cc64a875031c75c7f20410d362651e4c886c2e12b13fd041dcf492471f8694ec

Resubmissions

12-07-2024 23:52

240712-3wvgkaydqa 7

12-07-2024 23:49

240712-3vepqawekn 8

Analysis

max time kernel
91s
max time network
91s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
12-07-2024 23:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

GjIeRXj.exe
Size

9KB
MD5

672bb10a8b900749928a5dba1f30f505
SHA1

cf21194bf2ad984689eb4120f8a24e6821f7f4fa
SHA256

cc64a875031c75c7f20410d362651e4c886c2e12b13fd041dcf492471f8694ec
SHA512

19822e0154074d2264520edc472a32950648dafb4f269988bcd0e6dd1d22d302b9be744278277f5028bf3481037fa3a661594578a8a6c71317dc810cd3bb8bee
SSDEEP

192:P/J7CcaAtRdBzGkDbb5qZKFGbj+pFaNJhLkwcud2DH9VwGfctsuQP:B1FNkKymaNJawcudoD7UmHP

Score

8^/10

execution upx

Malware Config

Signatures

Blocklisted process makes network request 5 IoCs

flow	pid	Process
19	3852	powershell.exe
22	3852	powershell.exe
25	3852	powershell.exe
27	3852	powershell.exe
43	3852	powershell.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	GjIeRXj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-701583114-2636601053-947405450-1000\Control Panel\International\Geo\Nation	b2e.exe

Executes dropped EXE 8 IoCs

pid	Process
2552	b2e.exe
2584	spicetify.exe
3484	spicetify.exe
4008	spicetify.exe
3960	spicetify.exe
2800	spicetify.exe
1700	spicetify.exe
4000	spicetify.exe

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/3592-0-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/3592-11-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4484	powershell.exe
4592	powershell.exe
3852	powershell.exe
1376	powershell.exe
4004	powershell.exe
844	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3852	powershell.exe
3852	powershell.exe
1376	powershell.exe
1376	powershell.exe
4004	powershell.exe
4004	powershell.exe
844	powershell.exe
844	powershell.exe
4484	powershell.exe
4484	powershell.exe
4592	powershell.exe
4592	powershell.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeDebugPrivilege	3852	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4004	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	4484	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	2816	taskmgr.exe
Token: SeSystemProfilePrivilege	2816	taskmgr.exe
Token: SeCreateGlobalPrivilege	2816	taskmgr.exe

Suspicious use of FindShellTrayWindow 23 IoCs

pid	Process
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe

Suspicious use of SendNotifyMessage 22 IoCs

pid	Process
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe
2816	taskmgr.exe

Suspicious use of WriteProcessMemory 51 IoCs

description	pid	Process	procid_target
PID 3592 wrote to memory of 2552	3592	GjIeRXj.exe	85
PID 3592 wrote to memory of 2552	3592	GjIeRXj.exe	85
PID 3592 wrote to memory of 2552	3592	GjIeRXj.exe	85
PID 2552 wrote to memory of 1996	2552	b2e.exe	86
PID 2552 wrote to memory of 1996	2552	b2e.exe	86
PID 2552 wrote to memory of 1996	2552	b2e.exe	86
PID 1996 wrote to memory of 1200	1996	cmd.exe	89
PID 1996 wrote to memory of 1200	1996	cmd.exe	89
PID 1996 wrote to memory of 1200	1996	cmd.exe	89
PID 1996 wrote to memory of 3852	1996	cmd.exe	91
PID 1996 wrote to memory of 3852	1996	cmd.exe	91
PID 1996 wrote to memory of 3852	1996	cmd.exe	91
PID 3852 wrote to memory of 2584	3852	powershell.exe	96
PID 3852 wrote to memory of 2584	3852	powershell.exe	96
PID 3852 wrote to memory of 2584	3852	powershell.exe	96
PID 3852 wrote to memory of 3484	3852	powershell.exe	97
PID 3852 wrote to memory of 3484	3852	powershell.exe	97
PID 3852 wrote to memory of 3484	3852	powershell.exe	97
PID 3852 wrote to memory of 4008	3852	powershell.exe	98
PID 3852 wrote to memory of 4008	3852	powershell.exe	98
PID 3852 wrote to memory of 4008	3852	powershell.exe	98
PID 3852 wrote to memory of 3960	3852	powershell.exe	99
PID 3852 wrote to memory of 3960	3852	powershell.exe	99
PID 3852 wrote to memory of 3960	3852	powershell.exe	99
PID 3852 wrote to memory of 2800	3852	powershell.exe	100
PID 3852 wrote to memory of 2800	3852	powershell.exe	100
PID 3852 wrote to memory of 2800	3852	powershell.exe	100
PID 2800 wrote to memory of 1376	2800	spicetify.exe	101
PID 2800 wrote to memory of 1376	2800	spicetify.exe	101
PID 2800 wrote to memory of 1376	2800	spicetify.exe	101
PID 2800 wrote to memory of 4004	2800	spicetify.exe	102
PID 2800 wrote to memory of 4004	2800	spicetify.exe	102
PID 2800 wrote to memory of 4004	2800	spicetify.exe	102
PID 2800 wrote to memory of 844	2800	spicetify.exe	103
PID 2800 wrote to memory of 844	2800	spicetify.exe	103
PID 2800 wrote to memory of 844	2800	spicetify.exe	103
PID 3852 wrote to memory of 1700	3852	powershell.exe	104
PID 3852 wrote to memory of 1700	3852	powershell.exe	104
PID 3852 wrote to memory of 1700	3852	powershell.exe	104
PID 1700 wrote to memory of 4484	1700	spicetify.exe	105
PID 1700 wrote to memory of 4484	1700	spicetify.exe	105
PID 1700 wrote to memory of 4484	1700	spicetify.exe	105
PID 3852 wrote to memory of 4000	3852	powershell.exe	106
PID 3852 wrote to memory of 4000	3852	powershell.exe	106
PID 3852 wrote to memory of 4000	3852	powershell.exe	106
PID 4000 wrote to memory of 4592	4000	spicetify.exe	107
PID 4000 wrote to memory of 4592	4000	spicetify.exe	107
PID 4000 wrote to memory of 4592	4000	spicetify.exe	107
PID 2552 wrote to memory of 3160	2552	b2e.exe	108
PID 2552 wrote to memory of 3160	2552	b2e.exe	108
PID 2552 wrote to memory of 3160	2552	b2e.exe	108

C:\Users\Admin\AppData\Local\Temp\GjIeRXj.exe
"C:\Users\Admin\AppData\Local\Temp\GjIeRXj.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3592
- C:\Users\Admin\AppData\Local\Temp\C890.tmp\b2e.exe
  "C:\Users\Admin\AppData\Local\Temp\C890.tmp\b2e.exe" C:\Users\Admin\AppData\Local\Temp\C890.tmp\b2e.exe C:\Users\Admin\AppData\Local\Temp "C:\Users\Admin\AppData\Local\Temp\GjIeRXj.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\CA74.tmp\batchfile.bat" "
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1996
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /v "^;;;===,,," "C:\Users\Admin\AppData\Local\Temp\CA74.tmp\batchfile.bat"
      4⤵
      PID:1200
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      PowerShell.exe -ExecutionPolicy Bypass -Command "& 'C:\Users\Admin\AppData\Local\Temp\CA74.tmp\ps.ps1'"
      4⤵
      Blocklisted process makes network request
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3852
    - - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
        
        "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
        5⤵
        Executes dropped EXE
        
        PID:2584
    - - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
        
        "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
        5⤵
        Executes dropped EXE
        
        PID:3484
    - - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
        
        "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
        5⤵
        Executes dropped EXE
        
        PID:4008
    - - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
        
        "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" -c
        5⤵
        Executes dropped EXE
        
        PID:3960
    - - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
        
        "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config current_theme SpotifyNoPremium
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2800
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4004
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
        
        "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" config extensions adblock.js
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1700
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
    - - C:\Users\Admin\AppData\Local\spicetify\spicetify.exe
        
        "C:\Users\Admin\AppData\Local\spicetify\spicetify.exe" auto
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4000
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -NoProfile -NonInteractive "(Get-AppxPackage | Where-Object -Property Name -Eq \"SpotifyAB.SpotifyMusic\").InstallLocation"
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\selfdel0.bat" "
    3⤵
    PID:3160

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4612

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
7163b3bbe49a18bf844c888bdb6167d2

SHA1
13cdd672cd71ca1ef9b2647f22839c3cbf702f19

SHA256
8bebae95711f1ce927aade38d5662522ae3a17e630749f0f4ea19cede5b09fa6

SHA512
2db0384ad44b7c2d02173da6083d65413a9e6e736463cf0a53cb2cea32c6125fcbc49707191104c93b74253c499def8a7ff8a48d7fd79a6b5f32515595810ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\ModuleAnalysisCache

Filesize
53KB

MD5
b4a11d76a4e37697147804016f675042

SHA1
d41c257858ceb5a615ab724cd320b722b5b59b27

SHA256
30f81877525c35e19326b3295f15849dbe335efee0b0926f676de49bbf8ea792

SHA512
58202f656e5bd7714bc57fef18423b72b36f6e67b552ca43fd7c972b1c6799f857a62852224e062f93fb901f3ff61f149a18b3fffd916ef7526976f76d7de75b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
016190a44710d8ddf0d45fa443654e72

SHA1
6299071f6a022db1729f0e1d5c324546c0a3bc3a

SHA256
88755dab013c6de339e2feec21696af534fb03bc95af43980034edcc6028c8c3

SHA512
09cf7f3f6ae71a9bd1d10be275df43b4b8c39ddccc11128f77f0d7e5eb949483d6723eb1811e717e4e0d5ae29ca2dc65057669d7ed5293524523cafeef87faf2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
61ca8f51b1e08350a23172634f842b03

SHA1
514b029b7b9bdc6810310c4c629afb8c83d288eb

SHA256
c10eae0ef1b464df2c3f21418bd05618d006f32e9e0fe0e6a5f5632201e76347

SHA512
5d54750f3d332f4aabe3f61179f9e94076904ebacd6b74ae984b8449e5b011797ce4541da2761fcf4dbf73c49fca288e2ac289e5e51b59981562fd62002723e9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
ddf54ae446dc4391e0012ed89fd2e1c7

SHA1
63d2ff97557722d57c530be3bb22b8ed552577ff

SHA256
2065d6ccfe4c0cca1207e3036b117fd26a2a6cc1274324a7a0c9133a06786519

SHA512
39acf461d4967eaaa4b30d865ce1eda4089cecc0386ab7370837ee79c5d93645dcc16a8577c95bc880b2a6600ab4eba9fef68e6de364f3e4a2b03cddc934d182

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
d63ad9fd0dab9d23e668b372c01a930b

SHA1
a92ebd5ae01a2165ae49873f4ba7288dc5200bf4

SHA256
2831fd08562175c9fbdc36d3dba4a9e9e4c5d70c3a379cbb2b7d81c1986a4fe2

SHA512
d977ffba918d5fe8351f2c0a851b698b58c8199c6b8801518d7175e43bf7b91ef3dadbfa29b954a1ed179a509f51929c28be177738ea42b99d3989ddf339ae23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
612B

MD5
20086350072e960dc01bfcf81b62cdd0

SHA1
a31ea8366fd9cb1f02beeaa15af48882dcee8923

SHA256
2a31c694e36d7424dbe31b653bc143c104b7ff9ae7fe4842b9284c1db01e7953

SHA512
ff4a5e33d9eafd16a93e29f625d1788c840b257ebaceed39f6a122ca99fe0aee54bab9b77341e5f7e7a786654ff96452f552adbce3fd3659f017299bf800b2ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\C890.tmp\b2e.exe

Filesize
13KB

MD5
b98952914563ae10d390dcf06eb435e4

SHA1
f96fc1370bacb1d32b9b9c3c786a024c0ec4414d

SHA256
1b4cd7f1798849c2d6f8b6527ed439f08d7d4834b54d48496403d8d3f1ae0fd1

SHA512
3f4c871dc7aae92ec21523e4a825a4c4dfd3d99b99246c8c3c9f7e1243efa9cb29e75b3b31dfa3f1ce63175c6c27c1ea6cbfcf9596fb73dd63b4076ea6e68029

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA74.tmp\batchfile.bat

Filesize
4KB

MD5
3b0ade72d04f213270c57a5393588687

SHA1
cf58e2d8bcbe5638c7d396ee82a2bb992b67516e

SHA256
2744a7dc3b526f20b1553506e6d3076dfad30ab56309c7896d393686e38f1523

SHA512
9b3bae372e77bc2236f750ea7f32ff9d2a6d047cb96c6af9a4a4b2b489d4700795350b52a337d14845d5aca25354dd997fe0d1176d3cc4006ae3de42ae635ffd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA74.tmp\ps.ps1

Filesize
4KB

MD5
160c222cb06b996df28d277be301ed34

SHA1
6c7d58222cc005beca82597d9822a78bf6662d1e

SHA256
5c68b2bdad8c2bb73e157ac247565f4baf5540f48e6b01371863d567275f1398

SHA512
cd33be6ccc8933aa1f7b6c0bf4888c00990d894a392a15c979a8eedf9d67aa522d3cf78c4e110c41abc177fa5d0df79982bdebaeb7be5986ccac32a166340666

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kly2cm2j.iyb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\selfdel0.bat

Filesize
158B

MD5
58f352e34f85986b72c2c2c76333e3b6

SHA1
406d502983f1165ce76f8e949e73cac72ee53e07

SHA256
7a80b49502796ac8ceec61a2985686e092061c96b774b35515da28e798c61040

SHA512
85b229e9db329232de69ce9920cd8689a0e9dbf9678772737f8ceec62934d2011bf04854fed430779c592491c71d7afd28ea9527d5f7c7a63ac8a7e605e5c246

Download Submit
C:\Users\Admin\AppData\Local\spicetify\spicetify.exe

Filesize
8.1MB

MD5
41157f979346a901a83b4747fa6e8b46

SHA1
9b2cc37c42b2e4ad7fd845ea8cf90c8166d1ee45

SHA256
262550697ac47355e29c0b20e2501e80ac0cf6115d24092ddd2e1332c34c19b5

SHA512
eb59e76c5e44164fbfa3276d88961c99cf69fd94547e91d68132ce149b2fe130ea312158bf469f9a19c73ff247ab7fdb277d094e5d98f9805b79c1da68b671b1

Download Submit
C:\Users\Admin\AppData\Roaming\spicetify\config-xpui.ini

Filesize
649B

MD5
e206eaf0bb92cd15cabbc71ccdce53c6

SHA1
a223770a6d1ad7cb0580e1f03207e36bf08bae98

SHA256
ed866be1c381eb5590dcccd04bbd8f486d066b578434d3619bc03f3c232d3529

SHA512
ccaf7fa92426069738c861cef5c06fecc73a909628010634e96d88d41395b5a222a80e4790e80c1449ca9384c7ca15537e62249345c831054ad63ea41d492135

Download Submit
memory/2552-61-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2552-9-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2552-291-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download
memory/2816-301-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-293-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-294-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-295-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-305-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-304-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-303-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-302-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-300-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/2816-299-0x000001CB4A5F0000-0x000001CB4A5F1000-memory.dmp

Filesize
4KB

Download
memory/3592-0-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3592-11-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3852-35-0x0000000006550000-0x000000000656E000-memory.dmp

Filesize
120KB

Download
memory/3852-53-0x0000000007600000-0x000000000761E000-memory.dmp

Filesize
120KB

Download
memory/3852-58-0x0000000008AF0000-0x0000000009094000-memory.dmp

Filesize
5.6MB

Download
memory/3852-62-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

Filesize
4KB

Download
memory/3852-63-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3852-64-0x000000000AB00000-0x000000000AB96000-memory.dmp

Filesize
600KB

Download
memory/3852-65-0x0000000008A90000-0x0000000008AB2000-memory.dmp

Filesize
136KB

Download
memory/3852-66-0x000000000ADF0000-0x000000000AFB2000-memory.dmp

Filesize
1.8MB

Download
memory/3852-67-0x000000000B4F0000-0x000000000BA1C000-memory.dmp

Filesize
5.2MB

Download
memory/3852-68-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3852-70-0x0000000070860000-0x0000000070BB4000-memory.dmp

Filesize
3.3MB

Download
memory/3852-80-0x00000000079D0000-0x00000000079DA000-memory.dmp

Filesize
40KB

Download
memory/3852-81-0x000000000AC90000-0x000000000ACA1000-memory.dmp

Filesize
68KB

Download
memory/3852-82-0x0000000008970000-0x0000000008982000-memory.dmp

Filesize
72KB

Download
memory/3852-83-0x0000000008940000-0x000000000894A000-memory.dmp

Filesize
40KB

Download
memory/3852-57-0x0000000007C00000-0x0000000007C26000-memory.dmp

Filesize
152KB

Download
memory/3852-56-0x0000000007600000-0x000000000760A000-memory.dmp

Filesize
40KB

Download
memory/3852-55-0x0000000007B90000-0x0000000007BA6000-memory.dmp

Filesize
88KB

Download
memory/3852-54-0x0000000007AC0000-0x0000000007B63000-memory.dmp

Filesize
652KB

Download
memory/3852-59-0x0000000008540000-0x00000000085D2000-memory.dmp

Filesize
584KB

Download
memory/3852-43-0x0000000070860000-0x0000000070BB4000-memory.dmp

Filesize
3.3MB

Download
memory/3852-42-0x00000000706F0000-0x000000007073C000-memory.dmp

Filesize
304KB

Download
memory/3852-41-0x0000000007980000-0x00000000079B2000-memory.dmp

Filesize
200KB

Download
memory/3852-40-0x0000000007A20000-0x0000000007ABC000-memory.dmp

Filesize
624KB

Download
memory/3852-287-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3852-39-0x0000000006A90000-0x0000000006AAA000-memory.dmp

Filesize
104KB

Download
memory/3852-38-0x0000000007EC0000-0x000000000853A000-memory.dmp

Filesize
6.5MB

Download
memory/3852-36-0x00000000065A0000-0x00000000065EC000-memory.dmp

Filesize
304KB

Download
memory/3852-34-0x0000000005F80000-0x00000000062D4000-memory.dmp

Filesize
3.3MB

Download
memory/3852-23-0x0000000005DA0000-0x0000000005E06000-memory.dmp

Filesize
408KB

Download
memory/3852-24-0x0000000005F10000-0x0000000005F76000-memory.dmp

Filesize
408KB

Download
memory/3852-22-0x00000000055C0000-0x00000000055E2000-memory.dmp

Filesize
136KB

Download
memory/3852-21-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3852-19-0x0000000005700000-0x0000000005D28000-memory.dmp

Filesize
6.2MB

Download
memory/3852-20-0x0000000073E60000-0x0000000074610000-memory.dmp

Filesize
7.7MB

Download
memory/3852-18-0x0000000004FD0000-0x0000000005006000-memory.dmp

Filesize
216KB

Download
memory/3852-17-0x0000000073E6E000-0x0000000073E6F000-memory.dmp

Filesize
4KB

Download