Malware Analysis Report

2024-11-30 05:16

Sample ID: 240520-cdme5aec78
Target: BlockTheSpot-master.zip
SHA256: 0fd57864cb820027ecddf4395633514ea6472f775cce6be99c95007b7410e1af
Tags: lumma discovery evasion execution stealer persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256: 0fd57864cb820027ecddf4395633514ea6472f775cce6be99c95007b7410e1af

Threat Level: Known bad

The file BlockTheSpot-master.zip was found to be: Known bad.

Malicious Activity Summary

lumma discovery evasion execution stealer persistence

Lumma family

Detect Lumma Stealer payload V4

Lumma Stealer

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Blocklisted process makes network request

Downloads MZ/PE file

Modifies file permissions

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Checks BIOS information in registry

Identifies Wine through registry keys

Adds Run key to start application

Command and Scripting Interpreter: PowerShell

Unsigned PE

Program crash

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: CmdExeWriteProcessMemorySpam

Modifies registry class

Kills process with taskkill

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-05-20 01:57

Signatures

Detect Lumma Stealer payload V4

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Lumma family

Tags: lumma

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral3

Detonation Overview

Submitted: 2024-05-20 01:57
Reported: 2024-05-20 02:00
Platform: win7-20240221-en
Max time kernel: 120s
Max time network: 127s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\install.bat"

Signatures

Kills process with taskkill

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1432 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1432 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1432 wrote to memory of 2516 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1432 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1432 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1432 wrote to memory of 2576 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 1432 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2684 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 1432 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 1432 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 1432 wrote to memory of 2676 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 1432 wrote to memory of 2696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 2696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 1432 wrote to memory of 2696 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe
PID 2696 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2696 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe
PID 2696 wrote to memory of 2428 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\reg.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\install.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im Spotify.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im spotifywebhelper.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"

C:\Windows\system32\findstr.exe

findstr "PackageFullName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query HKCR\spotify\shell\open\command

C:\Windows\system32\reg.exe

reg query HKCR\spotify\shell\open\command

Network

N/A

Files

memory/2684-4-0x000007FEF588E000-0x000007FEF588F000-memory.dmp

memory/2684-5-0x000000001B370000-0x000000001B652000-memory.dmp

memory/2684-7-0x0000000002460000-0x0000000002468000-memory.dmp

memory/2684-6-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

memory/2684-8-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

memory/2684-9-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

memory/2684-10-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

memory/2684-11-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

memory/2684-12-0x000007FEF55D0000-0x000007FEF5F6D000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted: 2024-05-20 01:57
Reported: 2024-05-20 02:00
Platform: win10v2004-20240508-en
Max time kernel: 136s
Max time network: 99s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\install.bat"

Signatures

Kills process with taskkill

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\install.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im Spotify.exe

C:\Windows\system32\taskkill.exe

taskkill /f /im spotifywebhelper.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"

C:\Windows\system32\findstr.exe

findstr "PackageFullName"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c reg query HKCR\spotify\shell\open\command

C:\Windows\system32\reg.exe

reg query HKCR\spotify\shell\open\command

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 232.168.11.51.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 64.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 17.14.97.104.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/3844-0-0x00007FF8F5A83000-0x00007FF8F5A85000-memory.dmp

memory/3844-1-0x000001B6F9F00000-0x000001B6F9F22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdafwgf2.3u1.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/3844-11-0x00007FF8F5A80000-0x00007FF8F6541000-memory.dmp

memory/3844-12-0x00007FF8F5A80000-0x00007FF8F6541000-memory.dmp

memory/3844-13-0x000001B6FA4D0000-0x000001B6FA4E6000-memory.dmp

memory/3844-14-0x000001B6FA4F0000-0x000001B6FA4FA000-memory.dmp

memory/3844-15-0x000001B6FA8D0000-0x000001B6FA8F6000-memory.dmp

memory/3844-18-0x00007FF8F5A80000-0x00007FF8F6541000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted: 2024-05-20 01:57
Reported: 2024-05-20 02:00
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 120s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 228

Network

N/A

Files

memory/1756-0-0x0000000000200000-0x0000000000201000-memory.dmp

memory/1756-1-0x0000000000270000-0x0000000000271000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted: 2024-05-20 01:57
Reported: 2024-05-20 02:00
Platform: win10v2004-20240426-en
Max time kernel: 138s
Max time network: 111s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1

Signatures

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1708 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe
PID 1708 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1

C:\Windows\SysWOW64\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 636

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp
US | 8.8.8.8:53 | g.bing.com | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 204.79.197.237:443 | g.bing.com | tcp
NL | 23.62.61.194:443 | www.bing.com | tcp
US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 194.61.62.23.in-addr.arpa | udp
US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 50.23.12.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 77.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 43.58.199.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 200.197.79.204.in-addr.arpa | udp

Files

memory/4656-0-0x0000000000010000-0x0000000000011000-memory.dmp

memory/4656-1-0x0000000000020000-0x0000000000021000-memory.dmp

memory/4656-2-0x0000000000BE1000-0x0000000000BE8000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-05-20 01:57
Reported: 2024-05-20 02:00
Platform: win7-20240221-en
Max time kernel: 140s
Max time network: 123s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"

Signatures

Detect Lumma Stealer payload V4

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Lumma Stealer

Tags: stealer lumma

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A

Blocklisted process makes network request

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A

Identifies Wine through registry keys

Tags: evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A
Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A

Modifies file permissions

Tags: discovery

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\icacls.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Command and Scripting Interpreter: PowerShell

Tags: execution

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A

Kills process with taskkill

Tags: evasion

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\taskkill.exe | N/A

Suspicious behavior: CmdExeWriteProcessMemorySpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2292 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2292 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2292 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\taskkill.exe
PID 2292 wrote to memory of 2596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2596 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2600 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2700 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2512 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2512 wrote to memory of 2204 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 2204 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\cmd.exe
PID 2512 wrote to memory of 2204 | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | C:\Windows\System32\cmd.exe
PID 2204 wrote to memory of 2716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2204 wrote to memory of 2716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2204 wrote to memory of 2716 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2204 wrote to memory of 2736 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2204 wrote to memory of 2736 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2204 wrote to memory of 2736 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 2292 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2860 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\system32\findstr.exe
PID 2292 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 2292 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 2292 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 2292 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 2292 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 2292 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 2292 wrote to memory of 2848 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 2292 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 2312 | N/A | C:\Windows\system32\cmd.exe | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 2292 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 2292 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 2292 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 2292 wrote to memory of 1788 | N/A | C:\Windows\system32\cmd.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 1788 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 1788 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 1788 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 1788 wrote to memory of 2508 | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im Spotify.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"

C:\Windows\system32\findstr.exe

findstr "PackageFullName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -Command (new-object System.Net.WebClient).DownloadFile('http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe','spotify_installer-1.1.4.197.g92d52c4f-13.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "saps -wait -filepath 'C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat' -verb runas -argumentlist 'patch'"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat" patch

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /reset /T

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /deny "Admin":W

C:\Windows\system32\findstr.exe

findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"

C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe

spotify_installer-1.1.4.197.g92d52c4f-13.exe /extract "C:\Users\Admin\AppData\Roaming\Spotify"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Spotify.lnk'); $S.TargetPath = 'C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe'; $S.Save()"

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2c4,0x2dc,0x7456bf60,0x7456bf70,0x7456bf7c

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | upgrade.spotify.com | udp
US | 199.232.210.133:80 | upgrade.spotify.com | tcp
US | 8.8.8.8:53 | crashdump.spotify.com | udp
US | 35.186.224.25:443 | crashdump.spotify.com | tcp

Files

memory/2596-4-0x000007FEF59EE000-0x000007FEF59EF000-memory.dmp

memory/2596-5-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

memory/2596-7-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

memory/2596-6-0x00000000027A0000-0x00000000027A8000-memory.dmp

memory/2596-8-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

memory/2596-9-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

memory/2596-10-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

memory/2596-11-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

memory/2596-12-0x000007FEF5730000-0x000007FEF60CD000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X8RPD37R1T0HRMSXJSXC.temp

MD5 0bc2d49fbde1a64e4623396d6c6ceac9
SHA1 ab99f7c4a499e8641d8551a5473ebc411f5e4a3c
SHA256 4f6ebf37d2baa8945f3f732a16a4086698fed6ee94bd38cc04bb6052266e3216
SHA512 9ab7df93485fad5218beff981c43a5edbee4e6b1a02c5d38ac9016167f48fee95d4d4bff71edc9f3f60a9c155e81acfa663eec491c8a168f10cd6194036392e1

memory/2700-18-0x000000001B500000-0x000000001B7E2000-memory.dmp

memory/2700-19-0x0000000001FF0000-0x0000000001FF8000-memory.dmp

C:\Users\Admin\AppData\Roaming\Spotify\~TMP_2848_42_~

MD5 aeb655492bb35b58a07b8b41d8eef307
SHA1 bbe7e19776c71857f8860854e418e0c67ee33641
SHA256 d85fdba1f42eeda30f0485166555e2b5d4f04b14f66209ccb30f6ba8806e8c26
SHA512 c611a125813365a16d240ae5bbc64261c9086680866f3adbcbf0f727678a4ee8c22b45723759f2c9b4876b1bab3d9572d421c55fd63d152c5e9326ab8d2c3b5a

C:\Users\Admin\AppData\Roaming\Spotify\Apps\chart.spa

MD5 f0e953d82a6f20732e1bcec605d622c4
SHA1 cdfbe5ccfa0e6a21c5cd291e1d5916df4e00a3ec
SHA256 76cabbe6c61468ac893f1075753e186432566b58be7143f01e2cccd1f4ff0be8
SHA512 421c7dcef9955cfaeae03dfef18782ba8d8e41989bb77a51aeeecf1121bdc3298894ffdc208fc6e9c9a9ca2a9fd856210c985450eb00eea6544f6fc815384b73

C:\Users\Admin\AppData\Roaming\Spotify\SpotifyMigrator.exe

MD5 f4716682d00302d413993f523a35674d
SHA1 06c2868236e2c560add30fa25ea585fd03915fbf
SHA256 382493696af57226d6eae41957f9eb80f11a831dd577724d36cd1e768d1c47bf
SHA512 38d72294f3ad6ba28867fac44af2a36fe133d9c40f01d34d5625246cde4d809c79a0ee10cec800a2b6645fdcf23f3d3841092cd16919753b8d1aa645cf526ee8

C:\Users\Admin\AppData\Roaming\Spotify\SpotifyStartupTask.exe

MD5 0771f29159b7c6fef703eef12cd89d65
SHA1 3d3be76d379f7f218fcf59d564559c5a009c7231
SHA256 ba4c10e4eda5bada2a32660fbdd49847e335afa2a6830b3e2f35c558124d8e35
SHA512 abfb1271641cebbbe493c97d7f486badf0dd962c41f5ed62567f75ccf1b2164a3d454eafba0d4f6028b691b14c0bbd45939241e2d1a468485fb0dda349ebfd83

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

MD5 4202fdbbba3e2bd7b24d6b51be4d958c
SHA1 3766ad5a1e7a47bfd46807f250df8cc6a3556596
SHA256 53f029491e4ff121706ce1975d391688c4adf28560f4d2afe3afe16d028e2283
SHA512 440b80a662ca385310df3bb5aefdd268cb3b21ea34cbdc5a156ac2be5f39f8ca788f8d5e1aad74e0d730794e143d972c290903baa29f228c2f7f7257b8b4fe49

memory/1788-293-0x0000000000400000-0x0000000001CB4000-memory.dmp

\Users\Admin\AppData\Roaming\Spotify\netutils.dll

MD5 301efd794940d799a9b67575ddf9e414
SHA1 175465fc68f8b3e419342eeeb2b478c6649513a4
SHA256 f1f024d75051dc703e7f176647d10c73a3f3e936d2f336b0083fab4511d62401
SHA512 b662b367c7af9af7aa1043256438625c57962d12b8b2b711363ec172f556b445b399a51e10afbb463156b6f6dc9e3a58602c4848ac68b4552a091f47c055599c

\Users\Admin\AppData\Roaming\Spotify\chrome_elf.dll

MD5 58873b9f530a2a12c87d1e994640ff44
SHA1 f47ef4e07dcb6798d08570668ed6550cda5c8261
SHA256 20b0190eb0501f398f75a5eb0eefacf9eb88d46d530a263097927bac7f715269
SHA512 d2cb25ec60cf61a0df87da4f049f147e02b6785e7267ebc552d5b40b77f2f261c9e8cb30a344361bbe395ceca3aebbd57d575564e501bba87dd8768dbc206c27

memory/1788-300-0x0000000006240000-0x0000000006241000-memory.dmp

C:\Users\Admin\AppData\Roaming\Spotify\crash_reporter.cfg

MD5 d8fc1bd0f526b1904785c2ca763491bf
SHA1 37feeeb0e57883ee3de880386c9e9c991626e63b
SHA256 1831e0e8798b0e5565e5d3e17e26712ef96b38ff1f4183e57c6c97ba032ba03a
SHA512 c090a67bf1bf046190409cd3b508a10e108185027b258b0b4355c13d616b722a142f641a6125fa44ceb22129681853894aa9a0fed6c0db3cc875887824ea1caa

C:\Users\Admin\AppData\Roaming\Spotify\locales\en.mo

MD5 e44595c326fa330a49555516606a738d
SHA1 624ade55bd2ba915b4dc4b1b740c89b9d380850f
SHA256 2e943e6638dfbfb3caa5a89e04006f228d1893f763336ce2d9dca81293121a95
SHA512 6b43f991c9f7fd417eb437df1f7313f2380295575850c894e7ea97298cbed59467dd6263b4f2b60c3f841df64e1415eb6259b992f20b82c6ce0a48d8391a6945

memory/1788-301-0x0000000006250000-0x0000000006251000-memory.dmp

memory/1788-306-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-320-0x0000000000400000-0x0000000001CB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Spotify\devtools_resources.pak

MD5 130c04346c820223158cbbb22e9778f7
SHA1 1ce1667b0c681edba6d3a91f7624b102479a67bd
SHA256 7a96d52e9ce68a7f45b88df2ed09751c98ed5a141828ed5b896b80849a80dea4
SHA512 f64b6cef5b95d7a0ed2724423300d890e2e7985a26085da33e23c8f90bdea64a3d0dd6cfd2b5bc3bfe7750f124e6d81a382418f6cabe699e10acbdea5f061587

C:\Users\Admin\AppData\Roaming\Spotify\cef_extensions.pak

MD5 b10a3d7dd27850971c167f1d30c7ab3b
SHA1 1786d50c9d3ed703490b3b51e572e0ef16cf1767
SHA256 e202d358447614fd81dd25c057dec6c4e816750cf71a06d545bbb4d0d1d541ae
SHA512 a89ccc754f37c855493daf754ecdab357b560865e9fe63c9ce37d6520873dc5c1728b9c37fc2ac3af75933c74f5bb80c02e72f21ae0e0ba282723131e82e1968

C:\Users\Admin\AppData\Roaming\Spotify\cef_200_percent.pak

MD5 1b06237cc07c19dbff65bc1747dcb662
SHA1 d0ed988b56d7a22a9a40d7f9913bf54fc8c20323
SHA256 8a199510bd868f0238abff37bb9a22acd5525cdb827ad9f5159304fa5250337a
SHA512 9a153f7ea58d5f025537203f1389dfa866ca44ef31676f69e565703e097f6da97b388ebe8f9d7d34d09c8dbc78e5650f3f0f889bfc61c623d4c989e673657826

C:\Users\Admin\AppData\Roaming\Spotify\cef_100_percent.pak

MD5 ae8353be5a8e4c7d844e9b7754de2dbf
SHA1 2e8462fbcb4a71ab862d6038fd64b5e8026fa467
SHA256 90de148753248c37bf6d995bf0231f8b62bcb9119c5787897524eed8a08fd49b
SHA512 3bb405608e767ebacf29319bb0b306e657acb5faa3a493783672ab27eb57358a4f82a946299cc24d88544ece0477777f068ca42637172aea045cf0a4229c6c77

C:\Users\Admin\AppData\Roaming\Spotify\cef.pak

MD5 1b662cd6f746d57fdc5eaf98aac0817d
SHA1 1c6095a7fd86cd54ee09139c3f623b9b2a08cc1b
SHA256 fab836d8708c59a46b7df4cb76ed46c311c9fad3ff4570f9e6ebe64cb51653bd
SHA512 01943434333d18ce94806f4a9752eb8ccbd13d83c4bdc4045cae255689299c32e0e138f0e440504b4f4602c105904dcb2ec3d542ea6e9cb9e29347c03ee9a0b9

C:\Users\Admin\AppData\Roaming\Spotify\locales\en-US.pak

MD5 40a80772522569a153958bf767508f33
SHA1 1d1b2748a8bf0d8770154960300180425a7f43e3
SHA256 bb982606bf56072ac193c313ba675b5365dad0b9d5cc05981468ab520f8e5610
SHA512 4baa7713e4c069184677f989549a99db6eb859c593969396344b40036ba1072d6017d6a8b0375775e0daa0acfcaddf6e7456ffc1560b6dafe6e628f37a00af6f

C:\Users\Admin\AppData\Roaming\Spotify\natives_blob.bin

MD5 ee8117cf109aa1e47599b6b6bbffc176
SHA1 5860d98d47084650ace3847b956686df01a32d14
SHA256 05620c1db015ddfbbc7dfe39afb14c250f20090a61d9aba8dcd55e6a1a649223
SHA512 49cecab0c2657e5c9811d90bc65bc8b9763bf51b033c27b6db159354911865729e62f47dcde8598c854d2d458296cddb0de76697687925892a94e9e45edd6730

C:\Users\Admin\AppData\Roaming\Spotify\v8_context_snapshot.bin

MD5 d4cc670bdec5acb81effe6f21bf2bc4a
SHA1 77a9114ee2eac502dca119685b4d4bc07a31b623
SHA256 999ed6d14e77986cf2a349f50118c5d6e0ecab85a7ccab2ad29d676b0ed69961
SHA512 5c20fac189868a8a01b6992d6556a9fa303e1e0ff38ef8b413b10918fe80f466383ebcef3b0409852c36980ad64474b683291357a56addc0e869c910b0d34f67

C:\Users\Admin\AppData\Roaming\Spotify\icudtl.dat

MD5 59e21005a68ed37eb7019091301b2c6c
SHA1 0161c874d50f245238b8683381b3c39ced4873f7
SHA256 75b9d0e6c2ce9d8f8abd53c7198f614ab77af4912b39cb9a0ff272a7c2093b95
SHA512 40241f90bf4ef435a0449acfdec416c8a86c9db9219a532b27ec7dc265d731809dd1932f97b8695d425b4597d5c9c08149ea8bff8324a4a27077e4ed60cd881e

C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad\settings.dat

MD5 00aaae4330a80046326d93b1b28c62e4
SHA1 d6adf74e33d3a09493f3e03d336f38d712e45eaf
SHA256 509ba11e3d4f6adca789651dc878d1db845b9af6ff385efd10802749d0868359
SHA512 b950b085cf86700adcb9ea6b7e74fcbb4de3947e1d952c3d64d3d96cbb4e48b746ea469e486f1e54cfe320391cda32ab27c9b582e6657557b2712d2120eadc93

memory/1788-343-0x0000000000400000-0x0000000001CB4000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 29f65ba8e88c063813cc50a4ea544e93
SHA1 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512 e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

C:\Users\Admin\AppData\Local\Temp\Tar6EC1.tmp

MD5 435a9ac180383f9fa094131b173a2f7b
SHA1 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

memory/2508-409-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-410-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-411-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-412-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-413-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-414-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-415-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-416-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-417-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-418-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-419-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/2508-420-0x0000000000400000-0x0000000001CB4000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-05-20 01:57

Reported

2024-05-20 02:02

Platform

win10v2004-20240508-en

Max time kernel

269s

Max time network

270s

Command Line

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A

Identifies Wine through registry keys

evasion
Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key opened \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\icacls.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A

Command and Scripting Interpreter: PowerShell

execution
Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Kills process with taskkill

evasion
Description Indicator Process Target
N/A N/A C:\Windows\system32\taskkill.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppName = "Spotify.exe" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppName = "Spotify.exe" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\Policy = "3" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\Policy = "3" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\ddeexec C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\URL Protocol C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\command C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\ddeexec C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell\open\ddeexec C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe\",0" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe\" --protocol-uri=\"%1\"" C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell\open C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key deleted \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell\open\ddeexec C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\DefaultIcon C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\MACHINE\Software\Classes\spotify C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A

Modifies system certificate store

evasion spyware trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted] C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [blob data omitted] C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [blob data omitted] C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0 C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe N/A
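
Each key under AuthRoot\Certificates is named after a certificate's SHA-1 thumbprint, and its Blob value is that certificate's serialized property list. The blob dumped above is a sequence of records, each a little-endian uint32 property id, a uint32 reserved field (always 1 here), a uint32 data length and the data: the record with id 11 decodes from UTF-16LE to "GlobalSign Root CA - R1", the 20-byte record with id 3 repeats the thumbprint from the key name, the 32-byte record with id 98 is EB:D4:10:40:E4:BB:3E:C7:42:C9:E3:81:D3:1E:F2:A4:1A:48:B6:68:5C:96:E7:CE:F3:C1:DF:6C:D4:33:1C:99, the published SHA-256 fingerprint of GlobalSign Root CA, and the 889-byte record with id 32 is the DER certificate itself. A well-known public root landing in AuthRoot from inside a process that is validating TLS chains is consistent with the Windows automatic root update performed by crypt32 in the calling process, which also fits the CryptnetUrlCache files listed for this run, so this signature on its own does not show that a rogue root was planted. The check a responder wants is whether the certificate actually embedded in each blob matches the thumbprint the key claims and whether that SHA-256 is a root-program root; the blob of the second key on this page, B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E, is omitted, so that comparison cannot be made from the page alone.

The Python below is an added example, not part of the sandbox output. It parses the record layout, cross-checks a parsed entry against its key name and hash properties, and runs on the first five records of the blob above (copied verbatim; the rest of the blob is not embedded) plus a constructed entry whose "certificate" is a stand-in DER SEQUENCE rather than a real certificate. Property-id names follow wincrypt.h; ids not listed in the example are reported by number.

```python
"""Parse the serialized certificate blob Windows keeps under
SystemCertificates\\AuthRoot\\Certificates\\<SHA-1 thumbprint>\\Blob and check
that the certificate inside matches the thumbprint the key name claims.

Added example for this report, not part of the sandbox output. The record layout
(uint32 property id, uint32 reserved = 1, uint32 length, data; little-endian)
is read off the blob dumped above. Property names follow wincrypt.h.
"""
import hashlib
import struct

HEADER = struct.Struct("<III")  # property id, reserved, data length
PROP_NAMES = {
    3: "CERT_SHA1_HASH_PROP_ID",
    4: "CERT_MD5_HASH_PROP_ID",
    9: "CERT_ENHKEY_USAGE_PROP_ID",
    11: "CERT_FRIENDLY_NAME_PROP_ID",
    15: "CERT_SIGNATURE_HASH_PROP_ID",
    32: "CERT_CERT_PROP_ID",
    98: "CERT_AUTH_ROOT_SHA256_HASH_PROP_ID",
}

# First five records of the B1BC968B... blob, copied verbatim from the report
# above; the rest (SHA-256, key identifier, DER certificate) is not embedded.
REPORT_BLOB_PREFIX = bytes.fromhex(
    "040000000100000010000000" "3e455215095192e1b75d379fb187298a"
    "0f0000000100000014000000" "5a6d07b6371d966a2fb6ba92828ce5512a49513d"
    "090000000100000068000000"
    "306606082b0601050507030206082b06010505070303060a2b0601040182370a0304"
    "06082b0601050507030406082b0601050508020206082b0601050507030606082b06"
    "01050507030706082b0601050507030906082b0601050507030106082b06010505070308"
    "530000000100000040000000"
    "303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0"
    "301b060567810c010330123010060a2b0601040182373c0101030200c0"
    "0b0000000100000030000000"
    "47006c006f00620061006c005300690067006e00200052006f006f0074002000"
    "4300410020002d002000520031000000"
)


def parse_blob(blob):
    """Split a blob into {property id: raw data}; ValueError if malformed."""
    props, offset = {}, 0
    while offset < len(blob):
        if len(blob) - offset < HEADER.size:
            raise ValueError(f"truncated record header at offset {offset}")
        prop_id, reserved, length = HEADER.unpack_from(blob, offset)
        offset += HEADER.size
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} in property {prop_id}")
        if offset + length > len(blob):
            raise ValueError(f"property {prop_id} runs past the end of the blob")
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def is_well_formed(blob):
    try:
        parse_blob(blob)
        return True
    except ValueError:
        return False


def build_blob(props):
    """Inverse of parse_blob; used to construct the offline test entry below."""
    return b"".join(HEADER.pack(pid, 1, len(data)) + data for pid, data in props.items())


def friendly_name(props):
    return props.get(11, b"").decode("utf-16-le").rstrip("\x00")


def check_entry(key_name, blob):
    """Cross-check the key name and hash properties against the embedded DER."""
    props = parse_blob(blob)
    cert = props.get(32)
    if cert is None:
        raise ValueError("blob carries no certificate (property 32)")
    sha1 = hashlib.sha1(cert).hexdigest()
    sha256 = hashlib.sha256(cert).hexdigest()
    result = {
        "friendly_name": friendly_name(props),
        "sha1": sha1,
        "sha256": sha256,
        "key_name_matches": key_name.lower() == sha1,
        "sha1_prop_matches": props.get(3, b"").hex() == sha1,
        # Property 98 is not on every entry; absent means "not checked".
        "sha256_prop_matches": 98 not in props or props[98].hex() == sha256,
        "der_is_sequence": cert[:1] == b"\x30",
    }
    result["consistent"] = all(result[k] for k in (
        "key_name_matches", "sha1_prop_matches", "sha256_prop_matches", "der_is_sequence"))
    return result


def example_entry():
    """Constructed entry: a stand-in DER SEQUENCE stands in for a real certificate."""
    fake_cert = b"\x30\x03\x02\x01\x01"
    props = {
        11: "Example Root\0".encode("utf-16-le"),
        3: hashlib.sha1(fake_cert).digest(),
        98: hashlib.sha256(fake_cert).digest(),
        32: fake_cert,
    }
    return hashlib.sha1(fake_cert).hexdigest().upper(), build_blob(props)


if __name__ == "__main__":
    for pid, data in parse_blob(REPORT_BLOB_PREFIX).items():
        print(PROP_NAMES.get(pid, str(pid)), len(data), "bytes")
    print(friendly_name(parse_blob(REPORT_BLOB_PREFIX)))
    key, blob = example_entry()
    print(check_entry(key, blob)["consistent"],
          check_entry("B1BC968BD4F49D622AA89A81F2150152A41D829C", blob)["key_name_matches"])
```

On a live system the Blob value is read with winreg and passed together with the key name; an entry whose key_name_matches is False, or whose SHA-256 is not on the Microsoft root program list, is the one to pull the DER out of and inspect.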

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\taskkill.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4728 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4728 wrote to memory of 4432 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\taskkill.exe
PID 4728 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 1004 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4728 wrote to memory of 3108 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4728 wrote to memory of 3100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 3100 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 3460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 3460 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 3460 wrote to memory of 2844 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 3460 wrote to memory of 2844 N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe C:\Windows\System32\cmd.exe
PID 2844 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2844 wrote to memory of 4628 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2844 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 2844 wrote to memory of 2876 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4728 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4728 wrote to memory of 980 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\findstr.exe
PID 4728 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 4728 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 4728 wrote to memory of 1760 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
PID 4728 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 744 N/A C:\Windows\system32\cmd.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
PID 4728 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 4728 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 4728 wrote to memory of 384 N/A C:\Windows\system32\cmd.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 3456 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
PID 384 wrote to memory of 1400 N/A C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

Processes

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"

C:\Windows\system32\taskkill.exe

taskkill /f /im Spotify.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"

C:\Windows\system32\findstr.exe

findstr "PackageFullName"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell.exe -ExecutionPolicy Bypass -Command (new-object System.Net.WebClient).DownloadFile('http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe','spotify_installer-1.1.4.197.g92d52c4f-13.exe')

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell "saps -wait -filepath 'C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat' -verb runas -argumentlist 'patch'"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat" patch

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /reset /T

C:\Windows\system32\icacls.exe

icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /deny "Admin":W

C:\Windows\system32\findstr.exe

findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"

C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe

spotify_installer-1.1.4.197.g92d52c4f-13.exe /extract "C:\Users\Admin\AppData\Roaming\Spotify"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -ExecutionPolicy Bypass -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Spotify.lnk'); $S.TargetPath = 'C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe'; $S.Save()"

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x580,0x584,0x588,0x57c,0x590,0x6d55bf60,0x6d55bf70,0x6d55bf7c

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=gpu-process --field-trial-handle=1900,10762265407061715960,4675461662290625612,131072 --disable-features=ExtendedMouseButtons --disable-d3d11 --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --service-request-channel-token=3065589623334711565 --mojo-platform-channel-handle=1908 --ignored=" --type=renderer " /prefetch:2

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=renderer --field-trial-handle=1900,10762265407061715960,4675461662290625612,131072 --disable-features=ExtendedMouseButtons --service-pipe-token=8729099315106907948 --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --disable-spell-checking --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=8729099315106907948 --renderer-client-id=3 --mojo-platform-channel-handle=3092 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=gpu-process --field-trial-handle=1900,10762265407061715960,4675461662290625612,131072 --disable-features=ExtendedMouseButtons --disable-gpu-sandbox --use-gl=disabled --disable-d3d11 --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --service-request-channel-token=18069621122043178639 --mojo-platform-channel-handle=4232 /prefetch:2
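
Read in order, the process list above is the whole of what downgrade.bat does in this run: it force-kills the running client, looks up the Store package with Get-AppxPackage, fetches an older installer over plaintext HTTP with a System.Net.WebClient download cradle under -ExecutionPolicy Bypass, re-launches itself elevated (saps is the alias for Start-Process, and -verb runas triggers the UAC prompt), denies the interactive user write access to the client's Update directory so the downgraded build cannot update itself, reads its own body with findstr /v past a marker line (the usual way a batch/PowerShell polyglot feeds its embedded PowerShell to the interpreter; the consumer of that output is not visible in the report), extracts the installer into the Roaming\Spotify directory and drops a desktop shortcut. The "Blocklisted process makes network request" and "Downloads MZ/PE file" signatures are the WebClient line. No hash or Authenticode check of the downloaded installer appears anywhere in the recorded chain, which is the supply-chain weak point of this procedure independent of the final verdict: an HTTP response can be replaced on path.

The Python below is an added example, not part of the sandbox output or of the BlockTheSpot project. It runs a small rule set over those command lines (copied verbatim from the list above into SAMPLE_COMMAND_LINES) and reports each risky primitive; rule names are this example's own labels, and unverified_downloads encodes the assumption that a Get-FileHash, Get-AuthenticodeSignature, certutil -hashfile or signtool verify call would have been recorded had one run.

```python
"""Flag the risky primitives in the command lines recorded for downgrade.bat.

Added example for this report; not part of the sandbox output or of the
BlockTheSpot project. Rule names are this example's own labels.
"""
import re
from collections import Counter
from dataclasses import dataclass

# Command lines copied verbatim from the behavioral2 Processes list above.
SAMPLE_COMMAND_LINES = [
    r'C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"',
    r"taskkill /f /im Spotify.exe",
    r'powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"',
    r"powershell.exe -ExecutionPolicy Bypass -Command (new-object System.Net.WebClient)"
    r".DownloadFile('http://upgrade.spotify.com/upgrade/client/win32-x86/"
    r"spotify_installer-1.1.4.197.g92d52c4f-13.exe','spotify_installer-1.1.4.197.g92d52c4f-13.exe')",
    'powershell "saps -wait -filepath \'C:\\Users\\Admin\\AppData\\Local\\Temp\\BlockTheSpot-master'
    '\\downgrade.bat\' -verb runas -argumentlist \'patch\'"',
    r'"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat" patch',
    r'icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /reset /T',
    r'icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /deny "Admin":W',
    r'findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"',
    r'spotify_installer-1.1.4.197.g92d52c4f-13.exe /extract "C:\Users\Admin\AppData\Roaming\Spotify"',
    r"powershell -ExecutionPolicy Bypass -Command "
    r'''"$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Spotify.lnk'); '''
    r'''$S.TargetPath = 'C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe'; $S.Save()"''',
]


@dataclass(frozen=True)
class Finding:
    rule: str     # which rule fired
    detail: str   # matched text, or the captured path/URL
    command: str  # the full command line


# (rule, pattern, regex group reported as detail; 0 = whole match)
RULES = [
    ("force_kill", re.compile(r"\btaskkill\b.*\s/f\b", re.I), 0),
    ("execution_policy_bypass", re.compile(r"-ExecutionPolicy\s+Bypass", re.I), 0),
    ("webclient_download_cradle", re.compile(r"System\.Net\.WebClient\)?\.DownloadFile", re.I), 0),
    ("plaintext_pe_download", re.compile(r"http://[^'\"\s)]+\.exe", re.I), 0),
    ("runas_elevation", re.compile(r"-verb\s+runas\b", re.I), 0),
    ("write_denied_via_icacls", re.compile(r'icacls\s+"([^"]+)"\s+/deny\s+\S+:\S*W', re.I), 1),
    # findstr /v "^<marker>" <self>.bat: a batch/PowerShell polyglot reading its own body
    ("polyglot_self_read", re.compile(r'findstr\s+/v\s+"\^[^"]*"\s+"[^"]+\.bat"', re.I), 0),
    ("shortcut_dropped", re.compile(r"CreateShortcut\('([^']+\.lnk)'\)", re.I), 1),
]

# Assumption: an integrity check, had one run, would appear as one of these.
VERIFY_PATTERN = re.compile(
    r"Get-FileHash|Get-AuthenticodeSignature|certutil\s+-hashfile|signtool\s+verify", re.I)


def scan(command_lines):
    """Apply every rule to every command line; one Finding per (line, rule) hit."""
    findings = []
    for cmd in command_lines:
        for rule, pattern, group in RULES:
            match = pattern.search(cmd)
            if match:
                findings.append(Finding(rule, match.group(group), cmd))
    return findings


def summarize(findings):
    """Rule name -> number of command lines that triggered it."""
    return dict(Counter(f.rule for f in findings))


def unverified_downloads(command_lines, findings):
    """PE downloads with no hash or signature check anywhere in the recorded chain."""
    if any(VERIFY_PATTERN.search(cmd) for cmd in command_lines):
        return []
    return [f for f in findings if f.rule == "plaintext_pe_download"]


if __name__ == "__main__":
    hits = scan(SAMPLE_COMMAND_LINES)
    for f in hits:
        print(f"{f.rule:28} {f.detail}")
    print(summarize(hits))
    print("unverified:", [f.detail for f in unverified_downloads(SAMPLE_COMMAND_LINES, hits)])
```

The same rule table runs unchanged over Sysmon event ID 1 or EDR process-creation records, which carry the same CommandLine field; the polyglot_self_read rule is there because the self-read is visible even when the embedded PowerShell never shows up as a command line of its own.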

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 upgrade.spotify.com udp
US 199.232.210.133:80 upgrade.spotify.com tcp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 133.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 open.spotify.com udp
US 151.101.3.42:443 open.spotify.com tcp
US 151.101.3.42:443 open.spotify.com tcp
US 8.8.8.8:53 certificates.starfieldtech.com udp
US 192.124.249.36:80 certificates.starfieldtech.com tcp
US 8.8.8.8:53 redirector.gvt1.com udp
US 8.8.8.8:53 42.3.101.151.in-addr.arpa udp
US 8.8.8.8:53 36.249.124.192.in-addr.arpa udp
GB 142.250.187.206:443 redirector.gvt1.com tcp
GB 142.250.187.206:443 redirector.gvt1.com tcp
US 8.8.8.8:53 r4---sn-aigl6ns6.gvt1.com udp
GB 74.125.105.9:443 r4---sn-aigl6ns6.gvt1.com tcp
US 8.8.8.8:53 9.105.125.74.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 r4---sn-5hnekn7z.gvt1.com udp
NL 74.125.100.105:443 r4---sn-5hnekn7z.gvt1.com tcp
US 8.8.8.8:53 r1---sn-aigl6nzl.gvt1.com udp
GB 74.125.168.166:443 r1---sn-aigl6nzl.gvt1.com tcp
US 8.8.8.8:53 105.100.125.74.in-addr.arpa udp
US 8.8.8.8:53 166.168.125.74.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 sentry.io udp
US 35.186.247.156:443 sentry.io tcp
US 8.8.8.8:53 156.247.186.35.in-addr.arpa udp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 apresolve.spotify.com udp
US 35.186.224.25:80 apresolve.spotify.com tcp
US 8.8.8.8:53 ap-gew1.spotify.com udp
BE 104.199.65.124:4070 ap-gew1.spotify.com tcp
US 8.8.8.8:53 25.224.186.35.in-addr.arpa udp
US 8.8.8.8:53 124.65.199.104.in-addr.arpa udp
US 35.186.224.25:80 apresolve.spotify.com tcp
BE 104.199.65.124:4070 ap-gew1.spotify.com tcp
US 35.186.224.25:80 apresolve.spotify.com tcp
BE 104.199.65.124:4070 ap-gew1.spotify.com tcp
US 8.8.8.8:53 spclient.wg.spotify.com udp
US 35.186.224.25:443 spclient.wg.spotify.com tcp

Files

memory/1004-0-0x00007FFC3FFD3000-0x00007FFC3FFD5000-memory.dmp

memory/1004-11-0x00007FFC3FFD0000-0x00007FFC40A91000-memory.dmp

memory/1004-6-0x000001FE7B8C0000-0x000001FE7B8E2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dodxtqrq.4q5.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/1004-12-0x00007FFC3FFD0000-0x00007FFC40A91000-memory.dmp

memory/1004-13-0x000001FE7B910000-0x000001FE7B926000-memory.dmp

memory/1004-14-0x000001FE7B930000-0x000001FE7B93A000-memory.dmp

memory/1004-15-0x000001FE7BF70000-0x000001FE7BF96000-memory.dmp

memory/1004-18-0x00007FFC3FFD0000-0x00007FFC40A91000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 958ec9d245aa0e4bd5d05bbdb37475f4
SHA1 80e6d2c6a85922cb83b9fea874320e9c53740bd9
SHA256 a01df48cd7398ad6894bc40d27fb024dcdda87a3315934e5452a2a3e7dfb371d
SHA512 82567b9f898238e38b3b6b3cdb2565be8cac08788e612564c6ac1545f161cd5c545ba833946cc6f0954f38f066a20c9a4922a09f7d37604c71c8f0e7e46a59ec

memory/3100-20-0x00007FFC3FCA0000-0x00007FFC40761000-memory.dmp

memory/3100-31-0x00007FFC3FCA0000-0x00007FFC40761000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a8c4d2c53fbcc4a8d45ccbce9a278d86
SHA1 22a03402aab2996381690bbd9cc11c3a3e087802
SHA256 87e09cc730f24a2bd77d279b262d9a3110346d6f119e344d2c34f17a804754e3
SHA512 e6841e0b52b3b6df6a5baba347b64458433ef7d0fec1e2e6d3f0939379a62aa1bf85cab8a12cef667b41c5fe7a66b66e81f4f829ec0f3b3975848bcad83d8242

memory/3100-32-0x00007FFC3FCA0000-0x00007FFC40761000-memory.dmp

memory/3100-35-0x00007FFC3FCA0000-0x00007FFC40761000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 65a0402859eb508bd02b000b6c20ba6a
SHA1 d177a75ebc1f49a3366523a1bb157eacdc4f4d20
SHA256 91bedbea62a81487dfe4a01db4e0cab75e56b0b838a2ecc85343633dd9be8f1d
SHA512 2f45d6566ced035babea5b94e3bac4f3230a5e3b573bd5bd6a7ae71afe7ee1e78d6528390fd1e4f42d09a22b8d1cbd7727b3a0bff417b55a7a0844b3d2e83a40

C:\Users\Admin\AppData\Roaming\Spotify\~TMP_1760_42_~

MD5 aeb655492bb35b58a07b8b41d8eef307
SHA1 bbe7e19776c71857f8860854e418e0c67ee33641
SHA256 d85fdba1f42eeda30f0485166555e2b5d4f04b14f66209ccb30f6ba8806e8c26
SHA512 c611a125813365a16d240ae5bbc64261c9086680866f3adbcbf0f727678a4ee8c22b45723759f2c9b4876b1bab3d9572d421c55fd63d152c5e9326ab8d2c3b5a

C:\Users\Admin\AppData\Roaming\Spotify\Apps\chart.spa

MD5 f0e953d82a6f20732e1bcec605d622c4
SHA1 cdfbe5ccfa0e6a21c5cd291e1d5916df4e00a3ec
SHA256 76cabbe6c61468ac893f1075753e186432566b58be7143f01e2cccd1f4ff0be8
SHA512 421c7dcef9955cfaeae03dfef18782ba8d8e41989bb77a51aeeecf1121bdc3298894ffdc208fc6e9c9a9ca2a9fd856210c985450eb00eea6544f6fc815384b73

C:\Users\Admin\AppData\Roaming\Spotify\SpotifyMigrator.exe

MD5 f4716682d00302d413993f523a35674d
SHA1 06c2868236e2c560add30fa25ea585fd03915fbf
SHA256 382493696af57226d6eae41957f9eb80f11a831dd577724d36cd1e768d1c47bf
SHA512 38d72294f3ad6ba28867fac44af2a36fe133d9c40f01d34d5625246cde4d809c79a0ee10cec800a2b6645fdcf23f3d3841092cd16919753b8d1aa645cf526ee8

C:\Users\Admin\AppData\Roaming\Spotify\SpotifyStartupTask.exe

MD5 0771f29159b7c6fef703eef12cd89d65
SHA1 3d3be76d379f7f218fcf59d564559c5a009c7231
SHA256 ba4c10e4eda5bada2a32660fbdd49847e335afa2a6830b3e2f35c558124d8e35
SHA512 abfb1271641cebbbe493c97d7f486badf0dd962c41f5ed62567f75ccf1b2164a3d454eafba0d4f6028b691b14c0bbd45939241e2d1a468485fb0dda349ebfd83

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 3cc867ef6eae30d484789b670097208a
SHA1 d8cc9a6a6504ba1d83e4fd6ffca80e36f40f35ba
SHA256 63fb2f0099fb5beabab8fe9007a18e76ffcedd4b234f38ba78b0f92917965fb6
SHA512 66233fb223978a2757bf76d4d15ccc32fd8c78d10a61b6d411ec5b45285c094d72631a7ec66b194f85b05e5793fe57d3ca7bfe03862d6a4ac25183f8c887d18d

C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe

MD5 4202fdbbba3e2bd7b24d6b51be4d958c
SHA1 3766ad5a1e7a47bfd46807f250df8cc6a3556596
SHA256 53f029491e4ff121706ce1975d391688c4adf28560f4d2afe3afe16d028e2283
SHA512 440b80a662ca385310df3bb5aefdd268cb3b21ea34cbdc5a156ac2be5f39f8ca788f8d5e1aad74e0d730794e143d972c290903baa29f228c2f7f7257b8b4fe49

memory/384-327-0x0000000000400000-0x0000000001CB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Spotify\chrome_elf.dll

MD5 58873b9f530a2a12c87d1e994640ff44
SHA1 f47ef4e07dcb6798d08570668ed6550cda5c8261
SHA256 20b0190eb0501f398f75a5eb0eefacf9eb88d46d530a263097927bac7f715269
SHA512 d2cb25ec60cf61a0df87da4f049f147e02b6785e7267ebc552d5b40b77f2f261c9e8cb30a344361bbe395ceca3aebbd57d575564e501bba87dd8768dbc206c27

C:\Users\Admin\AppData\Roaming\Spotify\crash_reporter.cfg

MD5 d8fc1bd0f526b1904785c2ca763491bf
SHA1 37feeeb0e57883ee3de880386c9e9c991626e63b
SHA256 1831e0e8798b0e5565e5d3e17e26712ef96b38ff1f4183e57c6c97ba032ba03a
SHA512 c090a67bf1bf046190409cd3b508a10e108185027b258b0b4355c13d616b722a142f641a6125fa44ceb22129681853894aa9a0fed6c0db3cc875887824ea1caa

C:\Users\Admin\AppData\Roaming\Spotify\locales\en.mo

MD5 e44595c326fa330a49555516606a738d
SHA1 624ade55bd2ba915b4dc4b1b740c89b9d380850f
SHA256 2e943e6638dfbfb3caa5a89e04006f228d1893f763336ce2d9dca81293121a95
SHA512 6b43f991c9f7fd417eb437df1f7313f2380295575850c894e7ea97298cbed59467dd6263b4f2b60c3f841df64e1415eb6259b992f20b82c6ce0a48d8391a6945

memory/3456-335-0x0000000000400000-0x0000000001CB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Spotify\natives_blob.bin

MD5 ee8117cf109aa1e47599b6b6bbffc176
SHA1 5860d98d47084650ace3847b956686df01a32d14
SHA256 05620c1db015ddfbbc7dfe39afb14c250f20090a61d9aba8dcd55e6a1a649223
SHA512 49cecab0c2657e5c9811d90bc65bc8b9763bf51b033c27b6db159354911865729e62f47dcde8598c854d2d458296cddb0de76697687925892a94e9e45edd6730

C:\Users\Admin\AppData\Roaming\Spotify\devtools_resources.pak

MD5 130c04346c820223158cbbb22e9778f7
SHA1 1ce1667b0c681edba6d3a91f7624b102479a67bd
SHA256 7a96d52e9ce68a7f45b88df2ed09751c98ed5a141828ed5b896b80849a80dea4
SHA512 f64b6cef5b95d7a0ed2724423300d890e2e7985a26085da33e23c8f90bdea64a3d0dd6cfd2b5bc3bfe7750f124e6d81a382418f6cabe699e10acbdea5f061587

C:\Users\Admin\AppData\Roaming\Spotify\cef_extensions.pak

MD5 b10a3d7dd27850971c167f1d30c7ab3b
SHA1 1786d50c9d3ed703490b3b51e572e0ef16cf1767
SHA256 e202d358447614fd81dd25c057dec6c4e816750cf71a06d545bbb4d0d1d541ae
SHA512 a89ccc754f37c855493daf754ecdab357b560865e9fe63c9ce37d6520873dc5c1728b9c37fc2ac3af75933c74f5bb80c02e72f21ae0e0ba282723131e82e1968

C:\Users\Admin\AppData\Roaming\Spotify\cef_200_percent.pak

MD5 1b06237cc07c19dbff65bc1747dcb662
SHA1 d0ed988b56d7a22a9a40d7f9913bf54fc8c20323
SHA256 8a199510bd868f0238abff37bb9a22acd5525cdb827ad9f5159304fa5250337a
SHA512 9a153f7ea58d5f025537203f1389dfa866ca44ef31676f69e565703e097f6da97b388ebe8f9d7d34d09c8dbc78e5650f3f0f889bfc61c623d4c989e673657826

C:\Users\Admin\AppData\Roaming\Spotify\cef_100_percent.pak

MD5 ae8353be5a8e4c7d844e9b7754de2dbf
SHA1 2e8462fbcb4a71ab862d6038fd64b5e8026fa467
SHA256 90de148753248c37bf6d995bf0231f8b62bcb9119c5787897524eed8a08fd49b
SHA512 3bb405608e767ebacf29319bb0b306e657acb5faa3a493783672ab27eb57358a4f82a946299cc24d88544ece0477777f068ca42637172aea045cf0a4229c6c77

C:\Users\Admin\AppData\Roaming\Spotify\cef.pak

MD5 1b662cd6f746d57fdc5eaf98aac0817d
SHA1 1c6095a7fd86cd54ee09139c3f623b9b2a08cc1b
SHA256 fab836d8708c59a46b7df4cb76ed46c311c9fad3ff4570f9e6ebe64cb51653bd
SHA512 01943434333d18ce94806f4a9752eb8ccbd13d83c4bdc4045cae255689299c32e0e138f0e440504b4f4602c105904dcb2ec3d542ea6e9cb9e29347c03ee9a0b9

C:\Users\Admin\AppData\Roaming\Spotify\locales\en-US.pak

MD5 40a80772522569a153958bf767508f33
SHA1 1d1b2748a8bf0d8770154960300180425a7f43e3
SHA256 bb982606bf56072ac193c313ba675b5365dad0b9d5cc05981468ab520f8e5610
SHA512 4baa7713e4c069184677f989549a99db6eb859c593969396344b40036ba1072d6017d6a8b0375775e0daa0acfcaddf6e7456ffc1560b6dafe6e628f37a00af6f

C:\Users\Admin\AppData\Roaming\Spotify\v8_context_snapshot.bin

MD5 d4cc670bdec5acb81effe6f21bf2bc4a
SHA1 77a9114ee2eac502dca119685b4d4bc07a31b623
SHA256 999ed6d14e77986cf2a349f50118c5d6e0ecab85a7ccab2ad29d676b0ed69961
SHA512 5c20fac189868a8a01b6992d6556a9fa303e1e0ff38ef8b413b10918fe80f466383ebcef3b0409852c36980ad64474b683291357a56addc0e869c910b0d34f67

C:\Users\Admin\AppData\Roaming\Spotify\icudtl.dat

MD5 59e21005a68ed37eb7019091301b2c6c
SHA1 0161c874d50f245238b8683381b3c39ced4873f7
SHA256 75b9d0e6c2ce9d8f8abd53c7198f614ab77af4912b39cb9a0ff272a7c2093b95
SHA512 40241f90bf4ef435a0449acfdec416c8a86c9db9219a532b27ec7dc265d731809dd1932f97b8695d425b4597d5c9c08149ea8bff8324a4a27077e4ed60cd881e

C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad\settings.dat

MD5 2340be9ee39b6ad267ac8e4b7ca02065
SHA1 be65055bc3a058e0a4f4e44ddcd8f25193ebc9e4
SHA256 4da3436e7eeae712226bd3d798fe7d2684dcd97a4fb07961b01628830915b481
SHA512 99d38b0269b2c16fadcb274f52fbae6a581298bff2ece02b0cfdb7a817b5575ff3cd132bdfdd5c6fa5676412c4154c7a5f1b04c570ec732b9097fa7f9333ae1f

C:\Users\Admin\AppData\Roaming\Spotify\Apps\glue-resources.spa

MD5 6164414e4e0d868ae6ee0a3c947f99d2
SHA1 0f4b8888aa2e2c772c3d5b8800fe6974b3fb2b35
SHA256 264284283de5675055e2c700d4f7b44dc9d9e661fb054af8fb9912d9d4d6060c
SHA512 594565fddc71977277e85e9666af46072bc3d7565e9fba777d273f1d5d73e94257b7c8665b0cbe0a63276fcd8bfb213ebf1ff5683bc227145cef832272e71459

memory/1400-354-0x0000000000400000-0x0000000001CB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Spotify\Apps\zlink.spa

MD5 f08a09ab0f231ba2fe34678f4af9375d
SHA1 8bf686826498581096ed475b53f3498ef87cd127
SHA256 71746a5442f3d983962e194f4bb7910a80a16c69d1968cdd302eb8f748007fda
SHA512 beb776467607ff884904b7f77acd31eace6b1ab2e60c96afa946f821a3e886ad34d373e494021b0571a2c8ff8b2707b4c041b922fead84cd8ae9d5064c709dd9

memory/1764-375-0x0000000000400000-0x0000000001CB4000-memory.dmp

C:\Users\Admin\AppData\Roaming\Spotify\swiftshader\libEGL.dll

MD5 bf607a9177cd0fdce1078bf2529a82f6
SHA1 5cbcbfde4ceb4e9ec16ba0c40e5e3e8d5792493d
SHA256 8fed6985d8750dc0d604730d0e134b381814ec3c6de18c708210a619dcd9b8a3
SHA512 46112b8018e17b7c41df5afef860448065bac7b161ae0b2d38f0d0c94e41bca9c3eb600b0abacf4cc4179b627808efaa55adc491c51c898a519bef954f344c36

C:\Users\Admin\AppData\Roaming\Spotify\swiftshader\libGLESv2.dll

MD5 2d70428e58516dd194267447504de051
SHA1 e789ea1e3f9e3784bd4e3ffbac963df90e05cf7e
SHA256 fdc5161057abdaaf2387268d886b108413f65b746615851db8362ef45d99272c
SHA512 8c4b2e98963c527144b34df99ef7418297afccdb03fa69e6a5241651ce75232c5e416dfbe93b4d7ac2c3193ab812aec062d5cc844cb3454db2f2aa375a71464a

C:\Users\Admin\AppData\Roaming\Spotify\d3dcompiler_47.dll

MD5 59b0759303cbc010ac7d9bd135a5a389
SHA1 202c7ababe7f4412a59c00588e4bc51aad9af213
SHA256 a74a8e4502ca52f5e6551fd5287f784eb9f27c26651ec473ea47fb9cefeb35b1
SHA512 a8f854161f2f7f233b13a92b5df8a5a5807c03f37d6ad8db18ac3f1b823dd4b1887f2717be08def37027785636a6f251e4add54988d1b05ba7cace5bad70555f

\??\pipe\crashpad_384_TDVMZCOJDFBFRGEH

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Spotify\Apps\login.spa

MD5 a28b0510512a88fc95d799a9224b21f1
SHA1 83d2a4d05e0502e91aad3d5e0d7938b0824bf05d
SHA256 f4c75b3c4f1086b50a38242b794acb6c68f7f19c4bd12c7724fa89f07b20da2f
SHA512 8f380f3b29b1e627e3427781dd3145f51b4c7abc51688e6aeebb4b3d14fa324eddf177d5ddde5a00978c2afa0c41ec0b007198d011b175fa39d0c3a7a17e2db6

C:\Users\Admin\AppData\Local\Spotify\Browser\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Spotify\Browser\MANIFEST-000001

MD5 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1 d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256 f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512 de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

memory/384-416-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-417-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-418-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-419-0x0000000000400000-0x0000000001CB4000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.4.9.1088-win-ia32.zip

MD5 1435d52e122ed0a35b2a8e4a926c98f5
SHA1 9b4dc9bf52531b2728b047acd16b7aee02691287
SHA256 9bd4cd6b15c955f1d341d6cc91e031890afa1838cadc0a149eacfb5142b07889
SHA512 8e115f3f941663ac052570191acca09cb025388f82b232df5770aeb1781a611f002226de244ddd1b75553bbb5154068dca8913465b2c27ea28a1b4cae8359682

memory/4544-432-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-435-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-436-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-437-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-438-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-439-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-440-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-442-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-441-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-443-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-444-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-445-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-446-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-447-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-448-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-449-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-450-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-451-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-452-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-453-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-454-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-455-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-456-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-457-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-458-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-459-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-460-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-461-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-462-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-463-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-464-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-465-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-466-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-467-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-468-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-469-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-470-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-471-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-472-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-473-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-474-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-475-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-476-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-477-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-478-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-479-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-480-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-481-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-482-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-483-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-484-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-485-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-486-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-487-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-488-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-489-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-490-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-491-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1764-493-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-492-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/384-494-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/3456-495-0x0000000000400000-0x0000000001CB4000-memory.dmp

memory/1400-496-0x0000000000400000-0x0000000001CB4000-memory.dmp