941e53aef81effefd1249ab4d75a698fa4ae16bf4b148f87d6c27e9c
SHA512 14e369da936d049b3f2c1cd4249508061024bdba2c0c7c840e12a6edf4f5d58d8d510a401240b24ccddce5baab74903c8cc2ff71841c7d716b821a8d30c0e442

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 b262863f0acbff4e8406337d316c667f
SHA1 de066ad17b1f6c89e1fa1febc20cf60f01260b3d
SHA256 68062b31b8f55d9e2e96015ca9731dd4da5775f01e45e5d878d29c63f189ceb5
SHA512 965bcf6c7eab64caea464f9c7d303a0082c887109df1b2276b0be2f0ca6dc111e93d527bf725da7093433a6ce2ac3fb58e0d526dcd6b690e60fa58550878596c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe584ce3.TMP

MD5 0e63cb8e50755be72ad301069a021478
SHA1 d0924bf2c7c3566fd24a4c5b6281d302c198e433
SHA256 bfcb0220c355dc0c251257383c95a8d6bf15223bbacd10460a8a3c08e4e8e10b
SHA512 1c0eaaf5821fd448968ec06cf6ddc034b00272979e99f8ecf0ac49de70e91ae546eccafb562ac486aacf80289ec007896b04a5cafc5f5f9ff0bd59a235402aab

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 434bb4a5735a87db50a36b6d14844ef7
SHA1 0676b0b0264c75acb5a1911d0a3037e65505d921
SHA256 1f5e1e15fc553b434f516182a476d59a3f61c36056e6c5ddec8874559db47a01
SHA512 869f75dde0224d1d74ef99a3509d7ab9e96f55453641a6195705af7ab380031e09158b7ce99c63a1bfab5b960a191514e073e9aa38293887edeea4f75b35e1b4

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 5d40717635ff5caa866d98ab3d4cbade
SHA1 3d8ebc391a1249975f019567b3fa173d4bcd4429
SHA256 b6a70b2139f14c471d7839971acd005a7a976f99aed4a2f2dcb785023f0a76fb
SHA512 406d08957136db6269859ea06d6fa49b5d1535b36096881b24446d7c0bc258ed6eceddb624f1fd58452045af4f9d2c9523a3c29f43faf348771a0c072ed0e84f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f51895773e83275d41ed2d6d993fb623
SHA1 c7cee0a33d5e16cc588efe9b2061666f69ea1b7f
SHA256 798ca7552cff8ca7c5250f6960a5554f90ede01bfc371478bbc18044a3ed5cbd
SHA512 f7e7a9e53a01e7efae27101cb211e0939e817af2e426a98e4edbca89f26b36f1169fbb2a0c615ca003b60e9a56292a55fdf09216f5b9cc20441eb74a068d5345

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 a275d3b7f842ab5b89b7475a45aac370
SHA1 c47d34ba31fc4ea59d3d84e87aa4864e571dbe39
SHA256 3e677dcd7a54d6611d9b4a4a59342b9c34eba4a21f1a5a5434153fdd762c059e
SHA512 20e70554bcbdb2a9386e8702cfb6d67ecfea4f196efb4f681b9baeb3d79f929c2f3358a83600929abd27537fc4a682f2b214c795b1f8a4e810d82e6bdbe002e9

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 4f3275cb72e545fa35b6d92deac1e9ba
SHA1 fcba88fdb15c7ea92e143ae8c7e92da763c5be62
SHA256 5823faed6da96055d3466d3b8bc1c7e726e7e9e7e8fde6f273e187659621fd04
SHA512 07d8fe3b451a8fa3d68649e8eb552da5ca1f3db39449136e3e68393349dd8e323ad288d9cf2cb3b4fe0d02c5de8b14cbe03bc704086b3d2c20d06b94d23392a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000021

MD5 fe192be72a7f010f687779df8e76fc02
SHA1 880d592c372207f7c575e96498494026cb9f49a5
SHA256 d0c8a0b0e0b4ccc02aa259eb93d4078ca2002a4b1dc1ee28222f609e6638adb8
SHA512 dbf33c9d94b8c8155fa089eec9d3e589fd54be16a7343f8c1bc9e777c4002ab9751a8c1e90ffac67418e94fa423691f3963b8f743df221acbb5319cc2644830e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 15d8e69db128404a0f21fd6f50d4c474
SHA1 dff351e9dbd6222c26a258939d6d1085b5e56b7c
SHA256 f1dfc410db9ff45667a27eb870b1346d858f58fa54ffc9ab06569dcb26efa205
SHA512 4190949ae8d86790d871e85c7119159d8151961f371388fd0625e25dffac8965b8a3f7495ec9ca3254ba3ab748550e55c652d4966010d9f6d40ce9f175535ca6

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000023

MD5 26b9ea94b02bdc57ae7b3cd8151b6f29
SHA1 34b21217c43084e3a16a9dab23bdb935150891b1
SHA256 cd88d8151802ee864080bfa768a6f58bce5b654846efb89fc9d3f1a10acab22a
SHA512 c2c7f4268a023db891cc0c6313085995b340347079a926fac2c4474ef40aa4fc128760078215ceae1d6df9b59bb77891910712fb1b0e48b7240fc88e85f52842

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

MD5 db0d0cbdc5d789f0d0841f7c44733eee
SHA1 e60184b856bb840e5aef8d2a50299d45f6856828
SHA256 23f4daee07aadcf12da3c6cc6f4d571397d08b3121a624f94aa940ed457a0150
SHA512 3ea1ae5271cf05d06a01f332b0f9463cab9589c4e7291524cd7be96e0bcdfbf8f6944f23125d46fe39e5e233e2f2bf33e061622fb83783cbbc402ac58c9648a8

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 1b0a8f7ee3700f574331e103ffd12bda
SHA1 ae1818d748336819bf08249baa6a22d385b1fbb1
SHA256 8bfc3fd2e8d6aefd3711e6087360624613bdf2ad007f0971556695fdeff647b3
SHA512 ee6fe625b3eb08f2e494d11f8f2f6758b7067bf2c7a9b9aa386e8ef71765f3364ea8417129e32fa9528f4fe08bc6b5b252e52b8bb645da5b8c2dba2fb049fc58

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 a026022a1eb610b9e54ea896aaad1755
SHA1 700f99ae74526a23236062e75bda3af0e5880911
SHA256 c35d43b124a667e4d0c19695b00e25dd17c3ddeaea145e560190fbdcfddcb2c8
SHA512 1c2c15e08c9d0954fbb370e30717dc3f472e5be3d10c0f35b6d9ac8e9c9e3155695226332de2b128a68b4c004eba84994447368a8f9daba5d8e905567ee1b052

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 af62db1f7d850a806a055986b1c35c41
SHA1 fa5030ab4f575ac816adf9e929f1863716d2604d
SHA256 b34d600ad80cb5abe41b9566dd9a3123635dbc35b870107ee02914c7c48bd592
SHA512 abf770f262d629ee223b9da134bc888f303d76b652debb18f0338b5434291c7f1e7209972734a031324dc8e57228a7d5d79adef2240f5cd76576052cd1cc0dba

Analysis: behavioral2

Detonation Overview

Submitted

2024-12-08 02:56

Reported

2024-12-08 02:59

Platform

win10ltsc2021-20241023-en

Max time kernel

161s

Max time network

162s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

Signatures

Cerber

ransomware cerber
Description Indicator Process Target
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
Mutant created AFUWIN.{5b5b8120-cd0e-11d9-b61b-0001294c3bd8} C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A

Cerber family

cerber

Exela Stealer

stealer exelastealer

Exelastealer family

exelastealer

Grants admin privileges

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Downloads MZ/PE file

Modifies Windows Firewall

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\netsh.exe N/A

A potential corporate email address has been identified in the URL: httpswww.youtube.com@ripple9cbrd1

phishing

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2319007114-3335580451-2147236418-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Clipboard Data

collection
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE N/A

Reads user/profile data of web browsers

spyware stealer

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Network Service Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A
N/A N/A C:\Windows\system32\ARP.EXE N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

Hide Artifacts: Hidden Files and Directories

defense_evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\cmd.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Logs\CBS\CBS.log C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A
File opened for modification C:\Windows\CbsTemp C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\system32\sc.exe N/A

Browser Information Discovery

discovery

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Permission Groups Discovery: Local Groups

discovery

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

System Network Connections Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Collects information from the system

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Gathers network information

Description Indicator Process Target
N/A N/A C:\Windows\system32\ipconfig.exe N/A
N/A N/A C:\Windows\system32\NETSTAT.EXE N/A

Gathers system information

Description Indicator Process Target
N/A N/A C:\Windows\system32\systeminfo.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "70" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040" C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10" C:\Windows\system32\LogonUI.exe N/A
Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent C:\Windows\system32\LogonUI.exe N/A
Set value (data) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00 C:\Windows\system32\LogonUI.exe N/A
Set value (int) \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271" C:\Windows\system32\LogonUI.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2319007114-3335580451-2147236418-1000\{3700ADE7-DCBA-437E-B136-085372B91936} C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Runs net.exe

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Suspicious behavior: LoadsDriver

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeDebugPrivilege N/A C:\Windows\SYSTEM32\taskkill.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\LogonUI.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2352 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 2352 wrote to memory of 1956 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 3556 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 664 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2952 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1956 wrote to memory of 2752 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4d4 0x3d4

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.youtube.com/@ripple9

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x114,0x118,0x48,0x110,0x90,0x7ff8baf546f8,0x7ff8baf54708,0x7ff8baf54718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2196 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3436 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\SYSTEM32\taskkill.exe

"taskkill" /F /IM explorer.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2172,8857631796865289764,8615421506869108408,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe""

C:\Windows\system32\attrib.exe

attrib +h +s "C:\Users\Admin\AppData\Local\ExelaUpdateService\Exela.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist"

C:\Windows\system32\tasklist.exe

tasklist

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 1956"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 1956

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3556"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3556

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 664"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 664

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2952"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2952

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2752"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2752

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3856"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3856

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3844"

C:\Windows\System32\Conhost.exe

\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3844

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "cmd.exe /c chcp"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell.exe Get-Clipboard"

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\system32\cmd.exe

cmd.exe /c chcp

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe Get-Clipboard

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\chcp.com

chcp

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "echo ####System Info#### & systeminfo & echo ####System Version#### & ver & echo ####Host Name#### & hostname & echo ####Environment Variable#### & set & echo ####Logical Disk#### & wmic logicaldisk get caption,description,providername & echo ####User Info#### & net user & echo ####Online User#### & query user & echo ####Local Group#### & net localgroup & echo ####Administrators Info#### & net localgroup administrators & echo ####Guest User Info#### & net user guest & echo ####Administrator User Info#### & net user administrator & echo ####Startup Info#### & wmic startup get caption,command & echo ####Tasklist#### & tasklist /svc & echo ####Ipconfig#### & ipconfig/all & echo ####Hosts#### & type C:\WINDOWS\System32\drivers\etc\hosts & echo ####Route Table#### & route print & echo ####Arp Info#### & arp -a & echo ####Netstat#### & netstat -ano & echo ####Service Info#### & sc query type= service state= all & echo ####Firewallinfo#### & netsh firewall show state & netsh firewall show config"

C:\Windows\system32\systeminfo.exe

systeminfo

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\System32\sihclient.exe

C:\Windows\System32\sihclient.exe /cv 4eXnmB1hKEiR3Nmy1O6StA.0.2

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.19041.4467_none_7e0f83e07c8c1985\TiWorker.exe -Embedding

C:\Windows\system32\HOSTNAME.EXE

hostname

C:\Windows\System32\Wbem\WMIC.exe

wmic logicaldisk get caption,description,providername

C:\Windows\system32\net.exe

net user

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user

C:\Windows\system32\query.exe

query user

C:\Windows\system32\quser.exe

"C:\Windows\system32\quser.exe"

C:\Windows\system32\net.exe

net localgroup

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup

C:\Windows\system32\net.exe

net localgroup administrators

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 localgroup administrators

C:\Windows\system32\net.exe

net user guest

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user guest

C:\Windows\system32\net.exe

net user administrator

C:\Windows\system32\net1.exe

C:\Windows\system32\net1 user administrator

C:\Windows\System32\Wbem\WMIC.exe

wmic startup get caption,command

C:\Windows\system32\tasklist.exe

tasklist /svc

C:\Windows\system32\ipconfig.exe

ipconfig /all

C:\Windows\system32\ROUTE.EXE

route print

C:\Windows\system32\ARP.EXE

arp -a

C:\Windows\system32\NETSTAT.EXE

netstat -ano

C:\Windows\system32\sc.exe

sc query type= service state= all

C:\Windows\system32\netsh.exe

netsh firewall show state

C:\Windows\system32\netsh.exe

netsh firewall show config

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\randomizer.EXE"

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\21902902190121290mc.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c pause >nul

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TempAppFiles\spoof.bat""

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /ID 01/29/2023

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SV vmVN8iZ5yQbIv6M

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SS JO1u5oOsLErmoac

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SF ABrmfFrA1p3LsdU

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SU AUTO

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SK Rz61XB17YrkAGjd

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SF qrY6Ar04AGTD6zv

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BV Ds10My4or5r2UNM

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BS tOdl0QAd3RCTKhR

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BT Ct96DgixOvmtOZa

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BLC lzDyaah2e7KXr9x

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CV kPRV0kKIRXSlfLc

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CS WTrxdou87yXJi82

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CM 2P5VOmV5ADey7sx

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CA Ux1Yeg0CEmHqGHX

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CSK HvaPGxbKG7foq6i

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /PSN dVWLvYTlaO89ubk

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /PAT GZJXvXYzZ6q50d4

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /PPN Y3g6suxNDuzF7Fg

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BSH 3 E7BHNOc9hBp4ahH

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BMH 3 lWEZezjxH1bTMqc

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BPH 3 mbtkQ9lsu15SfMN

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BVH 3 XeWzaEx3WZTmbwd

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CSH 4 6MtxZSd1sXjyQYI

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CMH 4 hxWAyA0XaOd8BTf

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CVH 4 KKg2vSYOCQTEZYX

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CAH 4 yby8RPNckuuQmgV

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /CSKH 4 T2yoqw04vJvq383

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BTH 3 sDnh5qTnhdEJtNx

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BLCH 3 GkZiyuJYnqB2q4j

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /IVN soStYSPmk8qPjhu

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /IV 1.6.7

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SM 0Wf3eu602hxrrTs

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SP O4T6YxYqppaqii9

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BM X9k6krQ1Zt33mAx

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /BP JwuVVwtcGpuqcet

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /SCO 1 yseWoolbVGPGQ36

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /OS 1 gNoqCeijA1XPgKx

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /OS 3 JkxNCBSrK2ZVs5m

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /OS 4 4OprouoJ9uvWZ0H

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\AMIDEWINx64.EXE

AMIDEWINx64.EXE /OS 5 el7n7zPaO5dgGhX

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE"

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE

"C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE"

C:\Windows\System32\shutdown.exe

"C:\Windows\System32\shutdown.exe" /r /t 0

C:\Windows\system32\LogonUI.exe

"LogonUI.exe" /flags:0x4 /state0:0xa39e8055 /state1:0x41c64e6d

Network

Country Destination Domain Proto
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 71.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
US 8.8.8.8:53 ucedd84a6bd60b3a517b4cac6a85.dl.dropboxusercontent.com udp
GB 162.125.64.15:443 ucedd84a6bd60b3a517b4cac6a85.dl.dropboxusercontent.com tcp
US 8.8.8.8:53 18.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 15.64.125.162.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 storage.bunnycdn.com udp
DE 109.61.89.54:443 storage.bunnycdn.com tcp
US 8.8.8.8:53 54.89.61.109.in-addr.arpa udp
US 8.8.8.8:53 www.youtube.com udp
GB 142.250.187.206:443 www.youtube.com tcp
GB 142.250.187.206:443 www.youtube.com tcp
US 8.8.8.8:53 consent.youtube.com udp
GB 142.250.200.46:443 consent.youtube.com tcp
US 8.8.8.8:53 nav.smartscreen.microsoft.com udp
GB 51.140.244.186:443 nav.smartscreen.microsoft.com tcp
US 8.8.8.8:53 206.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 46.200.250.142.in-addr.arpa udp
US 8.8.8.8:53 data-edge.smartscreen.microsoft.com udp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
GB 51.140.244.186:443 data-edge.smartscreen.microsoft.com tcp
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 227.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 203.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 195.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 196.187.250.142.in-addr.arpa udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
N/A 127.0.0.1:53237 tcp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
N/A 127.0.0.1:53244 tcp
N/A 127.0.0.1:53247 tcp
N/A 127.0.0.1:53249 tcp
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp
US 162.159.128.233:443 discord.com tcp
US 8.8.8.8:53 api.gofile.io udp
FR 45.112.123.126:443 api.gofile.io tcp
US 8.8.8.8:53 233.128.159.162.in-addr.arpa udp
US 8.8.8.8:53 126.123.112.45.in-addr.arpa udp
US 8.8.8.8:53 store1.gofile.io udp
FR 45.112.123.227:443 store1.gofile.io tcp
US 8.8.8.8:53 227.123.112.45.in-addr.arpa udp
US 162.159.128.233:443 discord.com tcp
N/A 127.0.0.1:53429 tcp
US 8.8.8.8:53 20.49.80.91.in-addr.arpa udp
US 8.8.8.8:53 udp
N/A 52.168.117.174:443 tcp
US 8.8.8.8:53 udp

Files

memory/2352-1-0x00007FF8DEDDB000-0x00007FF8DEDDC000-memory.dmp

memory/2352-0-0x0000000000A40000-0x00000000026C0000-memory.dmp

memory/2352-4-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp

memory/2352-3-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp

memory/2352-2-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp

memory/2352-6-0x0000000000A40000-0x00000000026C0000-memory.dmp

memory/2352-7-0x0000000000A40000-0x00000000026C0000-memory.dmp

memory/2352-9-0x000001E43A200000-0x000001E43A201000-memory.dmp

memory/2352-10-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp

memory/2352-11-0x000001E4562B0000-0x000001E456362000-memory.dmp

memory/2352-12-0x0000000000A40000-0x00000000026C0000-memory.dmp

memory/2352-13-0x000001E456710000-0x000001E456732000-memory.dmp

memory/2352-14-0x000001E456790000-0x000001E4569A4000-memory.dmp

memory/2352-15-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp

memory/2352-18-0x000001E457210000-0x000001E457244000-memory.dmp

memory/2352-19-0x000001E457260000-0x000001E45727A000-memory.dmp

memory/2352-21-0x000001E457250000-0x000001E457264000-memory.dmp

memory/2352-20-0x000001E457240000-0x000001E457248000-memory.dmp

memory/2352-23-0x000001E457280000-0x000001E4572B2000-memory.dmp

memory/2352-26-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 32d05d01d96358f7d334df6dab8b12ed
SHA1 7b371e4797603b195a34721bb21f0e7f1e2929da
SHA256 287349738fb9020d95f6468fa4a98684685d0195ee5e63e717e4b09aa99b402e
SHA512 e7f73b1af7c7512899728708b890acd25d4c68e971f84d2d5bc24305f972778d8bced6a3c7e3d9f977cf2fc82e0d9e3746a6ccb0f9668a709ac8a4db290c551c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 b5fffb9ed7c2c7454da60348607ac641
SHA1 8d1e01517d1f0532f0871025a38d78f4520b8ebc
SHA256 c8dddfb100f2783ecbb92cec7f878b30d6015c2844296142e710fb9e10cc7c73
SHA512 9182a7b31363398393df0e9db6c9e16a14209630cb256e16ccbe41a908b80aa362fc1a736bdfa94d3b74c3db636dc51b717fc31d33a9fa26c3889dec6c0076a7

\??\pipe\LOCAL\crashpad_1956_QILCSRJZAESJGFDG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

MD5 6e466bd18b7f6077ca9f1d3c125ac5c2
SHA1 32a4a64e853f294d98170b86bbace9669b58dfb8
SHA256 74fc4f126c0a55211be97a17dc55a73113008a6f27d0fc78b2b47234c0389ddc
SHA512 9bd77ee253ce4d2971a4b07ed892526ed20ff18a501c6ba2a180c92be62e4a56d4bbf20ba3fc4fbf9cf6ce68b3817cb67013ad5f30211c5af44c1e98608cb9e3

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 310c044ca44eea175892a83b46cc6343
SHA1 a664b485d5d9db1fcbe06a142edd9c4d369c9fa5
SHA256 92f0240cc8022d202094a8766aac541848d43b4b55a9c5d112e92e026abd69e2
SHA512 5493ede481df557b928bd4ad5616afded25353c19448be5752a89f29ba55f20bdc04c414e9be92c295ed3528e5d77edd55841256543a44fd15651a8465371be5

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

MD5 e5e3377341056643b0494b6842c0b544
SHA1 d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256 e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

MD5 d1291397afba61f29aa4edf736846e0a
SHA1 7689fa6f0981abf689cf530db90b5362290f3417
SHA256 26f760c4a2ed24f038075e77622205d8052316eed2bdf5ec9176f7656d6549b0
SHA512 9d8f4d07e84f462c3e696dbdfd00170e0dc114101da76476af40c8a65bd80060aa031dd001ab0cdb8908ae24287034a3b970696c46ee519aeac8a22044a5a12a

C:\Users\Admin\AppData\Local\Temp\_MEI39442\ucrtbase.dll

MD5 3b337c2d41069b0a1e43e30f891c3813
SHA1 ebee2827b5cb153cbbb51c9718da1549fa80fc5c
SHA256 c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7
SHA512 fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

C:\Users\Admin\AppData\Local\Temp\_MEI39442\python311.dll

MD5 db09c9bbec6134db1766d369c339a0a1
SHA1 c156d9f2d0e80b4cf41794cd9b8b1e8a352e0a0b
SHA256 b1aac1e461174bbae952434e4dac092590d72b9832a04457c94bd9bb7ee8ad79
SHA512 653a7fff6a2b6bffb9ea2c0b72ddb83c9c53d555e798eea47101b0d932358180a01af2b9dab9c27723057439c1eaffb8d84b9b41f6f9cd1c3c934f1794104d45

C:\Users\Admin\AppData\Local\Temp\_MEI39442\VCRUNTIME140.dll

MD5 f12681a472b9dd04a812e16096514974
SHA1 6fd102eb3e0b0e6eef08118d71f28702d1a9067c
SHA256 d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8
SHA512 7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

memory/3968-231-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39442\python3.DLL

MD5 34e49bb1dfddf6037f0001d9aefe7d61
SHA1 a25a39dca11cdc195c9ecd49e95657a3e4fe3215
SHA256 4055d1b9e553b78c244143ab6b48151604003b39a9bf54879dee9175455c1281
SHA512 edb715654baaf499cf788bcacd5657adcf9f20b37b02671abe71bda334629344415ed3a7e95cb51164e66a7aa3ed4bf84acb05649ccd55e3f64036f3178b7856

C:\Users\Admin\AppData\Local\Temp\_MEI39442\libffi-8.dll

MD5 decbba3add4c2246928ab385fb16a21e
SHA1 5f019eff11de3122ffa67a06d52d446a3448b75e
SHA256 4b43c1e42f6050ddb8e184c8ec4fb1de4a6001e068ece8e6ad47de0cc9fd4a2d
SHA512 760a42a3eb3ca13fa7b95d3bd0f411c270594ae3cf1d3cda349fa4f8b06ebe548b60cd438d68e2da37de0bc6f1c711823f5e917da02ed7047a45779ee08d7012

C:\Users\Admin\AppData\Local\Temp\_MEI39442\pyexpat.pyd

MD5 fe0e32bfe3764ed5321454e1a01c81ec
SHA1 7690690df0a73bdcc54f0f04b674fc8a9a8f45fb
SHA256 b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92
SHA512 d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

C:\Users\Admin\AppData\Local\Temp\_MEI39442\libssl-1_1.dll

MD5 6cd33578bc5629930329ca3303f0fae1
SHA1 f2f8e3248a72f98d27f0cfa0010e32175a18487f
SHA256 4150ee603ad2da7a6cb6a895cb5bd928e3a99af7e73c604de1fc224e0809fdb0
SHA512 c236a6ccc8577c85509d378c1ef014621cab6f6f4aa26796ff32d8eec8e98ded2e55d358a7d236594f7a48646dc2a6bf25b42a37aed549440d52873ebca4713e

memory/3968-308-0x00007FF8D2440000-0x00007FF8D246D000-memory.dmp

memory/3968-309-0x00007FF8D2410000-0x00007FF8D2433000-memory.dmp

memory/3968-310-0x00007FF8C9ED0000-0x00007FF8CA043000-memory.dmp

memory/3968-314-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp

memory/3968-317-0x00007FF8D2C10000-0x00007FF8D2C34000-memory.dmp

memory/3968-316-0x00007FF8C9E10000-0x00007FF8C9EC8000-memory.dmp

memory/3968-315-0x00007FF8C95C0000-0x00007FF8C9935000-memory.dmp

memory/3968-311-0x00007FF8D23E0000-0x00007FF8D240E000-memory.dmp

memory/3968-320-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp

memory/3968-325-0x00007FF8D2380000-0x00007FF8D2394000-memory.dmp

memory/3968-329-0x00007FF8C9CF0000-0x00007FF8C9E0C000-memory.dmp

memory/3968-331-0x00007FF8D22D0000-0x00007FF8D22EB000-memory.dmp

memory/3968-333-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp

memory/3968-339-0x00007FF8D2290000-0x00007FF8D22A1000-memory.dmp

memory/3968-341-0x00007FF8D2000000-0x00007FF8D201E000-memory.dmp

memory/3968-340-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp

memory/3968-338-0x00007FF8D2020000-0x00007FF8D202A000-memory.dmp

memory/3968-342-0x00007FF8C7B50000-0x00007FF8C834B000-memory.dmp

memory/3968-337-0x00007FF8D2130000-0x00007FF8D2162000-memory.dmp

memory/3968-336-0x00007FF8D2170000-0x00007FF8D21BD000-memory.dmp

memory/3968-335-0x00007FF8C9E10000-0x00007FF8C9EC8000-memory.dmp

memory/3968-334-0x00007FF8C95C0000-0x00007FF8C9935000-memory.dmp

memory/3968-332-0x00007FF8D23E0000-0x00007FF8D240E000-memory.dmp

memory/3968-330-0x00007FF8C9ED0000-0x00007FF8CA043000-memory.dmp

memory/3968-343-0x00007FF8D1FC0000-0x00007FF8D1FF7000-memory.dmp

memory/3968-328-0x00007FF8D22F0000-0x00007FF8D2312000-memory.dmp

memory/3968-327-0x00007FF8D2410000-0x00007FF8D2433000-memory.dmp

memory/3968-326-0x00007FF8D2440000-0x00007FF8D246D000-memory.dmp

memory/3968-324-0x00007FF8D2BD0000-0x00007FF8D2BE9000-memory.dmp

memory/3968-323-0x00007FF8D23A0000-0x00007FF8D23B4000-memory.dmp

memory/3968-322-0x00007FF8D23C0000-0x00007FF8D23D2000-memory.dmp

memory/3968-321-0x00007FF8D2BF0000-0x00007FF8D2C09000-memory.dmp

memory/3968-305-0x00007FF8D2BD0000-0x00007FF8D2BE9000-memory.dmp

memory/3968-303-0x00007FF8D8000000-0x00007FF8D800D000-memory.dmp

memory/3968-302-0x00007FF8D2BF0000-0x00007FF8D2C09000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39442\libcrypto-1_1.dll

MD5 86cfc84f8407ab1be6cc64a9702882ef
SHA1 86f3c502ed64df2a5e10b085103c2ffc9e3a4130
SHA256 11b89cc5531b2a6b89fbbb406ebe8fb01f0bf789e672131b0354e10f9e091307
SHA512 b33f59497127cb1b4c1781693380576187c562563a9e367ce8abc14c97c51053a28af559cdd8bd66181012083e562c8a8771e3d46adeba269a848153a8e9173c

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-utility-l1-1-0.dll

MD5 b5c0e86861a795b607b3dddf29ceab01
SHA1 4ece72b0a9d8f42da935f9affe3280b48805d9c1
SHA256 837167faa319cab764615fcfdb375008aed60c399b139dc0b3b0338a106f3b18
SHA512 6ec88fbbbdd3377650bc575da6f1d1a8f94b445bceb6d96894a511b690cd3af63be5df448bc6bcac0e3200086f90cd1707c5b281bacfbbdf7a02f984f3ddf32b

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-time-l1-1-0.dll

MD5 c4af0dc7d97105deac352f569beb603d
SHA1 f52d7ee9ae432dbf5b42d5fb2a816411138d7e03
SHA256 b66ae7e1d0da45a758b2ec9d2727f8f59a2d0a59bf43be347369381338c6afb3
SHA512 8961b1acab372511d45b4cb08f6672bebc436f19c854f73058bb28e56ddd57dfd18aab785b39e0b1254ce9e2989e6db744e1de503429932fce2b0f53f000d91f

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-string-l1-1-0.dll

MD5 03f1e99c4258416b4c6800081b3701e2
SHA1 502d6654cc0a331b8c45eb760db39edbc3ee93c9
SHA256 abf8a6ad52f6c71458dc2c159eb8ce7a297494177f8e05fd52a1e7bceb493426
SHA512 7a1fc6488c4eee4a32963b1e78b76ac1c4d4c196c8b2743ae4cc89805fa02f554210d0fe5a87afa258abe3c24c710315facdea997e7aa2effcf8664b8531c459

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-stdio-l1-1-0.dll

MD5 ce04551e4a578993207eed8f49e045dc
SHA1 f2ea2b8901458263879e76f67c4154559252aa5b
SHA256 f6ba90e21a1e31ff2be7292c2a03d20570788fd829e075ab4a6d37a9ca2ba194
SHA512 872af73065241877679e96dd6c5e8458417436241262829a378768aa47cb290f45aab67ddf205bccd6846a2189a0bd26a31fb01f1d7886fe93067687055f4fe5

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-runtime-l1-1-0.dll

MD5 be6d51793bc63716fb45cb49958b0f6a
SHA1 e2563b2c324b58bad602c46bc4d6148ce5319c10
SHA256 edd8206ef8caf25e955e9fba2c9c8ebf73d8ec3fd0f562372f7ed8b8f7004c2f
SHA512 31fa876b8dc54d882db0d8a3c7e6784b893b6c8b4a04688261720d75402cb4229f07c70df4dabb032b63940d8e3ba95978d439b5f0f9a21c62a8adbcc92bcabe

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-process-l1-1-0.dll

MD5 fa9b5cec8eed4fef73ec60d7f4c1eb1e
SHA1 03f19b2886688de1fb2016d614fe514f8b508250
SHA256 09f19b41a8d71cd5174efdae2a7649022780434d7c4416d6121153359aa85918
SHA512 744288d8903fdceed87cc5b7e0e286fab59584b57acdd943b04c5f6a39391a1662961a686344c1fdce36aea039adf8b1fcfc883e06011dd592077931716cdff7

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-math-l1-1-0.dll

MD5 e6184d65799033dbee51667790130016
SHA1 b00461d14ffa2beab0887bcb716f331090cce8c9
SHA256 eecac10f830ad0dcbdf0f0dc1422ef5cfed490a877429a4674aecc560869a5e5
SHA512 987c14f8c22ae0d6c1005cc7b0d9a240283c2120e8ded030a407f25fb7786f7283980850ca243859f0148dbeb7bfaec01c8208865b81046999252d07e5f42d53

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-locale-l1-1-0.dll

MD5 3cca955cde8362605fc268e4b12accaa
SHA1 6f3c214ef223f35495c0cb0ee359b9d975c14e72
SHA256 34c6e58abcce5bccace50df3bd6c3e2d3f4e8413b14aae8e707ddfddccdeba6d
SHA512 5b7fe7deb6066c53bd41479172eac2736301f5cf32921f13d2ce6ad2811925e7bc1c436627698050be86ddf18852eeac927be4efc2182d857b31f637adc6c206

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-heap-l1-1-0.dll

MD5 e3ede68927c68aa73ac95722d24334ce
SHA1 dbe71e1a56f9b7569b4a568bb67e37c38011b879
SHA256 5dd42e524920f4cb467031eb9e0e440bbe73de0fb39f71e65736a2ab2f6fcfe8
SHA512 d935058d8409b518d82336dc0b1521bf411ef77ef49485ede15baf5d1ac527f46ad813ebdb889c0f9999d553a879150d5ba41ce3a0b11d5ca08907e378fc9b8d

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-filesystem-l1-1-0.dll

MD5 3491700e847fb9e9c4413fc82a0ad285
SHA1 03694cd43a06bb2fff6a1d85f73bd7b87198e07e
SHA256 ed969fae3cf64f46b5f4d2447980befd6f0a7fd05802529dbc793f3c014bc46c
SHA512 07e81eabcef621ec6a84e1932e299e0b865c06e6f9907017bbed0121771712b007a18771099131f24da134f3cbff0a7af30ca4e1c262b117e8bacf055cd54002

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-environment-l1-1-0.dll

MD5 16a97489dab15db9b9713c53726f3411
SHA1 c15ad01807955374283805104233bd56760b25c9
SHA256 9c06541d13c7088f313aab0be5af20b72e583f34e442df3d2fc29953640d4812
SHA512 54ffa278e4d0975830c1a8eff9b7fc41d487cd9e8390d0e14f58cff62efadfc5816bcda3ca11e2b1cbaeecb20546839593f7c6ea9500eef433f299861d205822

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-convert-l1-1-0.dll

MD5 4bb011d3e58e958e94ca23ae05a8e958
SHA1 741af22136c1d6dce03c75c68e977c05d76ac027
SHA256 06b0fd7e6d7cbe35177af8fc17863f247bd5caee64543e3a9a125253d51af777
SHA512 07668515aa4099c390ce30ef3415e412113483da792d7cd02bb3ddce561719e808d6be81b90d599f4a7fa50ba27382c8d84ecb45292200bba7094a5204ff7715

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-crt-conio-l1-1-0.dll

MD5 5bc2660d94760af50f96b1999de6cfab
SHA1 75dec9b15bf9181f0e8015992b678bac718d8c0b
SHA256 03bebf73df97beed5da608cae73324df2aaec092277d53ce8c119031cf8e21fd
SHA512 7e9c67b5e46b35ba3f733110cf7fe35ac9dc1b41a4f7633180cd69631d1b82bcac99f8b94b6f36a373f72bc4fd7eeaac21a8fb51830914a32e19d738208ca636

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-util-l1-1-0.dll

MD5 8222b0f8bcf884433a55996253963a96
SHA1 35914b003bbe6527e2479d7f897024915821500f
SHA256 7f18dc2971d15434bfe03c4842dced10b466e849d782a1c8e398d96c2e2b12e2
SHA512 5e67b25af8a1f23450cf8807135fea1ec39dfe8ff7cd3858e492ae9e016a23967ed6009da8868cd9dc87d583c3b7e6fb66d00bd48a7bba6b0eea638716514cc6

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-timezone-l1-1-0.dll

MD5 10d466341e7ece8cf75b5d026105741b
SHA1 31d1e9b9a4511156695b5aa33d65b6a36f8139c2
SHA256 5ce391edb33c7055e724a4c3cecc64d16ba2aa4724cb99cd5aed00b0cecfbc82
SHA512 8778fd10c7360bd87db048a2b2ca6603455fd8cb4d0e18709f106b55db7cc92e7d6dc45385ff9def445b368376462e7d253442728d5e759faa97299b67a59e21

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-sysinfo-l1-1-0.dll

MD5 e496d42d228b5e90c7b96350dbb1159c
SHA1 746ba35a931e05aebda957608a6e28c1699237aa
SHA256 1ff617fb9d681551fb456aabaae078c0ac7f96580ac1144ea441826a6d98caef
SHA512 ce555cb7fc0625d7568b002306e203e013f03127aad7383ce26774cb1f1fa820f5fa6145dc9f5930b4d0791631bdbce2ee2e4ee3efa7720b1b2c413ff782e197

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-synch-l1-2-0.dll

MD5 2914ea20c9b8d79b1e98ea6b6dd85450
SHA1 2e25617bb4f3f6391658b5778f5248d9e6762c6b
SHA256 047d09b49dae9a101eb55277aa37c31390ea6c7187379b448122d77bd77bf005
SHA512 c0731aaecbca9b70151e7630e0dbc7d744d534effe56ad703df881f09c7820cb143873dbf95d57357d51be44d53a3b9862d0c6483ca6c70aad01a3f11350abc9

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-synch-l1-1-0.dll

MD5 87c57eddf837c1e7aaaddb451d3d981e
SHA1 5287af84ca9cdfa928355c3c899a43051169a2fd
SHA256 e65305c73e3540491a0c62103764d50d827a13d749f76cb2af593a800c93cf44
SHA512 0900608072d807082087275bd71061f7118534ea20d4cbd9b0e8190f500cd57feabe0bf7f9fac6438a7c4655ac405dd4ec17fd5f1a48b4f5dc70eb25e6f0e8ae

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-string-l1-1-0.dll

MD5 2ebacbbda70b888b1bcc5e816d14f3a2
SHA1 ebf1763b0cee267040312deccb3dad61af1b9cf4
SHA256 96b11fa8aca734f4b1ddee377c84427d384f8e06affd99c63128797289fc9304
SHA512 af15fc2b1ff31a3550ae4e9ae45f7bbe728d839b288d6dc5f04859e27463ed946d5b2619736223ae401cee504e683b9fe9dffb65754280644dda91527eb46c5e

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-rtlsupport-l1-1-0.dll

MD5 8aad6a3a2fe9052ef218d5c8ce1995e1
SHA1 33748750e57cdc165fcdd186ae53003649607221
SHA256 e44d56d10ee14d4c4767a25839c2ef6826adbea3e15c2705b1d79676a63905b4
SHA512 841c70c63b243dea68c2ac9cd886731b6171dcf76a60932191fb29402585d6bbfcc98d11868fc6032f08c29d8e0040a2b896c32c2fb4697bd54dea2a52589ae6

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-profile-l1-1-0.dll

MD5 fb731a1f96c9e34347cba5bb18e54581
SHA1 88a62edfbbd806b1043b4a1266c4708e1d47be1d
SHA256 c4c1d381f419731c848e4a20aef02a4436758935c9a274896228b9451956cc8e
SHA512 be6c94d6015edae41fa0d6464c7dc5976adbc3617e02b293b9a39e645ec173071f1f282959ddf264a133ce3b3bb9c434eb2e65fc607136f11d8eb07538168ffc

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-processthreads-l1-1-1.dll

MD5 a6776c201baae1dd6f88048d7747d14c
SHA1 646119d2e440e6dad0ffb0fe449ab4fc27f09fbe
SHA256 ee99af71c347ff53c4e15109cb597759e657a3e859d9530680eeea8bb0540112
SHA512 a9137af8529fd96dbba22c5179a16d112ec0bfab9792babe0a9f1cca27408eff73ba89f498cb5f941a5aa44555529ee10484e6ca4a3fbf1627523acfde622b45

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-processthreads-l1-1-0.dll

MD5 abaabc1df36c7a0674f20fb83247fd71
SHA1 345db0ffea0cb2531b79d464ad69347ac71ee2b9
SHA256 ba55f8481d8a9d225b8c430eb010f675250c5afa64d9eeb15ff31dc159a19f5a
SHA512 7c01b8f46e9fbe08784066a9df03723b3485fa714f22f4ab7e1cbe719b0a91ab1a5d597ef9d567836375de929ea9397ce0685f00b908f3d0aa4d0288eb59f7ba

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-processenvironment-l1-1-0.dll

MD5 6d0762a2ba4263d0901ca7aaa0725c0c
SHA1 e36d2d049116bd2d84121cdfa179098ac03650b4
SHA256 2ee9434cc5f40f4514c7284e14b90db5c7a33000afda834d7c1dc063baa3d805
SHA512 94616b2bfc0497ca2dbbc23c1aa4ecb04113a53d75fa570f6bb5e2561e5cdb940792e2cb290562133d226400c78d91377fdd312ba2858679084c66ff1ae9031d

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-namedpipe-l1-1-0.dll

MD5 7e751952f122f4e8be1317087dc9dc71
SHA1 f65884c8cfbb8ad565b3df3a51af11b1617c7092
SHA256 d078a9a9958a7c816dea989bef24f32befc6651aea5e07f97a7b5d50df73f799
SHA512 960922ac1309bdcf42d6900a0bea30d4096d1411ec6a97f328520d4a59f71fc04e6f4a7b8d2b346012530329f76897607369c8e1ed1fe9c589d7f7682987c043

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-memory-l1-1-0.dll

MD5 41e0b7cb0eecba317cf321b1ada084d7
SHA1 4ce1f13188fc00eb29c726717eae489c524c1c8a
SHA256 db978830b1fbcc0521582a6a79864b0fd83179248fa374926c8097bc02cd6383
SHA512 f0961cde8dc83b845b2b91e42436ed8b42d2fb19caaabf49b300fa9cbbae9fab84009b4714c3899ab4a703315a135a61e508db29239d823a1cc11462ce6ffab7

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-localization-l1-2-0.dll

MD5 4c26932f8f1f490017add31f5ec0a533
SHA1 0da01a7c89b506fe3fd939344bb51b976efb3207
SHA256 dd3843c2e46b4e926c36150d614efe02ca0ebc1f767f64f471568adc35c2ef23
SHA512 eb2b87d187991fdc8e3a6577f20622d2d4a2a994dd375d8c27e1434ce786596533eacfbde8714db9959d88d6bcb91fdc8079c60c23f0eb920ba45c546a44e523

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-libraryloader-l1-1-0.dll

MD5 259b4186004bb41e706dd781e29f5c5b
SHA1 85751d31fe233ed51c46466f214f497d01be8d87
SHA256 b3ba83880986f2522d05a88c52fe69eda9c9fadbc5192a063e36bba777cc877f
SHA512 f8a06252e96f40965668c978c4808305d424de698f47f420643d713751926636f2049dd34c8156ba5bbbf5a5b2f4d5c19a978cf27d3aaebd728d7a3de8f0afa2

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-interlocked-l1-1-0.dll

MD5 0b65672b91c6a12d769dd777f810b149
SHA1 2d527b45dcbe653a91e10365891c7e589f5e51e0
SHA256 c09eb307b2eb747b73c516267a99a23bb73204452326d41bdeb6f43598f6d62e
SHA512 f090bb0b8f3616cf2d77ff25523bc823918e1452f626a1298c95003def1867c785566a4e85ccd7f5a20f14631caec5dd392777db2d00368c3fdf3597e0f51788

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-heap-l1-1-0.dll

MD5 993b5bc35dac959bed58b77fe42ac77a
SHA1 2abad159cbab86ff423d6446143427daab751366
SHA256 b998ff8d173c34505e1d5984134282866de910b09919cf9a322fce760b75c80b
SHA512 ca19e949dcc8460af53c9dad17995a0cbffd971bb731b7fcb53bb9384d227357926231c9fadfaa5aef09055bebae9d5c23ee73eb6eca04d6a52a3df0847e10ab

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-handle-l1-1-0.dll

MD5 4166d703abc9c6de65d5b269d3a5425e
SHA1 16bcd7191312b94bdf38368d188e5a5cc479a36c
SHA256 0a351c2a2889a42886017e7dbcf75f45e3cb24d2f55e72205624272487e4a056
SHA512 f722dba410cab727c753e9cce0bc47663e22f45828f5df0bac5bd6331497a2f15f6d9330b5203d3ff735f1ce6397e63c1b21d3ea6c5ceab817b5f83ec296882b

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-file-l2-1-0.dll

MD5 50abf0a7ee67f00f247bada185a7661c
SHA1 0cddac9ac4db3bf10a11d4b79085ef9cb3fb84a1
SHA256 f957a4c261506484b53534a9be8931c02ec1a349b3f431a858f8215cecfec3f7
SHA512 c2694bb5d103baff1264926a04d2f0fe156b8815a23c3748412a81cc307b71a9236a0e974b5549321014065e393d10228a0f0004df9ba677f03b5d244a64b528

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-file-l1-2-0.dll

MD5 4a060eec454c222a5381cd359dc00b81
SHA1 21e1bc115d04a74779e955ea16a16bd71454d9bb
SHA256 e6b2b05e14a6c6f5381e8f4c7f4fd28a499246fb4c8eafe1f08014b9273d70df
SHA512 16fb1f4ccdad05d07feb62e0cd078401f4023f9fab0fb15e52b927ca413e65eb32c2932ba59dbfa7f7ee0e8a8053748e27f2757e82e600db812271aa44a9433c

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-file-l1-1-0.dll

MD5 4b328f140a3ae7fedb21ca50cc23d938
SHA1 9e71b4c2cf030a644d2050188c4b77e638c0ee14
SHA256 e55b200643e8b078e7f5eb0c97de44fead21b11d06590ebedbcb84214d063345
SHA512 4c349f45ca4db4f1247aa405e5627f22b7ccfe66234d8d970475e71471ebb251f7a0f781a33d0e4ec893f86653b0a1c8508adf576e923d0ce86b43f552204614

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-fibers-l1-1-0.dll

MD5 201ff3cd2ffe7d222f46574d4ac40a70
SHA1 b43f19bbb8fd1c8aa05ba67dea38a7785dbe57b6
SHA256 b83a71978215fdba477c4ea61340168947a1021324d118e6b7159054985f2d1a
SHA512 3f99d7b501c1db470a6d91af856ebbede05522acb5763d928f4fb28c74db2339b46df108745ed8ebd8c6c1298d9495358c245d188f055638b0d6dd568fa596d2

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-errorhandling-l1-1-0.dll

MD5 12ea48ce605ebb204a21ae7d86db3417
SHA1 5fb0ff9ba4105cd76ee4470ae4cad0a39ae68c66
SHA256 189bbbd739526a986e53518865e741cde8c5967aacd5ed687408cec3d8781f1c
SHA512 39b486fb72c9dff4e391673a872e957dbf0545d4d26914d0b0a475624e40b4feec3a9a17549e87ba806b1a90bf6f7784a187c506daa1db5201561cef90ff6e81

memory/3968-259-0x00007FF8D8010000-0x00007FF8D801F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-debug-l1-1-0.dll

MD5 7ad2034acd0f296fe9eed320e5ad7591
SHA1 fe1b217e3f4567905968f7a3d48a7611e3cf3f7b
SHA256 0d859a866d1bcefe1a1bc5adb88dcf2765567ecc31dfb4e472b512d033d88bb4
SHA512 06d017b0ef9d081bc627f7f33d51ef2fe64e2cc5023204771032c4ed7bf26c0c6106b69d78f7bdd880fa59e8e4048b2da8848784bc92d7780155df140c952420

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-datetime-l1-1-0.dll

MD5 854458ad55c39a9dfd1e350a51be02b8
SHA1 5013cf58de5a0b55e026ace967e9842b3b131c2a
SHA256 f918b0c45f59b2cb29f1eb3653d2f2679095e85e082a1198c933a76edf1f33ef
SHA512 faa41a5031033f7e86efebc47777f915e95617f4b05d93833066c206d9c092855d8072c7bd142898f5a2bd1f94b646d98933302ddeb5a9ca0d5930c7b2241b98

C:\Users\Admin\AppData\Local\Temp\_MEI39442\api-ms-win-core-console-l1-1-0.dll

MD5 9313c86e7bae859f0174a1c8b6aba58b
SHA1 dce67fd1da5da8dc4ba406c544e55a83d6536cc9
SHA256 af9675ac90bae8a0d8623f6fdaff9d39e1b8810e8e46a5b044baaa3396e745b3
SHA512 2ec64fce4a86bc52dc6c485fd94d203020617df92698ca91ae25c4901984899e21c7dd92881ec52d6850edfa547701aab9b0cd1b8d076e6779b1a13324cdd3a4

memory/3968-253-0x00007FF8D2C10000-0x00007FF8D2C34000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39442\_ctypes.pyd

MD5 b4c41a4a46e1d08206c109ce547480c7
SHA1 9588387007a49ec2304160f27376aedca5bc854d
SHA256 9925ab71a4d74ce0ccc036034d422782395dd496472bd2d7b6d617f4d6ddc1f9
SHA512 30debb8e766b430a57f3f6649eeb04eb0aad75ab50423252585db7e28a974d629eb81844a05f5cb94c1702308d3feda7a7a99cb37458e2acb8e87efc486a1d33

C:\Users\Admin\AppData\Local\Temp\_MEI39442\base_library.zip

MD5 3b3654276bbb89fcba4df6a0a0fad8d6
SHA1 668cd7e62cb6449e820ce1c24484e7ab9c4ca9a4
SHA256 de67ef0597974ce98ac33c99d230f370284031ef62249d55c5d6210066874938
SHA512 ecade71b589213ba9bcf8f997e4ab1d1c7c2c78fb88d5f2d562f376986c005e9b98ffdbbd0988f6b5f50adff4cc46be1c076b377a6e6152014d5552effec4973

memory/3968-355-0x00007FF8D2380000-0x00007FF8D2394000-memory.dmp

memory/3968-394-0x00007FF8D22F0000-0x00007FF8D2312000-memory.dmp

memory/3968-395-0x00007FF8D80A0000-0x00007FF8D80AD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2etr05wj.gcj.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3968-411-0x00007FF8C9CF0000-0x00007FF8C9E0C000-memory.dmp

memory/3968-413-0x00007FF8D22D0000-0x00007FF8D22EB000-memory.dmp

memory/3968-414-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp

memory/3968-416-0x00007FF8D2130000-0x00007FF8D2162000-memory.dmp

memory/3968-415-0x00007FF8D2170000-0x00007FF8D21BD000-memory.dmp

memory/3968-454-0x00007FF8D80A0000-0x00007FF8D80AD000-memory.dmp

memory/3968-453-0x00007FF8D1FC0000-0x00007FF8D1FF7000-memory.dmp

memory/3968-455-0x00007FF8C7B50000-0x00007FF8C834B000-memory.dmp

memory/3968-446-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp

memory/3968-437-0x00007FF8C95C0000-0x00007FF8C9935000-memory.dmp

memory/3968-440-0x00007FF8D23C0000-0x00007FF8D23D2000-memory.dmp

memory/3968-439-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp

memory/3968-438-0x00007FF8C9E10000-0x00007FF8C9EC8000-memory.dmp

memory/3968-436-0x00007FF8D23E0000-0x00007FF8D240E000-memory.dmp

memory/3968-435-0x00007FF8C9ED0000-0x00007FF8CA043000-memory.dmp

memory/3968-428-0x00007FF8D2C10000-0x00007FF8D2C34000-memory.dmp

memory/3968-427-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp

memory/3968-476-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp

memory/3968-469-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp

memory/3968-457-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp

memory/3968-552-0x00007FF8D2380000-0x00007FF8D2394000-memory.dmp

memory/3968-567-0x00007FF8D2020000-0x00007FF8D202A000-memory.dmp

memory/3968-569-0x00007FF8D2000000-0x00007FF8D201E000-memory.dmp

memory/3968-568-0x00007FF8C95C0000-0x00007FF8C9935000-memory.dmp

memory/3968-572-0x00007FF8D80A0000-0x00007FF8D80AD000-memory.dmp

memory/3968-571-0x00007FF8D1FC0000-0x00007FF8D1FF7000-memory.dmp

memory/3968-570-0x00007FF8C7B50000-0x00007FF8C834B000-memory.dmp

memory/3968-566-0x00007FF8D2130000-0x00007FF8D2162000-memory.dmp

memory/3968-565-0x00007FF8D2170000-0x00007FF8D21BD000-memory.dmp

memory/3968-564-0x00007FF8D22B0000-0x00007FF8D22C9000-memory.dmp

memory/3968-563-0x00007FF8D22D0000-0x00007FF8D22EB000-memory.dmp

memory/3968-562-0x00007FF8C9CF0000-0x00007FF8C9E0C000-memory.dmp

memory/3968-561-0x00007FF8D22F0000-0x00007FF8D2312000-memory.dmp

memory/3968-560-0x00007FF8D2410000-0x00007FF8D2433000-memory.dmp

memory/3968-559-0x00007FF8D23A0000-0x00007FF8D23B4000-memory.dmp

memory/3968-558-0x00007FF8D23C0000-0x00007FF8D23D2000-memory.dmp

memory/3968-557-0x00007FF8D2BB0000-0x00007FF8D2BC5000-memory.dmp

memory/3968-556-0x00007FF8C9E10000-0x00007FF8C9EC8000-memory.dmp

memory/3968-555-0x00007FF8D2290000-0x00007FF8D22A1000-memory.dmp

memory/3968-554-0x00007FF8D23E0000-0x00007FF8D240E000-memory.dmp

memory/3968-553-0x00007FF8C9ED0000-0x00007FF8CA043000-memory.dmp

memory/3968-551-0x00007FF8D2440000-0x00007FF8D246D000-memory.dmp

memory/3968-550-0x00007FF8D2BD0000-0x00007FF8D2BE9000-memory.dmp

memory/3968-549-0x00007FF8D8000000-0x00007FF8D800D000-memory.dmp

memory/3968-548-0x00007FF8D2BF0000-0x00007FF8D2C09000-memory.dmp

memory/3968-547-0x00007FF8D8010000-0x00007FF8D801F000-memory.dmp

memory/3968-546-0x00007FF8D2C10000-0x00007FF8D2C34000-memory.dmp

memory/3968-545-0x00007FF8CA050000-0x00007FF8CA638000-memory.dmp

memory/2352-596-0x00007FF8DEDC0000-0x00007FF8DEE7D000-memory.dmp

memory/2352-597-0x0000000000A40000-0x00000000026C0000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-12-08 02:56

Reported

2024-12-08 03:26

Platform

win11-20241007-en

Max time kernel

1790s

Max time network

1770s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{DF6B8E13-EE6C-43B8-BF8D-C3FBC3C6BF78} C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4018527317-446799424-2810249686-1000\{E4DE1913-B4EC-4A44-A4C2-784489BD059C} C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1772 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1772 wrote to memory of 1992 N/A C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1996 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 1596 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 2716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 2716 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 1992 wrote to memory of 5040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe

"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004C0

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/Qt5NMSgdzU

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffd309c3cb8,0x7ffd309c3cc8,0x7ffd309c3cd8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1928 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2036 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2828 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3232 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4564 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3532 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=3768 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4664 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5416 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5448 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3464 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1908,2448007472644508691,14722913590813231741,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5768 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.dropbox.com udp
GB 162.125.64.18:443 www.dropbox.com tcp
GB 162.125.64.15:443 uc82265aa1bf70b82034d0969a7c.dl.dropboxusercontent.com tcp
US 8.8.8.8:53 discord.gg udp
US 162.159.136.234:443 discord.gg tcp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp
US 35.190.80.1:443 a.nel.cloudflare.com tcp
US 35.190.80.1:443 a.nel.cloudflare.com udp
N/A 224.0.0.251:5353 udp

Files

memory/1772-0-0x00000000006B0000-0x0000000002330000-memory.dmp

memory/1772-1-0x00007FFD5626A000-0x00007FFD5626B000-memory.dmp

memory/1772-2-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp

memory/1772-3-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp

memory/1772-4-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp

memory/1772-6-0x00000000006B0000-0x0000000002330000-memory.dmp

memory/1772-7-0x00000000006B0000-0x0000000002330000-memory.dmp

memory/1772-9-0x0000024623E50000-0x0000024623E51000-memory.dmp

memory/1772-10-0x000002463ECE0000-0x000002463ED92000-memory.dmp

memory/1772-11-0x00000000006B0000-0x0000000002330000-memory.dmp

memory/1772-12-0x00007FFD5626A000-0x00007FFD5626B000-memory.dmp

memory/1772-13-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp

memory/1772-14-0x000002463EFC0000-0x000002463EFE2000-memory.dmp

memory/1772-15-0x000002463F030000-0x000002463F244000-memory.dmp

memory/1772-18-0x000002463FE40000-0x000002463FE74000-memory.dmp

memory/1772-19-0x000002463FE70000-0x000002463FE8A000-memory.dmp

memory/1772-21-0x000002463F560000-0x000002463F574000-memory.dmp

memory/1772-20-0x000002463F550000-0x000002463F558000-memory.dmp

memory/1772-23-0x000002463FE90000-0x000002463FEC2000-memory.dmp

memory/1772-26-0x000002463FED0000-0x000002463FF16000-memory.dmp

memory/1772-28-0x000002463FF60000-0x000002463FF7E000-memory.dmp

memory/1772-29-0x000002463FF80000-0x000002463FF8B000-memory.dmp

memory/1772-27-0x000002463FF50000-0x000002463FF5D000-memory.dmp

memory/1772-30-0x00007FFD56250000-0x00007FFD5630D000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 051a939f60dced99602add88b5b71f58
SHA1 a71acd61be911ff6ff7e5a9e5965597c8c7c0765
SHA256 2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10
SHA512 a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

\??\pipe\LOCAL\crashpad_1992_DNURZWDCIOEEBKGX

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 003b92b33b2eb97e6c1a0929121829b8
SHA1 6f18e96c7a2e07fb5a80acb3c9916748fd48827a
SHA256 8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54
SHA512 18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 5a326674e6aff0a91291434bc35ecd23
SHA1 995a3afa79206d577ddc0811420a7a93d1027cdd
SHA256 6f0486475fd5e98b60d25f8bcad7f0ae9480a855b8ca87e59ec117693bf62b92
SHA512 faf2c777887b712fdd297effae6f0c0418f46de791afcb38256b9ab99a119b140741f392015bc3e84128914f1411442c07091c8c6ded8f6595ab0577a48f3b9c

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 6752a1d65b201c13b62ea44016eb221f
SHA1 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
SHA256 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
SHA512 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 15468e1db5b44a83d531e9fd6cb0ca8c
SHA1 30a27fda01fef7706f12e5dfc64b494d75e2a227
SHA256 0cc18bf9f60d11612e0c1afff676763e4c886dac618637f27148c7a1b56671e5
SHA512 de86450e9ec259c45c2f0ad6de63f3ee72115bdf78b9543e7dc671a8488bd1824a00e129d35335dc16219281061fb5324ff7b95184559146120008e92d3c0527

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 fe3a905fe1830565955d73db59f30f16
SHA1 67fad75e048fb6f50a26c1dd6bd7f47cb3222546
SHA256 66ea10051aaba5527da7c341a22b405c549d8866a0cb514f38081414dd83d78b
SHA512 76e65b1cbac524cba3ff0455e58e71f3e1602e48dd83b339feda8f3294a461121b01fcf51cd76a69de875c5e5a920f8e6dbadedb857650ecb0dd35a72ffff159

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 2ae94c806fa6c7ca409c21bb0e35ce59
SHA1 6cfb69dd603ab24b93b71abfccc2166d94599df3
SHA256 e42eda301d3bdcef3d62edef466763c169fd79e9bb49a7090ef99fcde8b3666e
SHA512 fe204124347debd9d9f9a424ddd2d81a1444b5337d5bc5e099f98cefff783460efcc5f8563ad376361ef0f5b93b5f3f9f72a9d35d27de69fc5baaacc06c9da88

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

MD5 6d6bf36b98e64069d4f73a1dd35b1b64
SHA1 390bf7f93308fbfe005e298f39f664fdb35a8708
SHA256 2921102d2301c87be9c6d1970b47a4e3744a6ca085f81ea2e97d9645f539dd50
SHA512 8591c03430c86ee1ec14e8d6f20c29087e5096597cc01bd57dfe35394fc8ca6fbc2866f5915270b47fc43f85164804feb8532c6401c1639843dbba1a75f6759d