Analysis Overview
SHA256
0fd57864cb820027ecddf4395633514ea6472f775cce6be99c95007b7410e1af
Threat Level: Known bad
The file BlockTheSpot-master.zip was found to be: Known bad.
Malicious Activity Summary
Lumma family
Detect Lumma Stealer payload V4
Lumma Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Blocklisted process makes network request
Downloads MZ/PE file
Modifies file permissions
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Checks BIOS information in registry
Identifies Wine through registry keys
Adds Run key to start application
Command and Scripting Interpreter: PowerShell
Unsigned PE
Program crash
Modifies system certificate store
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: CmdExeWriteProcessMemorySpam
Modifies registry class
Kills process with taskkill
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-05-20 01:57
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Lumma family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral3
Detonation Overview
Submitted
2024-05-20 01:57
Reported
2024-05-20 02:00
Platform
win7-20240221-en
Max time kernel
120s
Max time network
127s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\install.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im Spotify.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im spotifywebhelper.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"
C:\Windows\system32\findstr.exe
findstr "PackageFullName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKCR\spotify\shell\open\command
C:\Windows\system32\reg.exe
reg query HKCR\spotify\shell\open\command
Network
Files
Analysis: behavioral4
Detonation Overview
Submitted
2024-05-20 01:57
Reported
2024-05-20 02:00
Platform
win10v2004-20240508-en
Max time kernel
136s
Max time network
99s
Command Line
Signatures
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\install.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im Spotify.exe
C:\Windows\system32\taskkill.exe
taskkill /f /im spotifywebhelper.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"
C:\Windows\system32\findstr.exe
findstr "PackageFullName"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c reg query HKCR\spotify\shell\open\command
C:\Windows\system32\reg.exe
reg query HKCR\spotify\shell\open\command
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_gdafwgf2.3u1.ps1
Analysis: behavioral5
Detonation Overview
Submitted
2024-05-20 01:57
Reported
2024-05-20 02:00
Platform
win7-20240508-en
Max time kernel
118s
Max time network
120s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1756 -s 228
Network
Files
Analysis: behavioral6
Detonation Overview
Submitted
2024-05-20 01:57
Reported
2024-05-20 02:00
Platform
win10v2004-20240426-en
Max time kernel
138s
Max time network
111s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1708 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 1708 wrote to memory of 4656 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\netutils.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4656 -ip 4656
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 636
Network
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-20 01:57
Reported
2024-05-20 02:00
Platform
win7-20240221-en
Max time kernel
140s
Max time network
123s
Command Line
Signatures
Detect Lumma Stealer payload V4
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Lumma Stealer
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious behavior: CmdExeWriteProcessMemorySpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im Spotify.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"
C:\Windows\system32\findstr.exe
findstr "PackageFullName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command (new-object System.Net.WebClient).DownloadFile('http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe','spotify_installer-1.1.4.197.g92d52c4f-13.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "saps -wait -filepath 'C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat' -verb runas -argumentlist 'patch'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat" patch
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /reset /T
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /deny "Admin":W
C:\Windows\system32\findstr.exe
findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"
C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
spotify_installer-1.1.4.197.g92d52c4f-13.exe /extract "C:\Users\Admin\AppData\Roaming\Spotify"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Spotify.lnk'); $S.TargetPath = 'C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe'; $S.Save()"
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x2d0,0x2d4,0x2d8,0x2c4,0x2dc,0x7456bf60,0x7456bf70,0x7456bf7c
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | upgrade.spotify.com | udp |
| US | 199.232.210.133:80 | upgrade.spotify.com | tcp |
| US | 8.8.8.8:53 | crashdump.spotify.com | udp |
| US | 35.186.224.25:443 | crashdump.spotify.com | tcp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\X8RPD37R1T0HRMSXJSXC.temp
C:\Users\Admin\AppData\Roaming\Spotify\~TMP_2848_42_~
C:\Users\Admin\AppData\Roaming\Spotify\Apps\chart.spa
C:\Users\Admin\AppData\Roaming\Spotify\SpotifyMigrator.exe
C:\Users\Admin\AppData\Roaming\Spotify\SpotifyStartupTask.exe
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
\Users\Admin\AppData\Roaming\Spotify\netutils.dll
\Users\Admin\AppData\Roaming\Spotify\chrome_elf.dll
C:\Users\Admin\AppData\Roaming\Spotify\crash_reporter.cfg
C:\Users\Admin\AppData\Roaming\Spotify\locales\en.mo
C:\Users\Admin\AppData\Roaming\Spotify\devtools_resources.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef_extensions.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef_200_percent.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef_100_percent.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef.pak
C:\Users\Admin\AppData\Roaming\Spotify\locales\en-US.pak
C:\Users\Admin\AppData\Roaming\Spotify\natives_blob.bin
C:\Users\Admin\AppData\Roaming\Spotify\v8_context_snapshot.bin
C:\Users\Admin\AppData\Roaming\Spotify\icudtl.dat
C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
C:\Users\Admin\AppData\Local\Temp\Tar6EC1.tmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-05-20 01:57
Reported
2024-05-20 02:02
Platform
win10v2004-20240508-en
Max time kernel
269s
Max time network
270s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Blocklisted process makes network request
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Downloads MZ/PE file
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Identifies Wine through registry keys
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Wine | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Spotify = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe --autostart --minimized" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppPath = "C:\\Users\\Admin\\AppData\\Roaming\\Spotify" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppName = "Spotify.exe" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\AppName = "Spotify.exe" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\Policy = "3" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Software\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6} | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Internet Explorer\Low Rights\DragDrop\{5C0D11B8-C5F6-4be3-AD2C-2B1A3EB94AB6}\Policy = "3" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key deleted | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\ddeexec | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\URL Protocol | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\command | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\ddeexec | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell\open\ddeexec | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe\",0" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\Local Settings | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\Spotify\\Spotify.exe\" --protocol-uri=\"%1\"" | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell\open | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key deleted | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000_Classes\spotify\shell\open\ddeexec | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\spotify\DefaultIcon | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\MACHINE\Software\Classes\spotify | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Modifies system certificate store
| Description | Indicator | Process | Target |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted] | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [blob data omitted] | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B51C067CEE2B0C3DF855AB2D92F4FE39D4E70F0E\Blob = [blob data omitted] | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = [blob data omitted] | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"
C:\Windows\system32\taskkill.exe
taskkill /f /im Spotify.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-AppxPackage -Name "SpotifyAB.SpotifyMusic"
C:\Windows\system32\findstr.exe
findstr "PackageFullName"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy Bypass -Command (new-object System.Net.WebClient).DownloadFile('http://upgrade.spotify.com/upgrade/client/win32-x86/spotify_installer-1.1.4.197.g92d52c4f-13.exe','spotify_installer-1.1.4.197.g92d52c4f-13.exe')
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell "saps -wait -filepath 'C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat' -verb runas -argumentlist 'patch'"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat" patch
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /reset /T
C:\Windows\system32\icacls.exe
icacls "C:\Users\Admin\AppData\Local\Spotify\Update" /deny "Admin":W
C:\Windows\system32\findstr.exe
findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\downgrade.bat"
C:\Users\Admin\AppData\Local\Temp\BlockTheSpot-master\spotify_installer-1.1.4.197.g92d52c4f-13.exe
spotify_installer-1.1.4.197.g92d52c4f-13.exe /extract "C:\Users\Admin\AppData\Roaming\Spotify"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -ExecutionPolicy Bypass -Command "$ws = New-Object -ComObject WScript.Shell; $s = $ws.CreateShortcut('C:\Users\Admin\Desktop\Spotify.lnk'); $S.TargetPath = 'C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe'; $S.Save()"
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe"
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe --type=crashpad-handler /prefetch:7 --max-uploads=5 --max-db-size=20 --max-db-age=5 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Spotify\User Data" --url=https://crashdump.spotify.com:443/ --annotation=platform=win32 --annotation=product=spotify --annotation=version=1.1.4.197 --initial-client-data=0x580,0x584,0x588,0x57c,0x590,0x6d55bf60,0x6d55bf70,0x6d55bf7c
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=gpu-process --field-trial-handle=1900,10762265407061715960,4675461662290625612,131072 --disable-features=ExtendedMouseButtons --disable-d3d11 --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --service-request-channel-token=3065589623334711565 --mojo-platform-channel-handle=1908 --ignored=" --type=renderer " /prefetch:2
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=renderer --field-trial-handle=1900,10762265407061715960,4675461662290625612,131072 --disable-features=ExtendedMouseButtons --service-pipe-token=8729099315106907948 --lang=en-US --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --disable-spell-checking --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=8729099315106907948 --renderer-client-id=3 --mojo-platform-channel-handle=3092 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
"C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe" --type=gpu-process --field-trial-handle=1900,10762265407061715960,4675461662290625612,131072 --disable-features=ExtendedMouseButtons --disable-gpu-sandbox --use-gl=disabled --disable-d3d11 --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --gpu-preferences=KAAAAAAAAACAAwCAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAFAAAAEAAAAAAAAAAAAAAABgAAABAAAAAAAAAAAQAAAAUAAAAQAAAAAAAAAAEAAAAGAAAA --log-file="C:\Users\Admin\AppData\Roaming\Spotify\debug.log" --log-severity=disable --product-version=Spotify/1.1.4.197 --lang=en-US --service-request-channel-token=18069621122043178639 --mojo-platform-channel-handle=4232 /prefetch:2
Network
Files
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_dodxtqrq.4q5.ps1
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\Spotify\~TMP_1760_42_~
C:\Users\Admin\AppData\Roaming\Spotify\Apps\chart.spa
C:\Users\Admin\AppData\Roaming\Spotify\SpotifyMigrator.exe
C:\Users\Admin\AppData\Roaming\Spotify\SpotifyStartupTask.exe
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
C:\Users\Admin\AppData\Roaming\Spotify\Spotify.exe
C:\Users\Admin\AppData\Roaming\Spotify\chrome_elf.dll
C:\Users\Admin\AppData\Roaming\Spotify\crash_reporter.cfg
C:\Users\Admin\AppData\Roaming\Spotify\locales\en.mo
C:\Users\Admin\AppData\Roaming\Spotify\natives_blob.bin
C:\Users\Admin\AppData\Roaming\Spotify\devtools_resources.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef_extensions.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef_200_percent.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef_100_percent.pak
C:\Users\Admin\AppData\Roaming\Spotify\cef.pak
C:\Users\Admin\AppData\Roaming\Spotify\locales\en-US.pak
C:\Users\Admin\AppData\Roaming\Spotify\v8_context_snapshot.bin
C:\Users\Admin\AppData\Roaming\Spotify\icudtl.dat
C:\Users\Admin\AppData\Local\Spotify\User Data\Crashpad\settings.dat
C:\Users\Admin\AppData\Roaming\Spotify\Apps\glue-resources.spa
C:\Users\Admin\AppData\Roaming\Spotify\Apps\zlink.spa
C:\Users\Admin\AppData\Roaming\Spotify\swiftshader\libEGL.dll
C:\Users\Admin\AppData\Roaming\Spotify\swiftshader\libGLESv2.dll
C:\Users\Admin\AppData\Roaming\Spotify\d3dcompiler_47.dll
\??\pipe\crashpad_384_TDVMZCOJDFBFRGEH
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Spotify\Apps\login.spa
| MD5 | a28b0510512a88fc95d799a9224b21f1 |
| SHA1 | 83d2a4d05e0502e91aad3d5e0d7938b0824bf05d |
| SHA256 | f4c75b3c4f1086b50a38242b794acb6c68f7f19c4bd12c7724fa89f07b20da2f |
| SHA512 | 8f380f3b29b1e627e3427781dd3145f51b4c7abc51688e6aeebb4b3d14fa324eddf177d5ddde5a00978c2afa0c41ec0b007198d011b175fa39d0c3a7a17e2db6 |
C:\Users\Admin\AppData\Local\Spotify\Browser\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\AppData\Local\Spotify\Browser\MANIFEST-000001
| MD5 | 5af87dfd673ba2115e2fcf5cfdb727ab |
| SHA1 | d5b5bbf396dc291274584ef71f444f420b6056f1 |
| SHA256 | f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4 |
| SHA512 | de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b |
C:\Users\Admin\AppData\Local\Temp\1.4.9.1088-win-ia32.zip
| MD5 | 1435d52e122ed0a35b2a8e4a926c98f5 |
| SHA1 | 9b4dc9bf52531b2728b047acd16b7aee02691287 |
| SHA256 | 9bd4cd6b15c955f1d341d6cc91e031890afa1838cadc0a149eacfb5142b07889 |
| SHA512 | 8e115f3f941663ac052570191acca09cb025388f82b232df5770aeb1781a611f002226de244ddd1b75553bbb5154068dca8913465b2c27ea28a1b4cae8359682 |