51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b

Resubmissions

08-12-2024 15:39

241208-s3lswsspaq 9

08-12-2024 13:44

241208-q18hrszndn 10

Analysis

max time kernel
37s
max time network
39s
platform
windows11-21h2_x64
resource
win11-20241023-en
resource tags

arch:x64arch:x86image:win11-20241023-enlocale:en-usos:windows11-21h2-x64system
submitted
08-12-2024 15:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RippleSpoofer.exe
Size

15.6MB
MD5

76ed914a265f60ff93751afe02cf35a4
SHA1

4f8ea583e5999faaec38be4c66ff4849fcf715c6
SHA256

51bd245f8cb24c624674cd2bebcad4152d83273dab4d1ee7d982e74a0548890b
SHA512

83135f8b040b68cafb896c4624bd66be1ae98857907b9817701d46952d4be9aaf7ad1ab3754995363bb5192fa2c669c26f526cafc6c487b061c2edcceebde6ac
SSDEEP

393216:QAiUmWQEnjaa4cqmAa4ICSSF1a0HPRV8gtFlSiZh5ZlZ:bhnGhMAXSmHXFA+

Score

9^/10

discovery evasion pyinstaller themida trojan upx

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	RippleSpoofer.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	RippleSpoofer.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/memory/4208-6-0x00000000006E0000-0x0000000002360000-memory.dmp	themida
behavioral1/memory/4208-7-0x00000000006E0000-0x0000000002360000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RippleSpoofer.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4208	RippleSpoofer.exe

UPX packed file 16 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x001900000002ab9b-306.dat	upx
behavioral1/files/0x001900000002ab9b-307.dat	upx
behavioral1/memory/412-310-0x00007FF83D980000-0x00007FF83DF68000-memory.dmp	upx
behavioral1/memory/412-318-0x00007FF84BE00000-0x00007FF84BE24000-memory.dmp	upx
behavioral1/files/0x001900000002ab99-362.dat	upx
behavioral1/memory/412-363-0x00007FF84BDD0000-0x00007FF84BDE9000-memory.dmp	upx
behavioral1/memory/412-365-0x00007FF847100000-0x00007FF847119000-memory.dmp	upx
behavioral1/memory/412-368-0x00007FF83E470000-0x00007FF83E5E3000-memory.dmp	upx
behavioral1/memory/412-369-0x00007FF847070000-0x00007FF84709E000-memory.dmp	upx
behavioral1/memory/412-374-0x00007FF84BE00000-0x00007FF84BE24000-memory.dmp	upx
behavioral1/memory/412-373-0x00007FF83C1A0000-0x00007FF83C515000-memory.dmp	upx
behavioral1/memory/412-371-0x00007FF846C80000-0x00007FF846D38000-memory.dmp	upx
behavioral1/memory/412-377-0x00007FF846C60000-0x00007FF846C72000-memory.dmp	upx
behavioral1/memory/412-384-0x00007FF846240000-0x00007FF84625B000-memory.dmp	upx
behavioral1/memory/412-383-0x00007FF83E470000-0x00007FF83E5E3000-memory.dmp	upx
behavioral1/memory/412-385-0x00007FF847070000-0x00007FF84709E000-memory.dmp	upx

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x001f00000002aadf-215.dat	pyinstaller
behavioral1/files/0x001f00000002aadf-216.dat	pyinstaller
behavioral1/files/0x001f00000002aadf-303.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 6 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	RippleSpoofer.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemVersion	RippleSpoofer.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
4432	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-4248760313-3670024077-2384670640-1000\{EB9F991A-2934-49AF-B94D-29678F29AECF}	RippleSpoofer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
3152	msedge.exe
3152	msedge.exe
400	msedge.exe
400	msedge.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe
4208	RippleSpoofer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
400	msedge.exe
400	msedge.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4208	RippleSpoofer.exe
Token: 33	2524	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2524	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe
400	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4208 wrote to memory of 400	4208	RippleSpoofer.exe	82
PID 4208 wrote to memory of 400	4208	RippleSpoofer.exe	82
PID 400 wrote to memory of 2012	400	msedge.exe	83
PID 400 wrote to memory of 2012	400	msedge.exe	83
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 2864	400	msedge.exe	84
PID 400 wrote to memory of 3152	400	msedge.exe	85
PID 400 wrote to memory of 3152	400	msedge.exe	85
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86
PID 400 wrote to memory of 1420	400	msedge.exe	86

C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe
"C:\Users\Admin\AppData\Local\Temp\RippleSpoofer.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://justpaste.it/9fxdx
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff82eee3cb8,0x7ff82eee3cc8,0x7ff82eee3cd8
    3⤵
    PID:2012
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1956,17877293236018895582,5468998047684928084,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=2120 /prefetch:2
    3⤵
    PID:2864
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1956,17877293236018895582,5468998047684928084,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3152
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1956,17877293236018895582,5468998047684928084,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2712 /prefetch:8
    3⤵
    PID:1420
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17877293236018895582,5468998047684928084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3220 /prefetch:1
    3⤵
    PID:840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1956,17877293236018895582,5468998047684928084,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
    3⤵
    PID:4916
- C:\Windows\SYSTEM32\taskkill.exe
  "taskkill" /F /IM explorer.exe
  2⤵
  - Kills process with taskkill
  PID:4432
- C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
  "C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
  2⤵
  PID:2744
- - C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe
    "C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe"
    3⤵
    PID:412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "ver"
      4⤵
      PID:960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004D4 0x00000000000004BC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2524

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4784

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7bed1eca5620a49f52232fd55246d09a

SHA1
e429d9d401099a1917a6fb31ab2cf65fcee22030

SHA256
49c484f08c5e22ee6bec6d23681b26b0426ee37b54020f823a2908ab7d0d805e

SHA512
afc8f0b5b95d593f863ad32186d1af4ca333710bcfba86416800e79528616e7b15f8813a20c2cfa9d13688c151bf8c85db454a9eb5c956d6e49db84b4b222ee8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
5431d6602455a6db6e087223dd47f600

SHA1
27255756dfecd4e0afe4f1185e7708a3d07dea6e

SHA256
7502d9453168c86631fb40ec90567bf80404615d387afc7ec2beb7a075bcc763

SHA512
868f6dcf32ef80459f3ea122b0d2c79191193b5885c86934a97bfec7e64250e10c23e4d00f34c6c2387a04a15f3f266af96e571bbe37077fb374d6d30f35b829

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
19aa6d3d57dbeacbc36f04eed593f299

SHA1
857ca789f2f22c56eab4c51db2ea5e1b2575b08c

SHA256
253170727fc67a039593e1eda1dc2b8857357c396cd841d3d90633633f898156

SHA512
b23ef61bb948f3e6e84b66ae9cc4c98bd8c189d2e2f284311e59ed645cf01d8e7c69ea9a3c182018ffc514bea8a1a089eeb4509b0cc5b63d28ac8f175a693f0f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
180B

MD5
c859422b3034efd3e0095bddc7c2ddd9

SHA1
084d290add1638d99781fff06c088e7bbaf4370b

SHA256
99dd1fc25da40886aef6d09861631289ac8fdfe5ac18e7003d6eee96da236734

SHA512
b5fe0eb34061ecaea9c805ffbbe690e5cec753b8192d5de3e7ad88a11400bccec6806ab57ee7926a797a037785d8f4ffa69b91134382a059ce7890925fa06936

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c0ffa3d3e01c5c0254dc1a7ee6e873d9

SHA1
a48ecf3a30386b83994ece01881229859d38eed1

SHA256
26ac9d084044cf24eb4c99f220f2b62be18a688da1a69637a380f98776f22ac1

SHA512
85727258c88fb4cae6373a777d8beffbbbaf5d5d777ca4a42542af4e477dc3b8b90ccc0e4b8c9aefddc9d4077bc6c31215edbf913ac2fc008c287565ae216256

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1a1950807a581c69176c6415a4e5f36c

SHA1
363c66cf7ae3022aad72e5279a7f1550e84dc63c

SHA256
100cdbb9a0ac844729eb1c59891212b36cc708a2924b685c2e495be7e1bb6a6c

SHA512
bf5f6a06c7cd13105742005da4f1a3ed4b8fab4ce221decc01fb96aa79edb9008f3b534dec91903c3af5b0b953b8a97aa8a09e276e600a9159a45b5dc48c71dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6261e720ee9f234365df1e02533f8a46

SHA1
1c9dcd49fb670d6c0692433a3e7c627858565149

SHA256
3492fbd0c6fc67ea945256e4835428421e873deee201e6337fb11b6665318d8d

SHA512
91da56bd1cfad24adddf95629a87827caff86235190077302fee0f8b7e755f5bd197b3aec9ffd3a134c65333def4dd20733811be4fc1ab070c648a5e4d4159eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\amifldrv64.sys

Filesize
18KB

MD5
785045f8b25cd2e937ddc6b09debe01a

SHA1
029c678674f482ababe8bbfdb93152392457109d

SHA256
37073e42ffa0322500f90cd7e3c8d02c4cdd695d31c77e81560abec20bfb68ba

SHA512
40bbeb41816146c7172aa3cf27dace538908b7955171968e1cddcd84403b2588e0d8437a3596c2714ccdf4476eefa3d4e61d90ea118982b729f50b03df1104a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\amigendrv64.sys

Filesize
36KB

MD5
9accebd928a8926fecf317f53cd1c44e

SHA1
d7d71135cc3cf7320f8e63cefb6298dd44e5b1d4

SHA256
811e5d65df60dfb8c6e1713da708be16d9a13ef8dfcd1022d8d1dda52ed057b2

SHA512
2563402cc8e1402d9ac3a76a72b7dab0baa4ecd03629cc350e7199c7e1e1da4000e665bd02ac3a75fd9883fa678b924c8b73d88d8c50bf9d2ae59254a057911e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

Filesize
2.2MB

MD5
80654b54fc5cb64fb8a9f1305efcfb6a

SHA1
7de81fd4c66d6b94da561ef3f0d883a25712379c

SHA256
531a154862c2e2fde5d9bb7456467171007c7fa11c7a1c0ccd3f98f5ac953452

SHA512
faf20ee0b683f01ea4c75e602225fdc9d5cb0484f4ebe866645053de025f0f17732133581ab34d48b1df04aaa7bc652d64f79d58127339080ca2598c371d2c33

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

Filesize
2.1MB

MD5
c47c57ce06c540957ed62881724bdb6c

SHA1
efb378a295fe92af982b6420a50d6c097b48ca61

SHA256
af9d72dbd351e92a327bd1484cf9ebc287971ab718665f217fdf984bacfef76b

SHA512
7790e7bd74d1f7ac8aef0bcf8b9166df7eee32f150bd49be3abd219b286e07fe41737b7e54001358f046cc4eb3f855c8cd74c35d85bb4eb880770b777341dacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\mac.exe

Filesize
1.5MB

MD5
c02f4bc775c9941a1134d7b6f333ad4c

SHA1
642ae9436963badf584a1368ac329457ba4a74a2

SHA256
809585c2521eb22c78fca78b6be41d5b5953b28e15b1aea52367a72434b3f3f8

SHA512
3c246ab395141cf94503a8661b493dd6d96bed0c1920ebffe2c1d50967dee55678db7dbac847b2cac99a9aa6281748e0dd6d849f1be0a23270a269baf62d5c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid.EXE

Filesize
228KB

MD5
4d867033b27c8a603de4885b449c4923

SHA1
f1ace1a241bab6efb3c7059a68b6e9bbe258da83

SHA256
22a2484d7fa799e6e71e310141614884f3bc8dad8ac749b6f1c475b5398a72f3

SHA512
b5d6d4a58d8780a43e69964f80525905224fa020c0032e637cd25557097e331f63d156cceaaacfe1a692ca8cea8d8bd1b219468b6b8e4827c90febe1535a5702

Download Submit
C:\Users\Admin\AppData\Local\Temp\TempAppFiles\volumeid64.EXE

Filesize
165KB

MD5
81a45f1a91448313b76d2e6d5308aa7a

SHA1
0d615343d5de03da03bce52e11b233093b404083

SHA256
fb0d02ea26bb1e5df5a07147931caf1ae3d7d1d9b4d83f168b678e7f3a1c0ecd

SHA512
675662f84dfcbf33311f5830db70bff50b6e8a34a4a926de6369c446ea2b1cf8a63e9c94e5a5c2e1d226248f0361a1698448f82118ac4de5a92b64d8fdf8815d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\VCRUNTIME140.dll

Filesize
96KB

MD5
f12681a472b9dd04a812e16096514974

SHA1
6fd102eb3e0b0e6eef08118d71f28702d1a9067c

SHA256
d66c3b47091ceb3f8d3cc165a43d285ae919211a0c0fcb74491ee574d8d464f8

SHA512
7d3accbf84de73fb0c5c0de812a9ed600d39cd7ed0f99527ca86a57ce63f48765a370e913e3a46ffc2ccd48ee07d823dafdd157710eef9e7cc1eb7505dc323a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\base_library.zip

Filesize
1024KB

MD5
5befd5ac329f5fb9254475794f7c3353

SHA1
3d91a73c53414362528ba35993513abece491790

SHA256
8931ba1176ffb57b51047f9e9d10c56dbab6941bc581e11275cfb7bf5539fa21

SHA512
b29fc7210f2a7302b5729bf61013fbf07fc314140286f1b9d18a65beb6136dd7bd320466d79a32a47cd77297a81610ef657f1b955a3ce4f01d8bac6e72751fe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\pyexpat.pyd

Filesize
86KB

MD5
fe0e32bfe3764ed5321454e1a01c81ec

SHA1
7690690df0a73bdcc54f0f04b674fc8a9a8f45fb

SHA256
b399bff10812e9ea2c9800f74cb0e5002f9d9379baf1a3cef9d438caca35dc92

SHA512
d1777f9e684a9e4174e18651e6d921ae11757ecdbeb4ee678c6a28e0903a4b9ab9f6e1419670b4d428ee20f86c7d424177ed9daf4365cf2ee376fcd065c1c92d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\python311.dll

Filesize
1.1MB

MD5
6ae8ca2e729214e491827c1a71eb617b

SHA1
7a4d7d445b09ec0d59920857884f377e6bef3e1a

SHA256
cb35a2756a75621450d577d8c0c473ac0c5365512373066aa48f46a40eb4ba81

SHA512
2205f6f05ef37a3683f31d1594530a3c47a4c8cf6da32fd32de3bfc1a4d5c46f5f984526322fcb5f99d2363cb8ead9281be1f85ab71e50ae396f525bffb69e33

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\python311.dll

Filesize
1.2MB

MD5
7d547eb6fe4b96e2ee2ab9a74e7ff543

SHA1
fd17f697200fc8b7e2a87c458f85c467a3e5b5e8

SHA256
949d18d15cda3f28baaf734c88d329b9195c3ccb227f9216edc8d97c8a59d65a

SHA512
9aa042fed1cbf2f32ad86096baded3dd66dc637fa4bb79ff9d8d860d7302e1bd047ee57dd22d540b055c237e0d33f7555c3676877badeef8ffa009abfa9b7cb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\ucrtbase.dll

Filesize
1.1MB

MD5
3b337c2d41069b0a1e43e30f891c3813

SHA1
ebee2827b5cb153cbbb51c9718da1549fa80fc5c

SHA256
c04daeba7e7c4b711d33993ab4c51a2e087f98f4211aea0dcb3a216656ba0ab7

SHA512
fdb3012a71221447b35757ed2bdca6ed1f8833b2f81d03aabebd2cd7780a33a9c3d816535d03c5c3edd5aaf11d91156842b380e2a63135e3c7f87193ad211499

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI27442\ucrtbase.dll

Filesize
1.1MB

MD5
06ee5c9062a3555df0c192ea6d8bcd29

SHA1
7c59c8e54591a7e4327f2c056e9fd9f0efd8fd86

SHA256
d6389c7c52eb8c5da113cb1d37a5a2846bc76090df84a8ce2f262ae2997122a9

SHA512
c152c53d6916c99a8eb1c55540a9f15264a53ebfe670b086c56607b9e199be1adcc44056140e8bfb2533619d4c6f8b7660a7e6b7a9045cd0327b7f85e43e2391

Download Submit
memory/412-365-0x00007FF847100000-0x00007FF847119000-memory.dmp

Filesize
100KB

Download
memory/412-310-0x00007FF83D980000-0x00007FF83DF68000-memory.dmp

Filesize
5.9MB

Download
memory/412-388-0x0000024E80A00000-0x0000024E80D75000-memory.dmp

Filesize
3.5MB

Download
memory/412-385-0x00007FF847070000-0x00007FF84709E000-memory.dmp

Filesize
184KB

Download
memory/412-383-0x00007FF83E470000-0x00007FF83E5E3000-memory.dmp

Filesize
1.4MB

Download
memory/412-384-0x00007FF846240000-0x00007FF84625B000-memory.dmp

Filesize
108KB

Download
memory/412-377-0x00007FF846C60000-0x00007FF846C72000-memory.dmp

Filesize
72KB

Download
memory/412-371-0x00007FF846C80000-0x00007FF846D38000-memory.dmp

Filesize
736KB

Download
memory/412-372-0x0000024E80A00000-0x0000024E80D75000-memory.dmp

Filesize
3.5MB

Download
memory/412-373-0x00007FF83C1A0000-0x00007FF83C515000-memory.dmp

Filesize
3.5MB

Download
memory/412-374-0x00007FF84BE00000-0x00007FF84BE24000-memory.dmp

Filesize
144KB

Download
memory/412-369-0x00007FF847070000-0x00007FF84709E000-memory.dmp

Filesize
184KB

Download
memory/412-368-0x00007FF83E470000-0x00007FF83E5E3000-memory.dmp

Filesize
1.4MB

Download
memory/412-363-0x00007FF84BDD0000-0x00007FF84BDE9000-memory.dmp

Filesize
100KB

Download
memory/412-318-0x00007FF84BE00000-0x00007FF84BE24000-memory.dmp

Filesize
144KB

Download
memory/4208-10-0x000001CFA7F60000-0x000001CFA8012000-memory.dmp

Filesize
712KB

Download
memory/4208-6-0x00000000006E0000-0x0000000002360000-memory.dmp

Filesize
28.5MB

Download
memory/4208-3-0x00007FF854B00000-0x00007FF854BBD000-memory.dmp

Filesize
756KB

Download
memory/4208-28-0x000001CFAA510000-0x000001CFAA52E000-memory.dmp

Filesize
120KB

Download
memory/4208-27-0x000001CFAA500000-0x000001CFAA50D000-memory.dmp

Filesize
52KB

Download
memory/4208-20-0x000001CFAA400000-0x000001CFAA408000-memory.dmp

Filesize
32KB

Download
memory/4208-2-0x00007FF854B00000-0x00007FF854BBD000-memory.dmp

Filesize
756KB

Download
memory/4208-1-0x00007FF854B1A000-0x00007FF854B1B000-memory.dmp

Filesize
4KB

Download
memory/4208-0-0x00000000006E0000-0x0000000002360000-memory.dmp

Filesize
28.5MB

Download
memory/4208-4-0x00007FF854B00000-0x00007FF854BBD000-memory.dmp

Filesize
756KB

Download
memory/4208-23-0x000001CFAA440000-0x000001CFAA472000-memory.dmp

Filesize
200KB

Download
memory/4208-29-0x00007FF854B00000-0x00007FF854BBD000-memory.dmp

Filesize
756KB

Download
memory/4208-21-0x000001CFAA410000-0x000001CFAA424000-memory.dmp

Filesize
80KB

Download
memory/4208-7-0x00000000006E0000-0x0000000002360000-memory.dmp

Filesize
28.5MB

Download
memory/4208-9-0x000001CF8E900000-0x000001CF8E901000-memory.dmp

Filesize
4KB

Download
memory/4208-19-0x000001CFAA420000-0x000001CFAA43A000-memory.dmp

Filesize
104KB

Download
memory/4208-178-0x00007FF854B00000-0x00007FF854BBD000-memory.dmp

Filesize
756KB

Download
memory/4208-11-0x00000000006E0000-0x0000000002360000-memory.dmp

Filesize
28.5MB

Download
memory/4208-12-0x000001CFA8240000-0x000001CFA8262000-memory.dmp

Filesize
136KB

Download
memory/4208-13-0x000001CFA9750000-0x000001CFA9964000-memory.dmp

Filesize
2.1MB

Download
memory/4208-14-0x00007FF854B1A000-0x00007FF854B1B000-memory.dmp

Filesize
4KB

Download
memory/4208-15-0x00007FF854B00000-0x00007FF854BBD000-memory.dmp

Filesize
756KB

Download
memory/4208-18-0x000001CFAA3D0000-0x000001CFAA404000-memory.dmp

Filesize
208KB

Download
memory/4208-26-0x000001CFAA480000-0x000001CFAA4C6000-memory.dmp

Filesize
280KB

Download