discordrat | dac982d8d07391f73495e886eb7277ad8445be16b3a8dc3d0a5b3b9fb0a13f8c

Analysis

max time kernel
1792s
max time network
1754s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
03-03-2024 14:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-built.rar
Size

26KB
MD5

af6ba1335e0280e3e81800867ef4b052
SHA1

de53c6ceebe7804aeadd1e7f242dfe9de194d704
SHA256

dac982d8d07391f73495e886eb7277ad8445be16b3a8dc3d0a5b3b9fb0a13f8c
SHA512

5881e64faa31108a0c15ed249f2a92c2486847d7ad7fe0690b4a96a0a97ca04a2d9a55c79537097789a5400a7fe12565a5d82a063970bdd5abc2944e422008fe
SSDEEP

384:0UYBxLr1xkQzUHfTY5JgUIszmOXVRjL4bSb6yj7V2kUMOTEvsFOViblaRGZyy2ek:zYzkQzsYJVRjkba6yj5LOgU6ibk3PAm

Score

10^/10

discordrat discovery persistence pyinstaller rat rootkit stealer upx

Malware Config

Extracted

Family

discordrat

Attributes

discord_token
MTIxMzc4NjIyMjY3NDA1OTMwNA.Ga_JWI.Tfk53S1SynerFLVaAliLbWMY1LaRnEWzOfbeNY
server_id
1213786686736048158

Signatures

Discord RAT
A RAT written in C# using Discord as a C2.
stealer rootkit rat persistence discordrat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 6 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	spotify.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	SpotifySetup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Synaptics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Spotify.exe
Key value queried	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Control Panel\International\Geo\Nation	Spotify.exe

Executes dropped EXE 19 IoCs

pid	Process
2492	Client-built.exe
4340	Client-built.exe
2116	spotify.exe
1180	Panelv4.exe
1324	SpotifySetup.exe
184	Panelv4.exe
4800	._cache_SpotifySetup.exe
2200	Synaptics.exe
4436	._cache_Synaptics.exe
3252	SpWebInst0.exe
5140	Spotify.exe
5232	Spotify.exe
5380	Spotify.exe
5664	Spotify.exe
5784	Spotify.exe
5812	Spotify.exe
3616	Client-built.exe
3576	Client-built.exe
5628	Client-built.exe

Loads dropped DLL 64 IoCs

pid	Process
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
2200	Synaptics.exe
2200	Synaptics.exe
2200	Synaptics.exe
2200	Synaptics.exe
2200	Synaptics.exe
5140	Spotify.exe
5140	Spotify.exe
5232	Spotify.exe
5232	Spotify.exe
5380	Spotify.exe
5380	Spotify.exe
5380	Spotify.exe
5380	Spotify.exe
5380	Spotify.exe
5380	Spotify.exe
5784	Spotify.exe
5784	Spotify.exe

UPX packed file 64 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/184-625-0x00007FFF8ED90000-0x00007FFF8F469000-memory.dmp	upx
behavioral1/files/0x0007000000023381-633.dat	upx
behavioral1/memory/184-635-0x00007FFFA7D30000-0x00007FFFA7D55000-memory.dmp	upx
behavioral1/files/0x000700000002336a-665.dat	upx
behavioral1/files/0x0007000000023365-715.dat	upx
behavioral1/memory/184-717-0x00007FFFAC070000-0x00007FFFAC07D000-memory.dmp	upx
behavioral1/memory/184-719-0x00007FFFA8A50000-0x00007FFFA8A5D000-memory.dmp	upx
behavioral1/memory/184-718-0x00007FFFAC040000-0x00007FFFAC04D000-memory.dmp	upx
behavioral1/memory/184-716-0x00007FFFA84F0000-0x00007FFFA8509000-memory.dmp	upx
behavioral1/memory/184-714-0x00007FFFA8460000-0x00007FFFA8479000-memory.dmp	upx
behavioral1/memory/184-736-0x00007FFF98690000-0x00007FFF986C3000-memory.dmp	upx
behavioral1/memory/184-743-0x00007FFF8FED0000-0x00007FFF903F9000-memory.dmp	upx
behavioral1/memory/184-762-0x00007FFF985C0000-0x00007FFF9868D000-memory.dmp	upx
behavioral1/files/0x0007000000023364-794.dat	upx
behavioral1/memory/184-804-0x00007FFFA7580000-0x00007FFFA7592000-memory.dmp	upx
behavioral1/memory/184-810-0x00007FFF984E0000-0x00007FFF98504000-memory.dmp	upx
behavioral1/memory/184-811-0x00007FFF92010000-0x00007FFF92186000-memory.dmp	upx
behavioral1/memory/184-812-0x00007FFFA7CA0000-0x00007FFFA7CB6000-memory.dmp	upx
behavioral1/files/0x0007000000023384-809.dat	upx
behavioral1/memory/184-815-0x00007FFFA35C0000-0x00007FFFA35D8000-memory.dmp	upx
behavioral1/memory/184-817-0x00007FFF98490000-0x00007FFF984B7000-memory.dmp	upx
behavioral1/memory/184-818-0x00007FFF981C0000-0x00007FFF982DB000-memory.dmp	upx
behavioral1/memory/184-862-0x00007FFFA2BE0000-0x00007FFFA2BEC000-memory.dmp	upx
behavioral1/memory/184-870-0x00007FFFA25C0000-0x00007FFFA25CC000-memory.dmp	upx
behavioral1/memory/184-871-0x00007FFFA2580000-0x00007FFFA258B000-memory.dmp	upx
behavioral1/memory/184-872-0x00007FFFA12E0000-0x00007FFFA12EC000-memory.dmp	upx
behavioral1/memory/184-873-0x00007FFF99570000-0x00007FFF9957C000-memory.dmp	upx
behavioral1/memory/184-874-0x00007FFF981B0000-0x00007FFF981BC000-memory.dmp	upx
behavioral1/memory/184-877-0x00007FFF92BE0000-0x00007FFF92BEC000-memory.dmp	upx
behavioral1/memory/184-878-0x00007FFF92BD0000-0x00007FFF92BDC000-memory.dmp	upx
behavioral1/memory/184-879-0x00007FFF92BC0000-0x00007FFF92BCD000-memory.dmp	upx
behavioral1/memory/184-881-0x00007FFF92B90000-0x00007FFF92B9C000-memory.dmp	upx
behavioral1/memory/184-880-0x00007FFF92BA0000-0x00007FFF92BB2000-memory.dmp	upx
behavioral1/memory/184-876-0x00007FFF92BF0000-0x00007FFF92BFB000-memory.dmp	upx
behavioral1/memory/184-886-0x00007FFF90B30000-0x00007FFF90DB3000-memory.dmp	upx
behavioral1/memory/184-894-0x00007FFFA66A0000-0x00007FFFA66AB000-memory.dmp	upx
behavioral1/memory/184-895-0x00007FFF99390000-0x00007FFF9939E000-memory.dmp	upx
behavioral1/memory/184-900-0x00007FFF92B50000-0x00007FFF92B79000-memory.dmp	upx
behavioral1/memory/184-899-0x00007FFF8ED90000-0x00007FFF8F469000-memory.dmp	upx
behavioral1/memory/184-891-0x00007FFFA7D20000-0x00007FFFA7D2B000-memory.dmp	upx
behavioral1/memory/184-890-0x00007FFF92B20000-0x00007FFF92B4E000-memory.dmp	upx
behavioral1/memory/184-875-0x00007FFF92C00000-0x00007FFF92C0B000-memory.dmp	upx
behavioral1/memory/184-869-0x00007FFFA28E0000-0x00007FFFA28EB000-memory.dmp	upx
behavioral1/memory/184-819-0x00007FFFA3410000-0x00007FFFA341B000-memory.dmp	upx
behavioral1/memory/184-902-0x00007FFFA7D30000-0x00007FFFA7D55000-memory.dmp	upx
behavioral1/memory/184-904-0x00007FFFA84F0000-0x00007FFFA8509000-memory.dmp	upx
behavioral1/memory/184-905-0x00007FFFA0FF0000-0x00007FFFA101D000-memory.dmp	upx
behavioral1/memory/184-906-0x00007FFFAC070000-0x00007FFFAC07D000-memory.dmp	upx
behavioral1/memory/184-907-0x00007FFF98770000-0x00007FFF987A5000-memory.dmp	upx
behavioral1/memory/184-908-0x00007FFFA8460000-0x00007FFFA8479000-memory.dmp	upx
behavioral1/memory/184-909-0x00007FFFAC040000-0x00007FFFAC04D000-memory.dmp	upx
behavioral1/memory/184-910-0x00007FFFA8A50000-0x00007FFFA8A5D000-memory.dmp	upx
behavioral1/memory/184-911-0x00007FFF98690000-0x00007FFF986C3000-memory.dmp	upx
behavioral1/memory/184-912-0x00007FFF8FED0000-0x00007FFF903F9000-memory.dmp	upx
behavioral1/memory/184-913-0x00007FFF985C0000-0x00007FFF9868D000-memory.dmp	upx
behavioral1/memory/184-914-0x00007FFFA7CA0000-0x00007FFFA7CB6000-memory.dmp	upx
behavioral1/memory/184-916-0x00007FFF984E0000-0x00007FFF98504000-memory.dmp	upx
behavioral1/memory/184-918-0x00007FFFA35C0000-0x00007FFFA35D8000-memory.dmp	upx
behavioral1/memory/184-921-0x00007FFF98490000-0x00007FFF984B7000-memory.dmp	upx
behavioral1/memory/184-922-0x00007FFF981C0000-0x00007FFF982DB000-memory.dmp	upx
behavioral1/memory/184-926-0x00007FFFA28E0000-0x00007FFFA28EB000-memory.dmp	upx
behavioral1/memory/184-927-0x00007FFFA25C0000-0x00007FFFA25CC000-memory.dmp	upx
behavioral1/memory/184-930-0x00007FFF99570000-0x00007FFF9957C000-memory.dmp	upx
behavioral1/memory/184-932-0x00007FFF981B0000-0x00007FFF981BC000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	SpotifySetup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized"	Spotify.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
353	api.ipify.org
355	api.ipify.org

Detects Pyinstaller 3 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023322-514.dat	pyinstaller
behavioral1/files/0x0007000000023322-519.dat	pyinstaller
behavioral1/files/0x0007000000023322-618.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies Internet Explorer settings 1 TTPs 13 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}	Spotify.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify"	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights	Spotify.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppName = "Spotify.exe"	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}	Spotify.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify"	Spotify.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppName = "Spotify.exe"	Spotify.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\Policy = "3"	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop	Spotify.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\Policy = "3"	Spotify.exe

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\spotify	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\spotify\shell	Spotify.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\URL Protocol	Spotify.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open	Spotify.exe
Key deleted	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\spotify\shell\open\ddeexec	Spotify.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\DefaultIcon	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	SpotifySetup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\ddeexec	Spotify.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\ddeexec	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\spotify\shell\open\ddeexec	Spotify.exe
Key created	\REGISTRY\USER\S-1-5-21-275798769-4264537674-1142822080-1000_Classes\spotify\shell\open	Spotify.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe\",0"	Spotify.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\command	Spotify.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe\" --protocol-uri=\"%1\""	Spotify.exe
Key created	\REGISTRY\MACHINE\Software\Classes\spotify	Spotify.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell	Spotify.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\spotify.rar:Zone.Identifier	firefox.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4476	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe
184	Panelv4.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2624	7zFM.exe
4120	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	2624	7zFM.exe
Token: 35	2624	7zFM.exe
Token: SeSecurityPrivilege	2624	7zFM.exe
Token: SeDebugPrivilege	2492	Client-built.exe
Token: SeDebugPrivilege	4340	Client-built.exe
Token: SeDebugPrivilege	2208	firefox.exe
Token: SeDebugPrivilege	2208	firefox.exe
Token: SeDebugPrivilege	2208	firefox.exe
Token: SeRestorePrivilege	4120	7zFM.exe
Token: 35	4120	7zFM.exe
Token: SeSecurityPrivilege	4120	7zFM.exe
Token: SeDebugPrivilege	184	Panelv4.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemProfilePrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeProfSingleProcessPrivilege	3600	WMIC.exe
Token: SeIncBasePriorityPrivilege	3600	WMIC.exe
Token: SeCreatePagefilePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeDebugPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeRemoteShutdownPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe
Token: 33	3600	WMIC.exe
Token: 34	3600	WMIC.exe
Token: 35	3600	WMIC.exe
Token: 36	3600	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3600	WMIC.exe
Token: SeSecurityPrivilege	3600	WMIC.exe
Token: SeTakeOwnershipPrivilege	3600	WMIC.exe
Token: SeLoadDriverPrivilege	3600	WMIC.exe
Token: SeSystemProfilePrivilege	3600	WMIC.exe
Token: SeSystemtimePrivilege	3600	WMIC.exe
Token: SeProfSingleProcessPrivilege	3600	WMIC.exe
Token: SeIncBasePriorityPrivilege	3600	WMIC.exe
Token: SeCreatePagefilePrivilege	3600	WMIC.exe
Token: SeBackupPrivilege	3600	WMIC.exe
Token: SeRestorePrivilege	3600	WMIC.exe
Token: SeShutdownPrivilege	3600	WMIC.exe
Token: SeDebugPrivilege	3600	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3600	WMIC.exe
Token: SeRemoteShutdownPrivilege	3600	WMIC.exe
Token: SeUndockPrivilege	3600	WMIC.exe
Token: SeManageVolumePrivilege	3600	WMIC.exe
Token: 33	3600	WMIC.exe
Token: 34	3600	WMIC.exe
Token: 35	3600	WMIC.exe
Token: 36	3600	WMIC.exe
Token: SeShutdownPrivilege	5140	Spotify.exe
Token: SeCreatePagefilePrivilege	5140	Spotify.exe
Token: SeShutdownPrivilege	5140	Spotify.exe
Token: SeCreatePagefilePrivilege	5140	Spotify.exe
Token: SeShutdownPrivilege	5140	Spotify.exe
Token: SeCreatePagefilePrivilege	5140	Spotify.exe
Token: SeShutdownPrivilege	5140	Spotify.exe
Token: SeCreatePagefilePrivilege	5140	Spotify.exe
Token: SeDebugPrivilege	2208	firefox.exe
Token: SeDebugPrivilege	2208	firefox.exe

Suspicious use of FindShellTrayWindow 19 IoCs

pid	Process
2624	7zFM.exe
2624	7zFM.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
4120	7zFM.exe
4120	7zFM.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe

Suspicious use of SendNotifyMessage 13 IoCs

pid	Process
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe
5140	Spotify.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
2208	firefox.exe
4476	EXCEL.EXE
4476	EXCEL.EXE
4476	EXCEL.EXE
4476	EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3376 wrote to memory of 2624	3376	cmd.exe	90
PID 3376 wrote to memory of 2624	3376	cmd.exe	90
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 4436 wrote to memory of 2208	4436	firefox.exe	103
PID 2208 wrote to memory of 4828	2208	firefox.exe	104
PID 2208 wrote to memory of 4828	2208	firefox.exe	104
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3232	2208	firefox.exe	105
PID 2208 wrote to memory of 3548	2208	firefox.exe	106

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Client-built.rar
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Client-built.rar"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:2624

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2492

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4340

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4436
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2208
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.0.855721821\1933666677" -parentBuildID 20221007134813 -prefsHandle 1900 -prefMapHandle 1892 -prefsLen 20749 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c0c45f9a-dab2-4e0b-8326-7a3d8b6d3f32} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 1992 2bb53dd7758 gpu
    3⤵
    PID:4828
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.1.379244565\678434123" -parentBuildID 20221007134813 -prefsHandle 2364 -prefMapHandle 2360 -prefsLen 20785 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {54042cd0-98a2-4e95-9463-a360a4df260f} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 2392 2bb53cfc058 socket
    3⤵
    PID:3232
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.2.176678706\2032217201" -childID 1 -isForBrowser -prefsHandle 3088 -prefMapHandle 3084 -prefsLen 20888 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d6ec7681-f546-4602-b543-af757650a471} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 3100 2bb57e9f458 tab
    3⤵
    PID:3548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.3.821206949\2091358563" -childID 2 -isForBrowser -prefsHandle 3560 -prefMapHandle 3556 -prefsLen 26066 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a47c105a-8bf8-43a8-80de-a925bbd0264b} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 3572 2bb58492158 tab
    3⤵
    PID:4740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.4.561070786\1635464063" -childID 3 -isForBrowser -prefsHandle 4304 -prefMapHandle 4300 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a68fdd46-d8ba-45fb-baa3-818bcfd943a0} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 4176 2bb592d9258 tab
    3⤵
    PID:4392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.5.748244019\1162507007" -childID 4 -isForBrowser -prefsHandle 5168 -prefMapHandle 5148 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e5eb39ba-0391-48a4-9f1c-99ea104107db} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 5180 2bb59fb0a58 tab
    3⤵
    PID:2568
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.6.456914403\2056915636" -childID 5 -isForBrowser -prefsHandle 5308 -prefMapHandle 5312 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f97c4bfb-6211-4c38-bae6-a3f4a863e6b1} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 5300 2bb5a344f58 tab
    3⤵
    PID:4384
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.7.332860230\399724082" -childID 6 -isForBrowser -prefsHandle 5500 -prefMapHandle 5504 -prefsLen 26125 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9f8d65fc-dcb3-4677-9224-e995094251af} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 5492 2bb5a344358 tab
    3⤵
    PID:4240
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.8.1438492717\417006901" -childID 7 -isForBrowser -prefsHandle 6148 -prefMapHandle 6112 -prefsLen 26550 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87d3222a-9c27-476a-af4e-a6a348916f6b} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 6160 2bb5bc6b558 tab
    3⤵
    PID:1724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.9.805550196\411060822" -childID 8 -isForBrowser -prefsHandle 5900 -prefMapHandle 6368 -prefsLen 26725 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {84a61dc9-d52f-42b7-99d0-2d1a3c4d984c} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 10164 2bb5ca84c58 tab
    3⤵
    PID:5104
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.10.1861009891\1691108216" -childID 9 -isForBrowser -prefsHandle 5300 -prefMapHandle 5192 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f0c2f5cf-a332-430b-a883-07c411e1b3cc} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 5676 2bb5b499258 tab
    3⤵
    PID:5108
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.11.494705826\748420011" -childID 10 -isForBrowser -prefsHandle 5196 -prefMapHandle 9876 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c2e1b60b-d660-44fa-bfac-1afc09b80d9e} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 9824 2bb5b49a458 tab
    3⤵
    PID:2704
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.12.26832943\1311579034" -childID 11 -isForBrowser -prefsHandle 9644 -prefMapHandle 9640 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3234c910-98e9-4d4e-9f9d-1b76b05e1652} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 9652 2bb5b499858 tab
    3⤵
    PID:3116
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.13.912165863\1135027831" -childID 12 -isForBrowser -prefsHandle 5240 -prefMapHandle 5276 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {17a19a13-ee92-4d4c-bf3b-55598e86f9ba} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 10196 2bb5ca82858 tab
    3⤵
    PID:4592
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="2208.14.1736833607\940648418" -childID 13 -isForBrowser -prefsHandle 9824 -prefMapHandle 9772 -prefsLen 26765 -prefMapSize 233444 -jsInitHandle 1148 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ca27b7c7-58aa-486e-835b-31e4c5fb8ab3} 2208 "\\.\pipe\gecko-crash-server-pipe.2208" 9452 2bb5648ab58 tab
    3⤵
    PID:2628

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\spotify.rar"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4120

C:\Users\Admin\Desktop\spotify.exe
"C:\Users\Admin\Desktop\spotify.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:2116
- C:\Users\Admin\Desktop\Panelv4.exe
  "C:\Users\Admin\Desktop\Panelv4.exe"
  2⤵
  - Executes dropped EXE
  PID:1180
- - C:\Users\Admin\Desktop\Panelv4.exe
    "C:\Users\Admin\Desktop\Panelv4.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c "C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid"
      4⤵
      PID:4476
    - - C:\Windows\System32\wbem\WMIC.exe
        
        C:\\Windows\\System32\\wbem\\WMIC.exe csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
- C:\Users\Admin\Desktop\SpotifySetup.exe
  "C:\Users\Admin\Desktop\SpotifySetup.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Modifies registry class
  PID:1324
- - C:\Users\Admin\Desktop\._cache_SpotifySetup.exe
    "C:\Users\Admin\Desktop\._cache_SpotifySetup.exe"
    3⤵
    - Executes dropped EXE
    PID:4800
  - - C:\Users\Admin\AppData\Roaming\Spotify\SpWebInst0.exe
      SpWebInst0.exe /webinstall
      4⤵
      Executes dropped EXE
      PID:3252
    - - C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
        
        Spotify.exe
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        Modifies Internet Explorer settings
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:5140
      - C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
        
        C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win64 --annotation=product=spotify --annotation=version=1.2.32.997 --initial-client-data=0x394,0x398,0x39c,0x390,0x3a0,0x7fff9116cf38,0x7fff9116cf44,0x7fff9116cf50
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5232
      - C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
        
        "C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=gpu-process --log-severity=disable --user-agent-product="Chrome/121.0.6167.184 Spotify/1.2.32.997" --lang=en --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --mojo-platform-channel-handle=1696 --field-trial-handle=1700,i,11962985718345222226,10657778386352788872,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:2
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5380
      - C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
        
        "C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --log-severity=disable --user-agent-product="Chrome/121.0.6167.184 Spotify/1.2.32.997" --lang=en --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --mojo-platform-channel-handle=3036 --field-trial-handle=1700,i,11962985718345222226,10657778386352788872,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8
        6⤵
        Executes dropped EXE
        
        PID:5664
      - C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
        
        "C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --log-severity=disable --user-agent-product="Chrome/121.0.6167.184 Spotify/1.2.32.997" --lang=en --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --mojo-platform-channel-handle=3992 --field-trial-handle=1700,i,11962985718345222226,10657778386352788872,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:8
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:5784
      - C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
        
        "C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=renderer --log-severity=disable --user-agent-product="Chrome/121.0.6167.184 Spotify/1.2.32.997" --disable-spell-checking --user-data-dir="C:\Users\Admin\AppData\Local\Spotify" --first-renderer-process --autoplay-policy=no-user-gesture-required --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=4044 --field-trial-handle=1700,i,11962985718345222226,10657778386352788872,262144 --disable-features=BackForwardCache,CalculateNativeWinOcclusion,DocumentPictureInPictureAPI --variations-seed-version /prefetch:1
        6⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5812
- - C:\ProgramData\Synaptics\Synaptics.exe
    "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Modifies registry class
    PID:2200
  - - C:\Users\Admin\Desktop\._cache_Synaptics.exe
      "C:\Users\Admin\Desktop\._cache_Synaptics.exe" InjUpdate
      4⤵
      Executes dropped EXE
      PID:4436

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4476

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3616

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3576

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:5628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\on1px6pk.default-release\cache2\doomed\5783

Filesize
10KB

MD5
9d6dda58147a6c61f812975d42455711

SHA1
b29e5e0bfa5299a387f3d41af46d6d19a7b6b587

SHA256
b0e427e1d739d8e547912aceeaa11749c065a787c7f17de0aeca4908ebf67c31

SHA512
27b6949eaf76abcdff0d585fa6bcc4706a2f8273a19bdca0a90ee78a443e5cf221fe452c03cd038baa6a1a1e51a9962a936ecb41558e4b5b6f1ecc80b8e0df03

Download Submit
C:\Users\Admin\AppData\Local\Spotify\Browser\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
5cb9748d07b6aa39391f9560d44ed719

SHA1
83f7ab01ea46a54a602bfbd169ed6b8d6e8228a9

SHA256
9e867e7ec2a5f13f5f1ea63ef3a1c3327d5dc178c5da66470ac7a4dbf6c943f1

SHA512
deb07401e2f7e92ed626916eb3b44b9516cf6ab096539a60dfec3b73fe682c08f456f7bbbbe1dfdacca25bc207220585dc60dea3236b2750e06af9e5b2f94ca2

Download Submit
C:\Users\Admin\AppData\Local\Spotify\Browser\Code Cache\js\index-dir\the-real-index

Filesize
96B

MD5
1b6d55443fed60821166f921fb6332d5

SHA1
ad98ee9bfa3dfbb4bf36438f2882b46a25d25969

SHA256
de3ad886bba2ac38bac2a04f91738048e29922d461a25b8af3ade7073577bfee

SHA512
8456e068b1b6d5f95cb9f18a1bb0aa02e7bb026accffe273278a8a6f177ab231f9ab30ec9bcb8a026d2f85bb2f67c834b50f89f0d0914d2ebfa14fdd9df6ad7b

Download Submit
C:\Users\Admin\AppData\Local\Spotify\Browser\DawnCache\data_0

Filesize
8KB

MD5
cf89d16bb9107c631daabf0c0ee58efb

SHA1
3ae5d3a7cf1f94a56e42f9a58d90a0b9616ae74b

SHA256
d6a5fe39cd672781b256e0e3102f7022635f1d4bb7cfcc90a80fffe4d0f3877e

SHA512
8cb5b059c8105eb91e74a7d5952437aaa1ada89763c5843e7b0f1b93d9ebe15ed40f287c652229291fac02d712cf7ff5ececef276ba0d7ddc35558a3ec3f77b0

Download Submit
C:\Users\Admin\AppData\Local\Spotify\Browser\DawnCache\data_1

Filesize
264KB

MD5
d0d388f3865d0523e451d6ba0be34cc4

SHA1
8571c6a52aacc2747c048e3419e5657b74612995

SHA256
902f30c1fb0597d0734bc34b979ec5d131f8f39a4b71b338083821216ec8d61b

SHA512
376011d00de659eb6082a74e862cfac97a9bb508e0b740761505142e2d24ec1c30aa61efbc1c0dd08ff0f34734444de7f77dd90a6ca42b48a4c7fad5f0bddd17

Download Submit
C:\Users\Admin\AppData\Local\Spotify\Browser\DawnCache\data_2

Filesize
8KB

MD5
0962291d6d367570bee5454721c17e11

SHA1
59d10a893ef321a706a9255176761366115bedcb

SHA256
ec1702806f4cc7c42a82fc2b38e89835fde7c64bb32060e0823c9077ca92efb7

SHA512
f555e961b69e09628eaf9c61f465871e6984cd4d31014f954bb747351dad9cea6d17c1db4bca2c1eb7f187cb5f3c0518748c339c8b43bbd1dbd94aeaa16f58ed

Download Submit
C:\Users\Admin\AppData\Local\Spotify\Browser\DawnCache\data_3

Filesize
8KB

MD5
41876349cb12d6db992f1309f22df3f0

SHA1
5cf26b3420fc0302cd0a71e8d029739b8765be27

SHA256
e09f42c398d688dce168570291f1f92d079987deda3099a34adb9e8c0522b30c

SHA512
e9a4fc1f7cb6ae2901f8e02354a92c4aaa7a53c640dcf692db42a27a5acc2a3bfb25a0de0eb08ab53983132016e7d43132ea4292e439bb636aafd53fb6ef907e

Download Submit
C:\Users\Admin\AppData\Local\Spotify\Browser\Local Storage\leveldb\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Spotify\public.ldb\000002.dbtmp

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Spotify\public.ldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\VCRUNTIME140.dll

Filesize
116KB

MD5
be8dbe2dc77ebe7f88f910c61aec691a

SHA1
a19f08bb2b1c1de5bb61daf9f2304531321e0e40

SHA256
4d292623516f65c80482081e62d5dadb759dc16e851de5db24c3cbb57b87db83

SHA512
0da644472b374f1da449a06623983d0477405b5229e386accadb154b43b8b083ee89f07c3f04d2c0c7501ead99ad95aecaa5873ff34c5eeb833285b598d5a655

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\VCRUNTIME140_1.dll

Filesize
48KB

MD5
f8dfa78045620cf8a732e67d1b1eb53d

SHA1
ff9a604d8c99405bfdbbf4295825d3fcbc792704

SHA256
a113f192195f245f17389e6ecbed8005990bcb2476ddad33f7c4c6c86327afe5

SHA512
ba7f8b7ab0deb7a7113124c28092b543e216ca08d1cf158d9f40a326fb69f4a2511a41a59ea8482a10c9ec4ec8ac69b70dfe9ca65e525097d93b819d498da371

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_asyncio.pyd

Filesize
37KB

MD5
b72e9a2f4d4389175e96cd4086b27aac

SHA1
2acfa17bb063ee9cf36fadbac802e95551d70d85

SHA256
f9924bbead1aca98422ba421f5139a4c147559aae5928dfd2f6aada20cb6bb42

SHA512
b55f40451fa9bdd62c761823613fcfe734aaa28e26fb02a9620ad39ab7539c9257eac8cc10d4a3f2390c23a4d951cc02d695498530a4c1d91b4e51e625316e06

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_bz2.pyd

Filesize
48KB

MD5
f991618bfd497e87441d2628c39ea413

SHA1
98819134d64f44f83a18985c2ec1e9ee8b949290

SHA256
333c06fad79094d43465d128d68078296c925d1ea2b6b5bf13072a8d5cb65e7e

SHA512
3a9ecb293abedcdba3493feb7d19f987735ced5a5194abaa1d1e00946e7ea0f878dd71868eb3d9bfec80432df862367661b825c9e71409c60ec73d1708a63ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_cffi_backend.cp312-win_amd64.pyd

Filesize
71KB

MD5
886da52cb1d06bd17acbd5c29355a3f5

SHA1
45dee87aefb1300ec51f612c3b2a204874be6f28

SHA256
770d04ebe9f4d8271659ba9bf186b8ae422fdd76f7293dbc84be78d9d6dd92cc

SHA512
d6c7a90b8fa017f72f499943d73e4015f2eec0e46188c27848892a99be35e0ecbda1f692630863b89109b04636e813ddad2051f323a24b4d373192a6b67cf978

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_ctypes.pyd

Filesize
59KB

MD5
76288ffffdce92111c79636f71b9bc9d

SHA1
15c10dcd31dab89522bf5b790e912dc7e6b3183b

SHA256
192cc2ac818c78cd21e9f969a95c0ff777d4cd5f79ae51ab7c366d2b8540f6a1

SHA512
29efc143cd72bf886e9bf54463706484f22222f024bd7e8cb206c32f40b76d823efd36061b05bbd6bcf562f83d95449acb3f1440c95e63750c643c15a10816c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_decimal.pyd

Filesize
105KB

MD5
c2f5d61323fb7d08f90231300658c299

SHA1
a6b15204980e28fc660b5a23194348e6aded83fc

SHA256
a8ea1e613149d04e7ce637413aad6df636556916902718f64e57fdff44f959bb

SHA512
df22676b5268175562574078459820f11eedb06f2845c86398c54861e9e3fb92547e7341b497fb0e79e9d3abba655e6593b1049bf78818c0ba7b9c96e3748606

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_hashlib.pyd

Filesize
35KB

MD5
caaea46ee25211cbdc762feb95dc1e4d

SHA1
1f900cc99c02f4300d65628c1b22ddf8f39a94d4

SHA256
3ef6e0e5bf3f1ea9713f534c496a96eded9d3394a64324b046a61222dab5073b

SHA512
68c2b1634fcca930c1651f550494a2ef187cf52dce8ff28f410ebed4d84487e3b08f6f70223a83b5313c564dcd293748f3c22f2a4218218e634e924c8390cf9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_lzma.pyd

Filesize
86KB

MD5
f07f0cfe4bc118aebcde63740635a565

SHA1
44ee88102830434bb9245934d6d4456c77c7b649

SHA256
cc5302895aa164d5667d0df3ebeeee804384889b01d38182b3f7179f3c4ff8c0

SHA512
fcd701903ccd454a661c27835b53f738d947f38e9d67620f52f12781a293e42ae6b96c260600396883d95dd5f536dba2874aaee083adbcc78d66873cefc8e99d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_multiprocessing.pyd

Filesize
27KB

MD5
0c942dacb385235a97e373bdbe8a1a5e

SHA1
cf864c004d710525f2cf1bec9c19ddf28984ca72

SHA256
d5161d4e260b2bb498f917307f1c21381d738833efc6e8008f2ebfb9447c583b

SHA512
ca10c6842634cec3cada209b61dd5b60d8ea63722e3a77aa05e8c61f64b1564febe9612b554a469927dbce877b6c29c357b099e81fa7e73ceeae04b8998aa5a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_overlapped.pyd

Filesize
33KB

MD5
ed9cff0d68ba23aad53c3a5791668e8d

SHA1
a38c9886d0de7224e36516467803c66a2e71c7d9

SHA256
e88452d26499f51d48fe4b6bd95fc782bad809f0cb009d249aacf688b9a4e43f

SHA512
6020f886702d9ff6530b1f0dad548db6ad34171a1eb677cb1ba14d9a8943664934d0cfe68b642b1dd942a70e3ae375071591a66b709c90bd8a13303a54d2198b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_queue.pyd

Filesize
26KB

MD5
8347192a8c190895ec8806a3291e70d9

SHA1
0a634f4bd15b7ce719d91f0c1332e621f90d3f83

SHA256
b1ad27547e8f7ab2d1ce829ca9bdcc2b332dc5c2ef4fe224ccb76c78821c7a19

SHA512
de6858ed68982844c405ca8aecf5a0aa62127807b783a154ba5d844b44f0f8f42828dc097ac4d0d1aa8366cdcab44b314effcb0020b65db4657df83b1b8f5fed

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_socket.pyd

Filesize
44KB

MD5
7e92d1817e81cbafdbe29f8bec91a271

SHA1
08868b9895196f194b2e054c04edccf1a4b69524

SHA256
19573ccc379190277674a013f35bf055f6dbb57adfce79152152a0de3ff8c87c

SHA512
0ed41a3ce83b8f4a492555a41881d292ece61d544f0a4df282f3cc37822255a7a32647724568c9a3b04d13fd3cc93eb080e54ac2ce7705b6b470454366be1cbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_sqlite3.pyd

Filesize
57KB

MD5
29a6551e9b7735a4cb4a61c86f4eb66c

SHA1
f552a610d64a181b675c70c3b730aa746e1612d0

SHA256
78c29a6479a0a2741920937d13d404e0c69d21f6bd76bdfec5d415857391b517

SHA512
54a322bfe5e34f0b6b713e22df312cfbde4a2b52240a920b2fa3347939cf2a1fecbeac44d7c1fa2355ee6dc714891acd3ee827d73131fd1e39fba390c3a444e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_ssl.pyd

Filesize
65KB

MD5
8696f07039706f2e444f83bb05a65659

SHA1
6c6fff6770a757e7c4b22e6e22982317727bf65b

SHA256
5405af77bc6ad0c598490b666c599c625195f7bf2a63db83632e3a416c73e371

SHA512
93e9f8fc1ae8a458eb4d9e7d7294b5c2230cb753386842e72d07cb7f43f248d204d13d93aedae95ec1a7aa6a81a7c09fdba56a0bc31924a1722c423473d97758

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_uuid.pyd

Filesize
24KB

MD5
7a00ff38d376abaaa1394a4080a6305b

SHA1
d43a9e3aa3114e7fc85c851c9791e839b3a0ee13

SHA256
720e9b68c41c8d9157865e4dd243fb1731f627f3af29c43250804a5995a82016

SHA512
ce39452df539eeeff390f260c062a0c902557fda25a7be9a58274675b82b30bddb7737b242e525f7d501db286f4873b901d94e1cd09aa8864f052594f4b34789

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\_wmi.pyd

Filesize
28KB

MD5
f3767430bbc7664d719e864759b806e4

SHA1
f27d26e99141f15776177756de303e83422f7d07

SHA256
787caad25cb4e2df023ead5e5a3fcd160b1c59a2e4ae1fc7b25c5087964defe8

SHA512
b587dfff4ba86142663de6ef8710ac7ab8831ca5fc989820b6a197bcd31ac5fdcb0b5982bf9a1fc13b331d0e53dc1b7367b54bb47910f3d1e18f8193449acb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\base_library.zip

Filesize
1.3MB

MD5
630153ac2b37b16b8c5b0dbb69a3b9d6

SHA1
f901cd701fe081489b45d18157b4a15c83943d9d

SHA256
ec4e6b8e9f6f1f4b525af72d3a6827807c7a81978cb03db5767028ebea283be2

SHA512
7e3a434c8df80d32e66036d831cbd6661641c0898bd0838a07038b460261bf25b72a626def06d0faa692caf64412ca699b1fa7a848fe9d969756e097cba39e41

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\libcrypto-3.dll

Filesize
1.6MB

MD5
e68a459f00b05b0bd7eafe3da4744aa9

SHA1
41565d2cc2daedd148eeae0c57acd385a6a74254

SHA256
3fcf6956df6f5dc92b2519062b40475b94786184388540a0353f8a0868413648

SHA512
6c4f3747af7be340a3db91e906b949684a39cafc07f42b9fcc27116f4f4bf405583fc0db3684312b277d000d8e6a566db2c43601fa2af499700319c660ef1108

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\libffi-8.dll

Filesize
29KB

MD5
bb1feaa818eba7757ada3d06f5c57557

SHA1
f2de5f06dc6884166de165d34ef2b029bb0acf8b

SHA256
a7ac89b42d203ad40bad636ad610cf9f6da02128e5a20b8b4420530a35a4fb29

SHA512
95dd1f0c482b0b0190e561bc08fe58db39fd8bb879a2dec0cabd40d78773161eb76441a9b1230399e3add602685d0617c092fff8bf0ab6903b537a9382782a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\libssl-3.dll

Filesize
222KB

MD5
9b8d3341e1866178f8cecf3d5a416ac8

SHA1
8f2725b78795237568905f1a9cd763a001826e86

SHA256
85dd8c17928e78c20cf915c1985659fe99088239793f2bd46acb31a3c344c559

SHA512
815abc0517f94982fc402480bba6e0749f44150765e7f8975e4fcbfce62c4a5ff741e39e462d66b64ba3b804bd5b7190b67fff037d11bb314c7d581cfa6097a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\psutil\_psutil_windows.pyd

Filesize
31KB

MD5
d2ab09582b4c649abf814cdce5d34701

SHA1
b7a3ebd6ff94710cf527baf0bb920b42d4055649

SHA256
571115cca942bc76010b379df5d28afcb0f0d0de65a3bac89a95c6a86838b983

SHA512
022ccaeb99dc08997d917f85c6bc3aefdad5074c995008942a2f35f46ba07d73bb5bc7bc971ec71cb0e60dcb096b2c990866fe29c57670d069e7bdc3b14f6172

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\pyexpat.pyd

Filesize
87KB

MD5
edcb8f65306461e42065ac6fc3bae5e7

SHA1
4faa04375c3d2c2203be831995403e977f1141eb

SHA256
1299da117c98d741e31c8fb117b0f65ae039a4122934a93d0bbb8dfbddd2dcd7

SHA512
221e6e1eb9065f54a48040b48f7b6109853306f04506ccf9ecb2f5813a5bd9675c38565a59e72770bf33d132977aa1558cc290720e39a4f3a74a0e7c2a3f88fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\python3.dll

Filesize
66KB

MD5
6271a2fe61978ca93e60588b6b63deb2

SHA1
be26455750789083865fe91e2b7a1ba1b457efb8

SHA256
a59487ea2c8723277f4579067248836b216a801c2152efb19afee4ac9785d6fb

SHA512
8c32bcb500a94ff47f5ef476ae65d3b677938ebee26e80350f28604aaee20b044a5d55442e94a11ccd9962f34d22610b932ac9d328197cf4d2ffbc7df640efba

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\python312.dll

Filesize
1.8MB

MD5
2889fb28cd8f2f32997be99eb81fd7eb

SHA1
adfeb3a08d20e22dde67b60869c93291ca688093

SHA256
435430e3abfde589d8535bc24a4b1d4147a4971dbe59e9377603974c07a1b637

SHA512
aaa33b8178a8831008ea6ad39b05189d55aa228a20a2315e45df6e2ff590c94478cfc76c9adb762689edb021ecdf98df3e7074d8d65c1c477273056b7509f8ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\select.pyd

Filesize
25KB

MD5
c16b7b88792826c2238d3cf28ce773dd

SHA1
198b5d424a66c85e2c07e531242c52619d932afa

SHA256
b81be8cc053734f317ff4de3476dd8c383cc65fe3f2f1e193a20181f9ead3747

SHA512
7b1b2494fe0ef71869072d3c41ba1f2b67e3b9dcc36603d1503bb914d8b8e803dc1b66a3cbf0e45c43e4a5b7a8f44504a35d5e8e1090d857b28b7eba1b89c08a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\sqlite3.dll

Filesize
630KB

MD5
8776a7f72e38d2ee7693c61009835b0c

SHA1
677a127c04ef890e372d70adc2ab388134753d41

SHA256
c467fcc7377b4a176e8963f54ffff5c96d1eb86d95c4df839af070d6d7dbf954

SHA512
815bf905fa9a66c05e5c92506d2661c87559c6205c71daa205368dbfd3d56b8a302a4d31729bc6d4c1d86cbcf057638aa17bde0d85ccc59ce1cbcb9e64349732

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI11802\unicodedata.pyd

Filesize
295KB

MD5
4253cde4d54e752ae54ff45217361471

SHA1
06aa069c348b10158d2412f473c243b24d6fc7bc

SHA256
67634e2df60da6b457e4ebfbae3edb1f48d87752221600a5814b5e8f351166e6

SHA512
3b714a57747eddf39fc3a84ab3ca37cc0b8103dd3f987331ffb2d1d46f9a34f3793bb0493c55e02ab873314c8990eaebdd0284ad087a651c06a7f862b1a61c80

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
442KB

MD5
85430baed3398695717b0263807cf97c

SHA1
fffbee923cea216f50fce5d54219a188a5100f41

SHA256
a9f4281f82b3579581c389e8583dc9f477c7fd0e20c9dfc91a2e611e21e3407e

SHA512
06511f1f6c6d44d076b3c593528c26a602348d9c41689dbf5ff716b671c3ca5756b12cb2e5869f836dedce27b1a5cfe79b93c707fd01f8e84b620923bb61b5f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
8.0MB

MD5
a01c5ecd6108350ae23d2cddf0e77c17

SHA1
c6ac28a2cd979f1f9a75d56271821d5ff665e2b6

SHA256
345d44e3aa3e1967d186a43d732c8051235c43458169a5d7d371780a6475ee42

SHA512
b046dd1b26ec0b810ee441b7ad4dc135e3f1521a817b9f3db60a32976352e8f7e53920e1a77fc5b4130aac260d79deef7e823267b4414e9cc774d8bffca56a72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms

Filesize
5KB

MD5
f75811f667a44a84d665e1e71b0f9fc6

SHA1
8159d480a5e2e13bd262c28769c0ddbc72c5b194

SHA256
d8845e0716c7a4efab62e7a18ac3e7267dfe647b4feb5555ee328860d908ec0d

SHA512
ad7c04b2cdc0d5e0fc2cc3238ae079c6782fdca921f0c49211f13613a0dc0d56f7319f3dc7ef0f9a079c00bcee1ab495b0e03c800cc67e57255006e8ce4885ce

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\SiteSecurityServiceState.txt

Filesize
540B

MD5
f84aa3df7dd47e06d0f3ca858926c8f0

SHA1
60fd2d42ba75c915f9b964ad36f472e54aaae6ab

SHA256
9c207c976e8823e51d5a6ae79a72e0a49fcc8815ceca1402c53b8f4a10a28158

SHA512
8e765b71ebcc22c787e7eb123ff9b4a15abc2a98c0d34bc5d0311c0df56349dbde1eb5f9bcfe3ff524c4e5582ab61628e51ef2a54177b1cc6ab2fd48f1ad8dd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\bookmarkbackups\bookmarks-2024-03-03_11_CCpZVMvoZkGDpI3NsstdiA==.jsonlz4

Filesize
945B

MD5
50a70a8bf59da6baf28287acbd719907

SHA1
613c5fb4908c603026a6d1089e2d3b10e48c728c

SHA256
9e785279d1028bde50501523b5da6ebe1dc70046dd1209fdbea49f4a0386185e

SHA512
df5177bed3498c2bad8a4645d3d4767344644156856599fcca4a777c753e4739dc669fe31eb281f0c3933c4b732455493e43b4ab110abde4774128b91ddab2b0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\broadcast-listeners.json

Filesize
204B

MD5
72c95709e1a3b27919e13d28bbe8e8a2

SHA1
00892decbee63d627057730bfc0c6a4f13099ee4

SHA256
9cf589357fceea2f37cd1a925e5d33fd517a44d22a16c357f7fb5d4d187034aa

SHA512
613ca9dd2d12afe31fb2c4a8d9337eeecfb58dabaeaaba11404b9a736a4073dfd9b473ba27c1183d3cc91d5a9233a83dce5a135a81f755d978cea9e198209182

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
23a3dd5eebc7c472be74eee8db4e2c60

SHA1
f0dace9e0653d7539e3d813135bd7b4f1708f102

SHA256
f874e346f6f1ca109178017a4ba1e46a9e264a8f88eb67e593aa6065f403e7c2

SHA512
f5585ea9284924feff399059964d34d7b48b5629c612e3fedbd225397e8e2ec90125f1ba1ccee5be04142738836e11ce97a0e6864ef08cefff1e236d7580c95a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\985313a3-bcdd-4df3-9737-c9191c26029a

Filesize
10KB

MD5
905eada8f252bc7cb8cba5935507a5ff

SHA1
c6bfaf2680c71738b82e0ee5e5944e4fb5ecd1cd

SHA256
a30b803b29e74de48eb776b150d431c733af50113c9c5e99bc7d53bab6660818

SHA512
549a1ff83e4ed0f1d254529bedc97518ca58e3a67fb4c1517b200bdc0c4f2f864e01d70e73ec44001e677cae6ccd66551fb52e75bf4a346b56e1b829cc60a783

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\datareporting\glean\pending_pings\e7c085de-fa99-4292-a853-502d0e0c0d85

Filesize
746B

MD5
0319bf3ca49ec9aa494bcd23ad0cb8ed

SHA1
22d89ad4715c47b296d8e952b7dfd17cbe44fc98

SHA256
50ee44de9d443fdc16356dc090cc36f4cf0d9417d217908cfa0827842e501af0

SHA512
af4b7ad951ee2de3631ab6955fe8fc86c4a83b3716e0979b89466be45c10315106e8c24f438bf52fde23af1c8d7b7fe8be974eae4ee3ecc5d40ad969095c2f7e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.dll

Filesize
997KB

MD5
fe3355639648c417e8307c6d051e3e37

SHA1
f54602d4b4778da21bc97c7238fc66aa68c8ee34

SHA256
1ed7877024be63a049da98733fd282c16bd620530a4fb580dacec3a78ace914e

SHA512
8f4030bb2464b98eccbea6f06eb186d7216932702d94f6b84c56419e9cf65a18309711ab342d1513bf85aed402bc3535a70db4395874828f0d35c278dd2eac9c

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-gmpopenh264\1.8.1.2\gmpopenh264.info

Filesize
116B

MD5
3d33cdc0b3d281e67dd52e14435dd04f

SHA1
4db88689282fd4f9e9e6ab95fcbb23df6e6485db

SHA256
f526e9f98841d987606efeaff7f3e017ba9fd516c4be83890c7f9a093ea4c47b

SHA512
a4a96743332cc8ef0f86bc2e6122618bfc75ed46781dadbac9e580cd73df89e74738638a2cccb4caa4cbbf393d771d7f2c73f825737cdb247362450a0d4a4bc1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\LICENSE.txt

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\manifest.json

Filesize
372B

MD5
8be33af717bb1b67fbd61c3f4b807e9e

SHA1
7cf17656d174d951957ff36810e874a134dd49e0

SHA256
e92d3394635edfb987a7528e0ccd24360e07a299078df2a6967ca3aae22fa2dd

SHA512
6125f60418e25fee896bf59f5672945cd8f36f03665c721837bb50adf5b4dfef2dddbfcfc817555027dcfa90e1ef2a1e80af1219e8063629ea70263d2fc936a7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll

Filesize
11.8MB

MD5
33bf7b0439480effb9fb212efce87b13

SHA1
cee50f2745edc6dc291887b6075ca64d716f495a

SHA256
8ee42d9258e20bbc5bfdfae61605429beb5421ffeaaa0d02b86d4978f4b4ac4e

SHA512
d329a1a1d98e302142f2776de8cc2cd45a465d77cb21c461bdf5ee58c68073a715519f449cb673977288fe18401a0abcce636c85abaec61a4a7a08a16c924275

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.lib

Filesize
1KB

MD5
688bed3676d2104e7f17ae1cd2c59404

SHA1
952b2cdf783ac72fcb98338723e9afd38d47ad8e

SHA256
33899a3ebc22cb8ed8de7bd48c1c29486c0279b06d7ef98241c92aef4e3b9237

SHA512
7a0e3791f75c229af79dd302f7d0594279f664886fea228cfe78e24ef185ae63aba809aa1036feb3130066deadc8e78909c277f0a7ed1e3485df3cf2cd329776

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\gmp-widevinecdm\4.10.2557.0\widevinecdm.dll.sig

Filesize
1KB

MD5
937326fead5fd401f6cca9118bd9ade9

SHA1
4526a57d4ae14ed29b37632c72aef3c408189d91

SHA256
68a03f075db104f84afdd8fca45a7e4bff7b55dc1a2a24272b3abe16d8759c81

SHA512
b232f6cf3f88adb346281167ac714c4c4c7aac15175087c336911946d12d63d3a3a458e06b298b41a7ec582ef09fe238da3a3166ff89c450117228f7485c22d2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
6KB

MD5
951b65c081a8d1069298afd5df57f5e7

SHA1
9351f794385eaf1c823f9c335fed45251d56562b

SHA256
70f90e803f222de1bd7476ee7544dfba63d67a483a6a0eb777340380f208560c

SHA512
68abdd612a8ffef707bc4420176e05acbca8568164fbcd313108306ba907cb1c61e0294683e462586e25dd62e4fe8c0e19c1c2bf151b87ec7d85e5773376d394

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
7KB

MD5
14a2f59b05161e91db4c33ca9077b26d

SHA1
7fd2153e34b9bfd66ac1a79fd49c7c22368c124b

SHA256
7a17b9e680b4e9d31cd87b1d084a9ebb8a5a11d73f7f3d59448c15a86f746beb

SHA512
55daf3e629c08bd6b98f93e1000542c57ff34a929c4ba1584eef3dc42d9c7a8191e0fa9696248c41f396c1cc918049029ae648255be7e7b745e80ebcd8ca7bde

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
7KB

MD5
7e8d9c02818effd464b11b2d43c36967

SHA1
96e7feef1700b783ae82c11ffab89ffb5a706bdb

SHA256
b8441c333afd34f50a43b78ea214367c6227ff9eae43bd38fe048642e39edae4

SHA512
d035cd3ea6fef1f61a444c80f3c7ce7d16decc7871c7bdc73cebbc604e171b53daa4dc0852a819327c77a3d132ad93c7e91d9a2d44e6a6161903982737d4819a

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs-1.js

Filesize
6KB

MD5
f4fa8f3a41005dce521ccfbfd7448805

SHA1
1e840a1f781205045847d42d1cf55c00b54c46d6

SHA256
5520dd324dd92a18bddeada5d8384d1caffef5d8647229a4df0691db14592382

SHA512
81b24a26435bc4789d4e0d779f44ab23b270523584f427859c459e8f7d4e164a08696fd9b27e995076b4151dfb77fe8702f1652fddef22bfd3d6d226b89ef501

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\prefs.js

Filesize
8KB

MD5
83d252499013ba6cf3b72c548c229a6b

SHA1
bafc96ae16e26a4e12af42ebc8b8f7041d291b0a

SHA256
c3d3d3a3e5856fe8363b5c7ba78fddc68e63dc72b5723344dec15db5222c07df

SHA512
c727c8604e1491ee218cbdd72635ccf2605837925bb3d5fb48e6842cb485f3594613f3765ffcfd631351690ce666a8be3152816a8cc419ce5fa60366e64654b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionCheckpoints.json

Filesize
90B

MD5
c4ab2ee59ca41b6d6a6ea911f35bdc00

SHA1
5942cd6505fc8a9daba403b082067e1cdefdfbc4

SHA256
00ad9799527c3fd21f3a85012565eae817490f3e0d417413bf9567bb5909f6a2

SHA512
71ea16900479e6af161e0aad08c8d1e9ded5868a8d848e7647272f3002e2f2013e16382b677abe3c6f17792a26293b9e27ec78e16f00bd24ba3d21072bd1cae2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
4KB

MD5
11c52adf5ae7f9f192dc5396aed6065f

SHA1
77e9b11520ab4bad2b934ded4ae73fc8368bd518

SHA256
538c73d3463f061d278551c8823a96f64d4126fa18e746c628bd449c20fab552

SHA512
0f106f867cad514169d513fc4b5a6b3ded2e082c33893baa9ee14f7a9c892eaef99525e18b3c972ada4edf224daffe9ed1c21a132217651287855adfa1e9dc70

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
c32e1e5955da6744d10cc8e7ac2994c7

SHA1
f9c7dc2b51108a8b60d87e8b29ecaab925c8bc85

SHA256
1de60e36f3cbcfca95048d049f4528ed03d318646cc415d2fe817acd13c02a5c

SHA512
d969e4e4de7b0282636455a2a914630aff8a5ee918e202e772d4cdd58576c16509e6462df9a279ce8dd5b1df29c1e15a521a22279cb090af14f79c739b7b9dfe

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
13KB

MD5
79da58a4d68be8812e7c322ef105d48e

SHA1
0be9cc793f88c309922094883a77fb85f306a0cf

SHA256
61515c02a5e00813988052d129cdb05e792dae76fb81e66622b531ab2a7a1436

SHA512
43d5caf5a624389cff98c6a139b5217dc5b72f8f375e86e41a29b1fb5fbb4e61ba111893628f5c866b00a1a03357c0803a6ca107c3fab33028e0e48724f3ee14

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
e6aaf8e48a44cd607b4ad1cc9dc8f00e

SHA1
aaf08915bd41319ecbfb8b39c166292e94d7bd28

SHA256
1b7a20dc831a8a8a6d620abfed8ee2cd158e297774020dcc895e5a1f2d330d8f

SHA512
5e8367fe413460e5687cf5c7b14b439ba1a5f7ee263251c3bc5864ad240280bf41a31b0260336ff1d45482b7bcbf4b1e5a7f61474af892b080129fd6621b88aa

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
9KB

MD5
951db32b8fba32bd930656117b2f87be

SHA1
9508e2398c24c683c0a8eecc7cbabf2ded224bc7

SHA256
2c8fb7ace79ecdb7f8d8b814b26a4cda7beac43098ca99e1970bcd7b7c9aeb95

SHA512
ca3b1ed5c8e661f023a9c87dbf082c0642b6328204c1d0b6e1514a7c8030892f93b70d3a8feba4d861b427dd97d50ec7c18c808b3f712e98d08b17e29f014ee6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
12KB

MD5
b250ded6e8966337175a24f122ccae61

SHA1
e62470500ea45ac66252b8b7e10e64dea8626e68

SHA256
40760e36da7834167504d6d087b01ed4ca1a9ca815d370bff8beb2e6b1804fba

SHA512
c74695bd8e145c1541f39a58eead7d7a780427accf0fdca883cf089ae116c6de2716eda15828acdffb7337625c896ae6be279444090b81f718b4073cd17f72e9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\targeting.snapshot.json

Filesize
3KB

MD5
7f63c5625d440023dffbab201c1ae6d0

SHA1
b89f36cf1343029b3effc5c32275e22ff1426384

SHA256
bd617a26628394bfdaae3aec8d0e5669f825e1103ed11b3256bd02fd26ac3e56

SHA512
45004873ee212f8ae4000b19daf60fc42e3cd4bc6d904c688058fc813fcc9d9acdb39ba943b110b987d9e78225b983412d6188b35ada9710bfbcc082b9815f43

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\on1px6pk.default-release\xulstore.json

Filesize
141B

MD5
1995825c748914809df775643764920f

SHA1
55c55d77bb712d2d831996344f0a1b3e0b7ff98a

SHA256
87835b1bd7d0934f997ef51c977349809551d47e32c3c9224899359ae0fce776

SHA512
c311970610d836550a07feb47bd0774fd728130d0660cbada2d2d68f2fcfbe84e85404d7f5b8ab0f71a6c947561dcffa95df2782a712f4dcb7230ea8ba01c34c

Download Submit
C:\Users\Admin\Desktop\._cache_SpotifySetup.exe

Filesize
976KB

MD5
226e3b0d49a2252895b30276ae73f411

SHA1
113d495905f25e40f5de77085e3e9c358f25b5bb

SHA256
419e316e8195ff0434fe7c342704b6b4eb75381668578a93578e0a5ce7a4d90b

SHA512
7878e50a09544480cddc31e27141a25164d80ba18b9da673af6e943474769771fea138cceae6f2e422899e6500a1b0beaeb417965eee6a6c1d601b8f73bbce8f

Download Submit
C:\Users\Admin\Desktop\Client-built.exe

Filesize
78KB

MD5
4991d2329a8d72c5722bc72ff4ec0869

SHA1
26ec1cb78f5e2fad041f059ce50e6badc8657bb4

SHA256
14fe8c5eed822a6727ad7b1e33eda83fda4cd7e102d22a2a930179fde3429a72

SHA512
771edb7cce6d028dc4f229387dd4309bc0ce21d0dad78f71744c8332071a1f0f4fd33238481128d39a3db8ad7dad4727360119611dcdf0b9f406d84eaff12501

Download Submit
C:\Users\Admin\Desktop\Panelv4.exe

Filesize
3.2MB

MD5
13e8e30da54fa26261a3ad2b09cd4ef0

SHA1
9cd8062e92a3bee9b41cf1e96bd67499901d22ae

SHA256
843afa9dab727f1c83f8a97596ea54352f0963718224f0e376465da06d955bed

SHA512
35b9a8ef0c6ed24b31721f9bfaf3cc6b762eb7ea02112fed98cf996ecd0be7e93537c54c7335aceeb2b6b1c4d2b52494c74e3af3f4a142997ca88f8c118298d9

Download Submit
C:\Users\Admin\Desktop\Panelv4.exe

Filesize
2.1MB

MD5
9d032d370619a65c26af2e5f0adf9d84

SHA1
473bf8e3ceea21a9d7177eef772bf1f21e52f903

SHA256
19199718ff5c18824927ee4d3077166a378029168c6aadfd75c3da9912e0ff61

SHA512
b92d76f2eeb72ee252120dab6eaacc3ef78669ee685f9612f9fc35e4e7d24ef925ba3b637d0c9bc1a6dc7f4eaf37597551de8dde61c89b43c825e9bea26b6d7b

Download Submit
C:\Users\Admin\Desktop\Panelv4.exe

Filesize
1.6MB

MD5
97455ca2e74cdcde4694d2cad6b7c6f3

SHA1
c3a12fe230d68af7cad21c6aee6cbccbaf7cd4c9

SHA256
993bf1c4056ecb8bfa5144c3e880d3163d186d6bf98452553c4ea78e1566b544

SHA512
55020426297b587876ed1c471f21990bdea6c9262c43546767a2014142d082efbb2a971dbdaaa5f365fc59fbdae6bd4dd7cb2e6741c4bfd3ab0983d3c9455c4c

Download Submit
C:\Users\Admin\Desktop\SpotifySetup.exe

Filesize
1.7MB

MD5
e144affa1952126ab52cced5cee8ca7f

SHA1
cec4e6c8365f1fa1be071d6f4cb2e82fd3695710

SHA256
704dde88ab6dc90897a2faf6f81160f2ff76abe27baf1a0e9529c8da190b7884

SHA512
83998ca524308f21aeabd6590a6ad0638b8c7163e9bf218bc44773991e6373ab2d8d3b9ba2e9cdf2df39cfe7a3dcaa268825470febd9e80c0dbec59c64ba7242

Download Submit
C:\Users\Admin\Desktop\SpotifySetup.exe

Filesize
1.6MB

MD5
85ce8560bb8217f430a3783dc2c18f40

SHA1
4787771892e84fef23920f4c14e7f086e13305a2

SHA256
e73ecb78939c6cf647e3f16d87bf4b1348bd6a76e10212dbb87248816e1fd264

SHA512
07032e08ed8d5820aa779ce8de16c3fc67f402781258c3b72dbb5009f55eee1f9dee39d33e26901c82facfdef50f28168c560ea3f52b29f92bc9cf6db44e3d37

Download Submit
C:\Users\Admin\Desktop\spotify.exe

Filesize
4.6MB

MD5
a36d3688589552a3b18d3eb0dd18f7dc

SHA1
9437313cf0960406be12d03d6957ab3db183011c

SHA256
e944949a3a0acc1a0c1d80f776489172dd59ce1a0b740bbedf3becaaa71a41ce

SHA512
35589ea949dccd221440e61c5e9a62f935fcce2736b3c96088855a5a2b848faea1c2fae0d32545e78db4926a8761998f207af7d166dda8783956c294fa452887

Download Submit
C:\Users\Admin\Desktop\spotify.exe

Filesize
5.9MB

MD5
b0f91f30e103e10f3bbde3bed882e66c

SHA1
c818c5d80a66d0691b3fbffcb131925519b0c35f

SHA256
9228c5a1e48979c9c8de03a1bb3f85a5aef197b0d6d6ff1eb08410f4f29448bf

SHA512
b60c26076d193daf06df86fa88f8599f309f4ad5729e61416547dd64fdf3dd8a9b378f567dcc5fa8e611dcdf4d386a037a935441d6ac93bba7a74651bae90e93

Download Submit
C:\Users\Admin\Downloads\spotify.Uyvzf01Y.rar.part

Filesize
64KB

MD5
5548a0d4d0da954fb672a60a2d7232e2

SHA1
effda80da5f15a24f45c4ec52fa9fda0948d1fb4

SHA256
bef6708da7ed8ca6ffe8fe1e6828570f5da07ef5e0985f0f07a38d879ec000af

SHA512
7125a8b2da4c6c63a82b2ffdbfe68fdcc5ff7a277a8a84aee0d95654d60e42a6e507753c28d2462c93da5db0d6cf2f336c66d2d2e0f0cca54b6be019fc9eb923

Download Submit
C:\Users\Admin\Downloads\spotify.rar

Filesize
16.3MB

MD5
9251b7cc5152b6dc843eae277442144c

SHA1
251d7b320a6b3fa88f1d666b11cf4f4fbdc9e617

SHA256
70768da8d114fcb3ecd308204d803e2ea29f5cbaf7b62c4559e9a1e0368cd839

SHA512
019da68bba90455817e0fb708f8f482cc0d0e397dc20ff9d7df87776f1b17e247bc345fa6a514c12bc443b97e16597d48bf286a6a714ac78fe37e82cf7dacb55

Download Submit
memory/184-811-0x00007FFF92010000-0x00007FFF92186000-memory.dmp

Filesize
1.5MB

Download
memory/184-869-0x00007FFFA28E0000-0x00007FFFA28EB000-memory.dmp

Filesize
44KB

Download
memory/184-906-0x00007FFFAC070000-0x00007FFFAC07D000-memory.dmp

Filesize
52KB

Download
memory/184-907-0x00007FFF98770000-0x00007FFF987A5000-memory.dmp

Filesize
212KB

Download
memory/184-908-0x00007FFFA8460000-0x00007FFFA8479000-memory.dmp

Filesize
100KB

Download
memory/184-909-0x00007FFFAC040000-0x00007FFFAC04D000-memory.dmp

Filesize
52KB

Download
memory/184-910-0x00007FFFA8A50000-0x00007FFFA8A5D000-memory.dmp

Filesize
52KB

Download
memory/184-911-0x00007FFF98690000-0x00007FFF986C3000-memory.dmp

Filesize
204KB

Download
memory/184-912-0x00007FFF8FED0000-0x00007FFF903F9000-memory.dmp

Filesize
5.2MB

Download
memory/184-913-0x00007FFF985C0000-0x00007FFF9868D000-memory.dmp

Filesize
820KB

Download
memory/184-914-0x00007FFFA7CA0000-0x00007FFFA7CB6000-memory.dmp

Filesize
88KB

Download
memory/184-916-0x00007FFF984E0000-0x00007FFF98504000-memory.dmp

Filesize
144KB

Download
memory/184-918-0x00007FFFA35C0000-0x00007FFFA35D8000-memory.dmp

Filesize
96KB

Download
memory/184-921-0x00007FFF98490000-0x00007FFF984B7000-memory.dmp

Filesize
156KB

Download
memory/184-922-0x00007FFF981C0000-0x00007FFF982DB000-memory.dmp

Filesize
1.1MB

Download
memory/184-926-0x00007FFFA28E0000-0x00007FFFA28EB000-memory.dmp

Filesize
44KB

Download
memory/184-927-0x00007FFFA25C0000-0x00007FFFA25CC000-memory.dmp

Filesize
48KB

Download
memory/184-930-0x00007FFF99570000-0x00007FFF9957C000-memory.dmp

Filesize
48KB

Download
memory/184-932-0x00007FFF981B0000-0x00007FFF981BC000-memory.dmp

Filesize
48KB

Download
memory/184-933-0x00007FFF92C00000-0x00007FFF92C0B000-memory.dmp

Filesize
44KB

Download
memory/184-937-0x00007FFF92BC0000-0x00007FFF92BCD000-memory.dmp

Filesize
52KB

Download
memory/184-940-0x00007FFF90B30000-0x00007FFF90DB3000-memory.dmp

Filesize
2.5MB

Download
memory/184-941-0x00007FFF92B50000-0x00007FFF92B79000-memory.dmp

Filesize
164KB

Download
memory/184-942-0x00007FFF92B20000-0x00007FFF92B4E000-memory.dmp

Filesize
184KB

Download
memory/184-939-0x00007FFF92B90000-0x00007FFF92B9C000-memory.dmp

Filesize
48KB

Download
memory/184-938-0x00007FFF92BA0000-0x00007FFF92BB2000-memory.dmp

Filesize
72KB

Download
memory/184-936-0x00007FFF92BD0000-0x00007FFF92BDC000-memory.dmp

Filesize
48KB

Download
memory/184-935-0x00007FFF92BE0000-0x00007FFF92BEC000-memory.dmp

Filesize
48KB

Download
memory/184-934-0x00007FFF92BF0000-0x00007FFF92BFB000-memory.dmp

Filesize
44KB

Download
memory/184-931-0x00007FFF99390000-0x00007FFF9939E000-memory.dmp

Filesize
56KB

Download
memory/184-928-0x00007FFFA2580000-0x00007FFFA258B000-memory.dmp

Filesize
44KB

Download
memory/184-925-0x00007FFFA2BE0000-0x00007FFFA2BEC000-memory.dmp

Filesize
48KB

Download
memory/184-924-0x00007FFFA3410000-0x00007FFFA341B000-memory.dmp

Filesize
44KB

Download
memory/184-923-0x00007FFFA66A0000-0x00007FFFA66AB000-memory.dmp

Filesize
44KB

Download
memory/184-920-0x00007FFFA7D20000-0x00007FFFA7D2B000-memory.dmp

Filesize
44KB

Download
memory/184-919-0x00007FFF984C0000-0x00007FFF984D4000-memory.dmp

Filesize
80KB

Download
memory/184-625-0x00007FFF8ED90000-0x00007FFF8F469000-memory.dmp

Filesize
6.8MB

Download
memory/184-635-0x00007FFFA7D30000-0x00007FFFA7D55000-memory.dmp

Filesize
148KB

Download
memory/184-717-0x00007FFFAC070000-0x00007FFFAC07D000-memory.dmp

Filesize
52KB

Download
memory/184-719-0x00007FFFA8A50000-0x00007FFFA8A5D000-memory.dmp

Filesize
52KB

Download
memory/184-718-0x00007FFFAC040000-0x00007FFFAC04D000-memory.dmp

Filesize
52KB

Download
memory/184-716-0x00007FFFA84F0000-0x00007FFFA8509000-memory.dmp

Filesize
100KB

Download
memory/184-714-0x00007FFFA8460000-0x00007FFFA8479000-memory.dmp

Filesize
100KB

Download
memory/184-736-0x00007FFF98690000-0x00007FFF986C3000-memory.dmp

Filesize
204KB

Download
memory/184-743-0x00007FFF8FED0000-0x00007FFF903F9000-memory.dmp

Filesize
5.2MB

Download
memory/184-762-0x00007FFF985C0000-0x00007FFF9868D000-memory.dmp

Filesize
820KB

Download
memory/184-804-0x00007FFFA7580000-0x00007FFFA7592000-memory.dmp

Filesize
72KB

Download
memory/184-929-0x00007FFFA12E0000-0x00007FFFA12EC000-memory.dmp

Filesize
48KB

Download
memory/184-810-0x00007FFF984E0000-0x00007FFF98504000-memory.dmp

Filesize
144KB

Download
memory/184-812-0x00007FFFA7CA0000-0x00007FFFA7CB6000-memory.dmp

Filesize
88KB

Download
memory/184-815-0x00007FFFA35C0000-0x00007FFFA35D8000-memory.dmp

Filesize
96KB

Download
memory/184-917-0x00007FFF92010000-0x00007FFF92186000-memory.dmp

Filesize
1.5MB

Download
memory/184-817-0x00007FFF98490000-0x00007FFF984B7000-memory.dmp

Filesize
156KB

Download
memory/184-915-0x00007FFFA7580000-0x00007FFFA7592000-memory.dmp

Filesize
72KB

Download
memory/184-903-0x00007FFFAC0B0000-0x00007FFFAC0BF000-memory.dmp

Filesize
60KB

Download
memory/184-901-0x00007FFF8ED90000-0x00007FFF8F469000-memory.dmp

Filesize
6.8MB

Download
memory/184-816-0x00007FFF984C0000-0x00007FFF984D4000-memory.dmp

Filesize
80KB

Download
memory/184-818-0x00007FFF981C0000-0x00007FFF982DB000-memory.dmp

Filesize
1.1MB

Download
memory/184-904-0x00007FFFA84F0000-0x00007FFFA8509000-memory.dmp

Filesize
100KB

Download
memory/184-902-0x00007FFFA7D30000-0x00007FFFA7D55000-memory.dmp

Filesize
148KB

Download
memory/184-819-0x00007FFFA3410000-0x00007FFFA341B000-memory.dmp

Filesize
44KB

Download
memory/184-905-0x00007FFFA0FF0000-0x00007FFFA101D000-memory.dmp

Filesize
180KB

Download
memory/184-875-0x00007FFF92C00000-0x00007FFF92C0B000-memory.dmp

Filesize
44KB

Download
memory/184-890-0x00007FFF92B20000-0x00007FFF92B4E000-memory.dmp

Filesize
184KB

Download
memory/184-891-0x00007FFFA7D20000-0x00007FFFA7D2B000-memory.dmp

Filesize
44KB

Download
memory/184-899-0x00007FFF8ED90000-0x00007FFF8F469000-memory.dmp

Filesize
6.8MB

Download
memory/184-712-0x00007FFF98770000-0x00007FFF987A5000-memory.dmp

Filesize
212KB

Download
memory/184-900-0x00007FFF92B50000-0x00007FFF92B79000-memory.dmp

Filesize
164KB

Download
memory/184-895-0x00007FFF99390000-0x00007FFF9939E000-memory.dmp

Filesize
56KB

Download
memory/184-690-0x00007FFFA0FF0000-0x00007FFFA101D000-memory.dmp

Filesize
180KB

Download
memory/184-894-0x00007FFFA66A0000-0x00007FFFA66AB000-memory.dmp

Filesize
44KB

Download
memory/184-862-0x00007FFFA2BE0000-0x00007FFFA2BEC000-memory.dmp

Filesize
48KB

Download
memory/184-886-0x00007FFF90B30000-0x00007FFF90DB3000-memory.dmp

Filesize
2.5MB

Download
memory/184-876-0x00007FFF92BF0000-0x00007FFF92BFB000-memory.dmp

Filesize
44KB

Download
memory/184-880-0x00007FFF92BA0000-0x00007FFF92BB2000-memory.dmp

Filesize
72KB

Download
memory/184-881-0x00007FFF92B90000-0x00007FFF92B9C000-memory.dmp

Filesize
48KB

Download
memory/184-879-0x00007FFF92BC0000-0x00007FFF92BCD000-memory.dmp

Filesize
52KB

Download
memory/184-646-0x00007FFFAC0B0000-0x00007FFFAC0BF000-memory.dmp

Filesize
60KB

Download
memory/184-878-0x00007FFF92BD0000-0x00007FFF92BDC000-memory.dmp

Filesize
48KB

Download
memory/184-877-0x00007FFF92BE0000-0x00007FFF92BEC000-memory.dmp

Filesize
48KB

Download
memory/184-874-0x00007FFF981B0000-0x00007FFF981BC000-memory.dmp

Filesize
48KB

Download
memory/184-873-0x00007FFF99570000-0x00007FFF9957C000-memory.dmp

Filesize
48KB

Download
memory/184-872-0x00007FFFA12E0000-0x00007FFFA12EC000-memory.dmp

Filesize
48KB

Download
memory/184-871-0x00007FFFA2580000-0x00007FFFA258B000-memory.dmp

Filesize
44KB

Download
memory/184-870-0x00007FFFA25C0000-0x00007FFFA25CC000-memory.dmp

Filesize
48KB

Download
memory/1324-807-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/1324-626-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/2200-1022-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2200-892-0x0000000000880000-0x0000000000881000-memory.dmp

Filesize
4KB

Download
memory/2200-1491-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2200-1335-0x0000000000400000-0x00000000005B7000-memory.dmp

Filesize
1.7MB

Download
memory/2492-12-0x00007FFF976E0000-0x00007FFF981A1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-8-0x0000017749100000-0x0000017749628000-memory.dmp

Filesize
5.2MB

Download
memory/2492-7-0x0000017748870000-0x0000017748880000-memory.dmp

Filesize
64KB

Download
memory/2492-6-0x00007FFF976E0000-0x00007FFF981A1000-memory.dmp

Filesize
10.8MB

Download
memory/2492-5-0x0000017748900000-0x0000017748AC2000-memory.dmp

Filesize
1.8MB

Download
memory/2492-13-0x0000017748870000-0x0000017748880000-memory.dmp

Filesize
64KB

Download
memory/2492-4-0x000001772E360000-0x000001772E378000-memory.dmp

Filesize
96KB

Download
memory/4340-11-0x00000158F2530000-0x00000158F2540000-memory.dmp

Filesize
64KB

Download
memory/4340-10-0x00007FFF976E0000-0x00007FFF981A1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-14-0x00007FFF976E0000-0x00007FFF981A1000-memory.dmp

Filesize
10.8MB

Download
memory/4340-15-0x00000158F2530000-0x00000158F2540000-memory.dmp

Filesize
64KB

Download
memory/4476-986-0x00007FFF76750000-0x00007FFF76760000-memory.dmp

Filesize
64KB

Download
memory/4476-985-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/4476-993-0x00007FFF74030000-0x00007FFF74040000-memory.dmp

Filesize
64KB

Download
memory/4476-994-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/4476-988-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/4476-987-0x00007FFF76750000-0x00007FFF76760000-memory.dmp

Filesize
64KB

Download
memory/4476-983-0x00007FFF76750000-0x00007FFF76760000-memory.dmp

Filesize
64KB

Download
memory/4476-984-0x00007FFF76750000-0x00007FFF76760000-memory.dmp

Filesize
64KB

Download
memory/4476-991-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/4476-997-0x00007FFF74030000-0x00007FFF74040000-memory.dmp

Filesize
64KB

Download
memory/4476-990-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/4476-989-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/4476-981-0x00007FFF76750000-0x00007FFF76760000-memory.dmp

Filesize
64KB

Download
memory/4476-992-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/4476-982-0x00007FFFB66D0000-0x00007FFFB68C5000-memory.dmp

Filesize
2.0MB

Download
memory/5664-1293-0x00007FFFB5580000-0x00007FFFB5581000-memory.dmp

Filesize
4KB

Download
memory/5664-1291-0x00007FFFB65E0000-0x00007FFFB65E1000-memory.dmp

Filesize
4KB

Download
memory/5664-1450-0x000002644ED90000-0x000002644EE3C000-memory.dmp

Filesize
688KB

Download
memory/5812-1372-0x000001C1AEF10000-0x000001C1AEFBC000-memory.dmp

Filesize
688KB

Download