Analysis Overview
SHA256
35539ea45b8981e7c44faf2cf2b4e92ed83863a1c6ee19c45a2ae41b65ecf003
Threat Level: Known bad
The file Pro Chair + Blocker.exe was found to be: Known bad.
Malicious Activity Summary
Modifies visibility of hidden/system files in Explorer
Downloads MZ/PE file
Loads dropped DLL
Executes dropped EXE
Reads user/profile data of web browsers
UPX packed file
Looks up external IP address via web service
Adds Run key to start application
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Detects Pyinstaller
Unsigned PE
Event Triggered Execution: Netsh Helper DLL
Suspicious use of AdjustPrivilegeToken
Scheduled Task/Job: Scheduled Task
Suspicious use of FindShellTrayWindow
Enumerates system info in registry
Modifies registry key
Modifies data under HKEY_USERS
Suspicious use of SetWindowsHookEx
Suspicious use of SendNotifyMessage
Suspicious behavior: GetForegroundWindowSpam
Suspicious behavior: EnumeratesProcesses
Suspicious use of WriteProcessMemory
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-20 03:50
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 03:50
Reported
2024-06-20 03:53
Platform
win7-20240508-en
Max time kernel
150s
Max time network
122s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe"
\??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe
"c:\users\admin\appdata\local\temp\pro chair + blocker.exe "
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\Explorer.exe
C:\Windows\Explorer.exe
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:52 /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:53 /f
C:\Windows\SysWOW64\schtasks.exe
schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:54 /f
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | apps.identrust.com | udp |
| NL | 23.63.101.171:80 | apps.identrust.com | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| N/A | 127.0.0.1:49264 | N/A | tcp |
| N/A | 127.0.0.1:49266 | N/A | tcp |
Files
memory/2060-0-0x0000000000400000-0x000000000041F000-memory.dmp
\Users\Admin\AppData\Local\Temp\pro chair + blocker.exe
| MD5 | 0e2c1ee8e6bdb339094ec24026a01e20 |
| SHA1 | 449972cb63e21bf25d03ad1e85cf87af97c75a2e |
| SHA256 | ffe104f44b6a84074e2305fba55c1cb777446d1dace44c23eaf873536dcc542f |
| SHA512 | c0a71a9d796802bdf7110c8f69ebdaeb9c968df69b41a8bc1ff52f3a4082f40df93085ec278863acc93763ca11114b4eac5278db136540be0bea67aa93c607c5 |
\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 15a0dce7203a773f9e27405c6e7ec5ae |
| SHA1 | bfd02c9f6c4dafe7fe2c8fd4bc51f8f9a9f84aff |
| SHA256 | 92eab4d199a1e592b38ba7c06ebcd8314f9532613fbb8dea53b674e69d10a389 |
| SHA512 | ba4fd5801fd01b42baf3bedc3c4a8e6b46354f43d6c30432b2fde075cf210f2436937243f13d4d78e3974eabd18d5a450e0382c2b5332cf9e7604916489399a1 |
C:\Windows\Resources\Themes\explorer.exe
| MD5 | b456f2d9bd6e2810b171316ced69a114 |
| SHA1 | 7796e4e6785e61f86d3fc591708d030a75c93f9b |
| SHA256 | c29b5443ad6004d3e1488acfcb45871d0975861a2561c597db0cf9d06e0c46f2 |
| SHA512 | e8461540bad9539011ece330f34c95b51380e76130327a1cfe9522bfd5e67ae93c847ed19932e221211658068f73c160f2e1def01945cbbb990d64d5f29383c2 |
memory/3016-24-0x00000000003A0000-0x00000000003BF000-memory.dmp
C:\Windows\Resources\spoolsv.exe
| MD5 | 1d0625bd2b12cc0e45928a4a6f9dd0f1 |
| SHA1 | 954a3e7c9205bcb7bf3020cfc89c5942f4b644ef |
| SHA256 | e84e07653af848c6a33d4355b1ddbeee5f1ce3d34e56886578a608075bfc1805 |
| SHA512 | 40ed19df7b8abbe5743e23090573746cd46d96da56df3dd9563acd2bb719789b35453a4e2fefc87da1bb6450d3d83d3cb9e083ca1ae0fbcf38a407f8fe62b53d |
memory/2592-34-0x0000000002280000-0x000000000229F000-memory.dmp
memory/2680-42-0x0000000000400000-0x000000000041F000-memory.dmp
\??\c:\windows\resources\svchost.exe
| MD5 | 191fd21dddb144336fb54be1726eba03 |
| SHA1 | 9bd19a0b3ee3673e7ee55d24daca9bdfc7cc4d67 |
| SHA256 | b655ac67e95bf021986819168c1db410ebfc9976bd310045cfff7b0d8063f8d1 |
| SHA512 | 816e1a96dc5b8625aa4a55a8f1d1a2db17d95c4f4e25a3efd09f5c17a05ae39c9962d2ab52ab9a800024993d79729d63716696a86c5e27eb7385318d4ee1b0a4 |
memory/2740-54-0x00000000002B0000-0x00000000002CF000-memory.dmp
memory/2740-50-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2060-61-0x0000000000400000-0x000000000041F000-memory.dmp
memory/3016-60-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2996-59-0x0000000000400000-0x000000000041F000-memory.dmp
memory/2680-46-0x00000000003D0000-0x00000000003EF000-memory.dmp
memory/1144-72-0x000000013FAA0000-0x0000000140478000-memory.dmp
memory/1144-68-0x000000013FB38000-0x000000013FED9000-memory.dmp
memory/1144-66-0x00000000777D0000-0x00000000777D2000-memory.dmp
memory/1144-64-0x00000000777D0000-0x00000000777D2000-memory.dmp
memory/1144-62-0x00000000777D0000-0x00000000777D2000-memory.dmp
memory/1144-74-0x000000013FB38000-0x000000013FED9000-memory.dmp
memory/1144-75-0x000000013FAA0000-0x0000000140478000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 03:50
Reported
2024-06-20 03:53
Platform
win10v2004-20240508-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Modifies visibility of hidden/system files in Explorer
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" | \??\c:\windows\resources\svchost.exe | N/A |
Downloads MZ/PE file
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\spoolsv.exe | N/A |
| N/A | N/A | C:\Users\Admin\Downloads\DemonWare.exe | N/A |
| N/A | N/A | \??\c:\users\admin\downloads\demonware.exe | N/A |
| N/A | N/A | \??\c:\users\admin\downloads\demonware.exe | N/A |
| N/A | N/A | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
Loads dropped DLL
Reads user/profile data of web browsers
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\themes\explorer.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" | \??\c:\windows\resources\svchost.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" | C:\Windows\system32\reg.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
| N/A | ipapi.co | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\explorer.exe | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe | N/A |
| N/A | N/A | \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Resources\tjud.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe | N/A |
| File opened for modification | \??\c:\windows\resources\themes\explorer.exe | C:\Windows\Resources\Themes\icsys.icn.exe | N/A |
| File opened for modification | \??\c:\windows\resources\spoolsv.exe | \??\c:\windows\resources\themes\explorer.exe | N/A |
| File opened for modification | \??\c:\windows\resources\svchost.exe | \??\c:\windows\resources\spoolsv.exe | N/A |
| File opened for modification | C:\Windows\Resources\Themes\icsys.icn.exe | C:\Users\Admin\Downloads\DemonWare.exe | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies data under HKEY_USERS
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633290589254735" | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | \??\c:\windows\resources\themes\explorer.exe | N/A |
| N/A | N/A | \??\c:\windows\resources\svchost.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
| N/A | N/A | C:\Program Files\Google\Chrome\Application\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe
"C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe"
\??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe
"c:\users\admin\appdata\local\temp\pro chair + blocker.exe "
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe SE
\??\c:\windows\resources\svchost.exe
c:\windows\resources\svchost.exe
\??\c:\windows\resources\spoolsv.exe
c:\windows\resources\spoolsv.exe PR
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5 | find /i /v "md5" | find /i /v "certutil"
C:\Windows\system32\certutil.exe
certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5
C:\Windows\system32\find.exe
find /i /v "md5"
C:\Windows\system32\find.exe
find /i /v "certutil"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c CLS
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd4baab58,0x7ffdd4baab68,0x7ffdd4baab78
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:2
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4416 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3908 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4544 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3056 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4972 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5036 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5204 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5224 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Users\Admin\Downloads\DemonWare.exe
"C:\Users\Admin\Downloads\DemonWare.exe"
\??\c:\users\admin\downloads\demonware.exe
c:\users\admin\downloads\demonware.exe
\??\c:\users\admin\downloads\demonware.exe
c:\users\admin\downloads\demonware.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "ver"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"
C:\Windows\system32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"
C:\Windows\System32\wbem\WMIC.exe
C:\Windows\System32\wbem\WMIC.exe csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\Resources\Themes\icsys.icn.exe
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
\??\c:\windows\resources\themes\explorer.exe
c:\windows\resources\themes\explorer.exe
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3192 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4756 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5436 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"
C:\Windows\system32\netsh.exe
netsh wlan show profiles
C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | keyauth.win | udp |
| US | 104.26.1.5:443 | keyauth.win | tcp |
| US | 8.8.8.8:53 | x2.c.lencr.org | udp |
| BE | 23.55.97.11:80 | x2.c.lencr.org | tcp |
| US | 8.8.8.8:53 | 5.1.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.97.55.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| N/A | 127.0.0.1:49861 | | tcp |
| N/A | 127.0.0.1:49863 | | tcp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.187.196:443 | www.google.com | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 8.8.8.8:53 | 234.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 195.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | apis.google.com | udp |
| GB | 142.250.200.14:443 | apis.google.com | tcp |
| US | 8.8.8.8:53 | 195.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | play.google.com | udp |
| GB | 142.250.179.238:443 | play.google.com | tcp |
| US | 8.8.8.8:53 | 238.179.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | clients2.google.com | udp |
| GB | 142.250.187.238:443 | clients2.google.com | tcp |
| N/A | 224.0.0.251:5353 | | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 238.187.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | gofile.io | udp |
| FR | 151.80.29.83:443 | gofile.io | tcp |
| FR | 151.80.29.83:443 | gofile.io | tcp |
| US | 8.8.8.8:53 | 83.29.80.151.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.gofile.io | udp |
| FR | 151.80.29.83:443 | api.gofile.io | tcp |
| US | 8.8.8.8:53 | s.gofile.io | udp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| FR | 51.75.242.210:443 | s.gofile.io | tcp |
| US | 8.8.8.8:53 | content-autofill.googleapis.com | udp |
| GB | 172.217.169.10:443 | content-autofill.googleapis.com | tcp |
| US | 8.8.8.8:53 | 210.242.75.51.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | store9.gofile.io | udp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 206.168.190.239:443 | store9.gofile.io | tcp |
| US | 8.8.8.8:53 | 92.12.20.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 239.190.168.206.in-addr.arpa | udp |
| US | 8.8.8.8:53 | ipapi.co | udp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 44.9.26.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 232.135.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.110.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.cloudflare.com | udp |
| US | 104.16.124.96:443 | www.cloudflare.com | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 104.16.124.96:443 | www.cloudflare.com | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| US | 8.8.8.8:53 | 96.124.16.104.in-addr.arpa | udp |
| US | 104.16.124.96:443 | www.cloudflare.com | tcp |
| US | 104.26.9.44:443 | ipapi.co | tcp |
| GB | 142.250.187.196:443 | www.google.com | udp |
| US | 162.159.135.232:443 | discord.com | tcp |
| GB | 142.250.179.238:443 | play.google.com | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | beacons.gcp.gvt2.com | udp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| GB | 172.217.169.67:443 | beacons.gcp.gvt2.com | tcp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
Files
memory/208-0-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\pro chair + blocker.exe
| MD5 | 0e2c1ee8e6bdb339094ec24026a01e20 |
| SHA1 | 449972cb63e21bf25d03ad1e85cf87af97c75a2e |
| SHA256 | ffe104f44b6a84074e2305fba55c1cb777446d1dace44c23eaf873536dcc542f |
| SHA512 | c0a71a9d796802bdf7110c8f69ebdaeb9c968df69b41a8bc1ff52f3a4082f40df93085ec278863acc93763ca11114b4eac5278db136540be0bea67aa93c607c5 |
C:\Windows\Resources\Themes\icsys.icn.exe
| MD5 | 15a0dce7203a773f9e27405c6e7ec5ae |
| SHA1 | bfd02c9f6c4dafe7fe2c8fd4bc51f8f9a9f84aff |
| SHA256 | 92eab4d199a1e592b38ba7c06ebcd8314f9532613fbb8dea53b674e69d10a389 |
| SHA512 | ba4fd5801fd01b42baf3bedc3c4a8e6b46354f43d6c30432b2fde075cf210f2436937243f13d4d78e3974eabd18d5a450e0382c2b5332cf9e7604916489399a1 |
memory/1408-11-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Windows\Resources\Themes\explorer.exe
| MD5 | 23996ca3c46de6ed978503bbef62fe49 |
| SHA1 | ea4b499bf8ed6a5a40bca62d641a72b526d1f1ad |
| SHA256 | 76a90cfb5400bf5ae5623ee7c29bdd916c269b7c217803c961d4bc9a05b92ea3 |
| SHA512 | 720b9a6ab2a96afdfc4278cddf8ca80c58094c33b6068d214f53f97363e428825065c77e48351a52de3a53e6654681c3d8a08a07645371d691b34e3480241b32 |
\??\c:\windows\resources\spoolsv.exe
| MD5 | 552e16a19b63c277d79e660f005796b8 |
| SHA1 | 9f71bd61821ea467d3bf7c1fed38a346bca21acd |
| SHA256 | 77adf4ec4cc79c5dbb5f9a5bcbf0a2e26996f7c14054075cb16136dab2072699 |
| SHA512 | 2b59db928ab460762f4367d313baf2eb2abcd7362001fb2b7c64c7334b9c9e79d15cc10763576178d9dbe1cb0a55a43c0dd4d20749edb73af1ddcf205c76e581 |
memory/4668-31-0x0000000000400000-0x000000000041F000-memory.dmp
C:\Windows\Resources\svchost.exe
| MD5 | 290c8a025be90f63cc17f5f4fec07fc2 |
| SHA1 | 40848d8519c1aac331c19a78474706a3fceb60e0 |
| SHA256 | b223b8324a5c3c43cb73bbc9bd6c68ef18d93cbd076c9a7cb449ab9812a2ef38 |
| SHA512 | cca1d67de4e93f42046e5637a4e94297e7c328561ffe68f15d09b304f373285530c85d79371756627741ba94e7383e4f519623aa7ba9f13478a609ea086a8340 |
memory/1148-44-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1148-46-0x0000000000400000-0x000000000041F000-memory.dmp
memory/4668-47-0x0000000000400000-0x000000000041F000-memory.dmp
memory/208-49-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1408-48-0x0000000000400000-0x000000000041F000-memory.dmp
memory/1856-52-0x00007FF647810000-0x00007FF6481E8000-memory.dmp
memory/1856-51-0x00007FFDF26F0000-0x00007FFDF26F2000-memory.dmp
memory/1856-50-0x00007FF6478A8000-0x00007FF647C49000-memory.dmp
memory/1856-56-0x00007FF6478A8000-0x00007FF647C49000-memory.dmp
memory/1856-57-0x00007FF647810000-0x00007FF6481E8000-memory.dmp
\??\pipe\crashpad_4772_UESYVCLFHNANFRAG
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
| MD5 | d751713988987e9331980363e24189ce |
| SHA1 | 97d170e1550eee4afc0af065b78cda302a97674c |
| SHA256 | 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945 |
| SHA512 | b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | 41e7f2e8ff15454cf9935f1b3818dbd6 |
| SHA1 | f52f1f007ed432b6f3cf79bff3d246397a2ed163 |
| SHA256 | 67d0a15705fb94cddb54226a7e26c10445765e24e9f7b7dbab81ee9dfd583ed7 |
| SHA512 | 0c0e142b392c246b2bc1f4ab6cc7b29d3560fd22bdb0066ab0ebaec3a6fd09a27e1128e2a1e070234990a8aa503ad3eb8aa408789758220ada761770c7fdf09c |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 6835653a437db4074509b6b903e8ad42 |
| SHA1 | ba4a51247e3466184c0cecffb4e0aef7f37e379a |
| SHA256 | 1bc75a97e2fd3ca666fee5e40ce73a5653dc68b641b2702158afaffaf23702f9 |
| SHA512 | 71dc127f4a88e80813e6ac40542ec79779c13b1d7d4257ee6722dd4c6f136b4aeb79d7c8604fbf40bdf589e6350222333c71c0465d7c218cfe46f11d8349cf36 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | 2aa2c941cf45ae1ca40d75fef8dabc04 |
| SHA1 | 28636fb5bda311afb3e279ea180faecb9d0761d9 |
| SHA256 | 4bec46ffd319a6502d6480a02b93c73945402a4af4d0c22f2f1b432420be8013 |
| SHA512 | d1f40132aa634fb2cfb4f929f87c9a2d626b805e4fcef812ef57741d9bfb46ec4ef9384680f55280a8274fa2f4d9a9ccc3b630dacb0a9b312a5a90c6565b05e9 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
| MD5 | 38f164ccabf170ae66f8d88fdaa0c14a |
| SHA1 | 6c8f5d622ded714735282d5e24fb1822d8b6fe5f |
| SHA256 | 45c2c84c93c0e641a6bbe230d36983952002b5361c73da929bdfc9bbaa586cd2 |
| SHA512 | 9837ad1f77c344ea1a318e2210b36e945ad482d5a15bdca16524b9b252d9a2793ce818bbda2399ebd4229b70c4f74b3874aa33fa5622f3ad635679d00bf6b73b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | ab6ae98ff98606697e1f51236c96abe9 |
| SHA1 | 4d5481453ad4b3ab7026a1c9eccb9e5ea30dd216 |
| SHA256 | 292c1a4308931b9a9ba9b9e2252c3f6d488695d6f8a8a7d415957b03372a552a |
| SHA512 | bc8ea22e2c59f1f86683cfeda42747c135f31c3d89918917860317b983af48b2f84e04dcc198569f9a083fcdc806a8f75490555094a6d1e0325153bb50ff6860 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 61bd063a9acc787680e3d1bbe04901c4 |
| SHA1 | 643fa614610409defe666fd698836821b648cca5 |
| SHA256 | 029ab24cbf45160774940f817f76e46b540b7c595377ee80a728aa83e72a2b58 |
| SHA512 | 1295e6ec11750c818c026985913c55cac270e8f40a5835b76cecc8885392a65a4ef2be671c5fcb13106e3e6a1a20f65d9b5769126a21b461e5e292190fc45621 |
C:\Users\Admin\Downloads\DemonWare.exe
| MD5 | 40f76deda9228388017c91aca9621de5 |
| SHA1 | f45e55b76725263883a9e40cefcd3a9d88ab89c0 |
| SHA256 | 0359e89e0cff0d5537c3e4cf032b1e66f2f49b969a20737563e6ba72d06f1512 |
| SHA512 | 1ad3ee7759aea345f29352ee29fa68193a0c2234b9e92f59f060b7361d6f2ac6cf89f6522c8772f67794a8ef3622cace5152a062630c5627010fe2412f6c345d |
memory/5468-200-0x0000000000400000-0x000000000045D000-memory.dmp
C:\Users\Admin\Downloads\demonware.exe
| MD5 | 46baf83fb95e22e34ae73658e40583fd |
| SHA1 | 8b5c3072ede486f392dbe9d1d08326d6baa1c851 |
| SHA256 | bccca4526fc6c918057f568611a258a665c7184e808f49c1d792f67bdbb6adc0 |
| SHA512 | f9f7f80a0abeb5ebfa4d5154af17101a01bc558b2f646ccf5e72759cdcafe4a8a6a75c50af7a5d5be36e1ba46cad25634ab526e420718007c1704140e852c781 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\python310.dll
| MD5 | 69d4f13fbaeee9b551c2d9a4a94d4458 |
| SHA1 | 69540d8dfc0ee299a7ff6585018c7db0662aa629 |
| SHA256 | 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046 |
| SHA512 | 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\VCRUNTIME140.dll
| MD5 | 870fea4e961e2fbd00110d3783e529be |
| SHA1 | a948e65c6f73d7da4ffde4e8533c098a00cc7311 |
| SHA256 | 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644 |
| SHA512 | 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\ucrtbase.dll
| MD5 | 0e0bac3d1dcc1833eae4e3e4cf83c4ef |
| SHA1 | 4189f4459c54e69c6d3155a82524bda7549a75a6 |
| SHA256 | 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae |
| SHA512 | a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\setuptools-65.5.0.dist-info\INSTALLER
| MD5 | 365c9bfeb7d89244f2ce01c1de44cb85 |
| SHA1 | d7a03141d5d6b1e88b6b59ef08b6681df212c599 |
| SHA256 | ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508 |
| SHA512 | d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1 |
memory/5164-399-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\base_library.zip
| MD5 | 524a85217dc9edc8c9efc73159ca955d |
| SHA1 | a4238cbde50443262d00a843ffe814435fb0f4e2 |
| SHA256 | 808549964adb09afafb410cdc030df4813c5c2a7276a94e7f116103af5de7621 |
| SHA512 | f5a929b35a63f073bdc7600155ba2f0f262e6f60cf67efb38fa44e8b3be085cf1d5741d66d25a1ecaaf3f94abfe9bbe97d135f8a47c11f2b811d2aac6876f46c |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\python3.DLL
| MD5 | c17b7a4b853827f538576f4c3521c653 |
| SHA1 | 6115047d02fbbad4ff32afb4ebd439f5d529485a |
| SHA256 | d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68 |
| SHA512 | 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_ctypes.pyd
| MD5 | 6ca9a99c75a0b7b6a22681aa8e5ad77b |
| SHA1 | dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8 |
| SHA256 | d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8 |
| SHA512 | b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe |
memory/5164-409-0x00007FFDE7960000-0x00007FFDE796F000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_bz2.pyd
| MD5 | 758fff1d194a7ac7a1e3d98bcf143a44 |
| SHA1 | de1c61a8e1fb90666340f8b0a34e4d8bfc56da07 |
| SHA256 | f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708 |
| SHA512 | 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\pyexpat.pyd
| MD5 | 5a328b011fa748939264318a433297e2 |
| SHA1 | d46dd2be7c452e5b6525e88a2d29179f4c07de65 |
| SHA256 | e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14 |
| SHA512 | 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87 |
memory/5164-418-0x00007FFDD0C20000-0x00007FFDD0C54000-memory.dmp
memory/5164-415-0x00007FFDD0C60000-0x00007FFDD0C8D000-memory.dmp
memory/5164-414-0x00007FFDDA750000-0x00007FFDDA769000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_lzma.pyd
| MD5 | abceeceaeff3798b5b0de412af610f58 |
| SHA1 | c3c94c120b5bed8bccf8104d933e96ac6e42ca90 |
| SHA256 | 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e |
| SHA512 | 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\select.pyd
| MD5 | 72009cde5945de0673a11efb521c8ccd |
| SHA1 | bddb47ac13c6302a871a53ba303001837939f837 |
| SHA256 | 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca |
| SHA512 | d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\VCRUNTIME140_1.dll
| MD5 | bba9680bc310d8d25e97b12463196c92 |
| SHA1 | 9a480c0cf9d377a4caedd4ea60e90fa79001f03a |
| SHA256 | e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab |
| SHA512 | 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739 |
memory/5164-431-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\pywintypes310.dll
| MD5 | 6f2aa8fa02f59671f99083f9cef12cda |
| SHA1 | 9fd0716bcde6ac01cd916be28aa4297c5d4791cd |
| SHA256 | 1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6 |
| SHA512 | f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211 |
memory/5164-435-0x00007FFDD0B00000-0x00007FFDD0B2B000-memory.dmp
memory/5164-434-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp
memory/5164-433-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp
memory/5164-432-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp
memory/5164-427-0x00007FFDE3270000-0x00007FFDE327D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_queue.pyd
| MD5 | 0d267bb65918b55839a9400b0fb11aa2 |
| SHA1 | 54e66a14bea8ae551ab6f8f48d81560b2add1afc |
| SHA256 | 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c |
| SHA512 | c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56 |
memory/5164-424-0x00007FFDE4030000-0x00007FFDE403D000-memory.dmp
memory/5164-421-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI50922\_socket.pyd
| MD5 | afd296823375e106c4b1ac8b39927f8b |
| SHA1 | b05d811e5a5921d5b5cc90b9e4763fd63783587b |
| SHA256 | e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007 |
| SHA512 | 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369 |
C:\Users\Admin\AppData\Local\Temp\_MEI50922\libffi-7.dll
| MD5 | b5150b41ca910f212a1dd236832eb472 |
| SHA1 | a17809732c562524b185953ffe60dfa91ba3ce7d |
| SHA256 | 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a |
| SHA512 | 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6 |
memory/5164-438-0x00007FFDD0AB0000-0x00007FFDD0AF2000-memory.dmp
memory/5164-407-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp
memory/5164-439-0x00007FFDDD440000-0x00007FFDDD44A000-memory.dmp
memory/5164-441-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp
memory/5164-440-0x00007FFDD0A90000-0x00007FFDD0AAC000-memory.dmp
memory/5164-443-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp
memory/5164-444-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp
memory/5164-442-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp
memory/5164-445-0x000002315B600000-0x000002315B975000-memory.dmp
memory/5164-446-0x00007FFDD0590000-0x00007FFDD0617000-memory.dmp
memory/5164-447-0x00007FFDD0570000-0x00007FFDD0584000-memory.dmp
memory/5164-450-0x00007FFDD0540000-0x00007FFDD0566000-memory.dmp
memory/5164-452-0x00007FFDD0420000-0x00007FFDD0538000-memory.dmp
memory/5164-451-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp
memory/5164-449-0x00007FFDD5270000-0x00007FFDD527B000-memory.dmp
memory/5164-448-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp
memory/5164-454-0x00007FFDD0280000-0x00007FFDD03F1000-memory.dmp
memory/5164-453-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp
memory/5164-457-0x00007FFDD4730000-0x00007FFDD473B000-memory.dmp
memory/5164-461-0x00007FFDD0220000-0x00007FFDD022C000-memory.dmp
memory/5164-462-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp
memory/5164-460-0x00007FFDD0230000-0x00007FFDD023B000-memory.dmp
memory/5164-471-0x00007FFDD0180000-0x00007FFDD018C000-memory.dmp
memory/5164-470-0x00007FFDD0190000-0x00007FFDD019C000-memory.dmp
memory/5164-469-0x00007FFDD01A0000-0x00007FFDD01AB000-memory.dmp
memory/5164-473-0x00007FFDD0200000-0x00007FFDD020C000-memory.dmp
memory/5164-472-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp
memory/5164-468-0x00007FFDD01B0000-0x00007FFDD01BB000-memory.dmp
memory/5164-484-0x00007FFDD00A0000-0x00007FFDD00B7000-memory.dmp
memory/5164-483-0x00007FFDD0590000-0x00007FFDD0617000-memory.dmp
memory/5164-482-0x00007FFDD0140000-0x00007FFDD014C000-memory.dmp
memory/5164-481-0x00007FFDD0150000-0x00007FFDD0162000-memory.dmp
memory/5164-488-0x00007FFDCFFF0000-0x00007FFDD000E000-memory.dmp
memory/5164-487-0x00007FFDD0010000-0x00007FFDD0021000-memory.dmp
memory/5164-486-0x00007FFDD0030000-0x00007FFDD007C000-memory.dmp
memory/5164-485-0x00007FFDD0080000-0x00007FFDD0099000-memory.dmp
memory/5164-480-0x00007FFDD0170000-0x00007FFDD017D000-memory.dmp
memory/5164-479-0x00007FFDD00C0000-0x00007FFDD00E2000-memory.dmp
memory/5164-478-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp
memory/5164-490-0x00007FFDCFFC0000-0x00007FFDCFFE9000-memory.dmp
memory/5164-489-0x00007FFDD0540000-0x00007FFDD0566000-memory.dmp
memory/5164-477-0x00007FFDD0110000-0x00007FFDD0120000-memory.dmp
memory/5164-494-0x00007FFDCFD10000-0x00007FFDCFF62000-memory.dmp
memory/5164-493-0x00007FFDD0420000-0x00007FFDD0538000-memory.dmp
memory/5164-476-0x00007FFDD0120000-0x00007FFDD0135000-memory.dmp
memory/5164-475-0x00007FFDD01D0000-0x00007FFDD01DC000-memory.dmp
memory/5164-474-0x000002315B600000-0x000002315B975000-memory.dmp
memory/5164-467-0x00007FFDD01C0000-0x00007FFDD01CC000-memory.dmp
memory/5164-466-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp
memory/5164-465-0x00007FFDD01E0000-0x00007FFDD01EE000-memory.dmp
memory/5164-464-0x00007FFDD01F0000-0x00007FFDD01FD000-memory.dmp
memory/5164-463-0x00007FFDD0210000-0x00007FFDD021B000-memory.dmp
memory/5164-459-0x00007FFDD1C70000-0x00007FFDD1C7C000-memory.dmp
memory/5164-458-0x00007FFDD4480000-0x00007FFDD448B000-memory.dmp
memory/5164-456-0x00007FFDD0240000-0x00007FFDD0278000-memory.dmp
memory/5164-455-0x00007FFDD0AB0000-0x00007FFDD0AF2000-memory.dmp
C:\Users\Admin\Downloads\downloads_db
| MD5 | 91216919ce8d405c33b6a5be36386f48 |
| SHA1 | 4e82468eeb6f87083d05292b4f7c7ce105c0618f |
| SHA256 | ec56be9c10b5aafd1a3b8f475e3f73bc7a88717aa6a1819f5bf7bae38c166aa6 |
| SHA512 | 9dbb5c28f39de3499a2bf876613125d7f8d024ce3025ba6e1ec51d9b9b097ab1dbf345244b6cab0b8af80ff208583ccd5900e8878b163bec5d6a1466936ded9d |
C:\Users\Admin\Downloads\vault\web_history.txt
| MD5 | cd4190a7fd3ff66967a44319f2f3a7b6 |
| SHA1 | 0620e4072b5939fd504f4caffcb3f2e92cd59cc2 |
| SHA256 | b27b7bba460da337f64e1ff1edddc5252c5ca7a11cfaad780c76df5d09f6e290 |
| SHA512 | f6408dbbb483059ad1e8f0dfeedf0a938b687ed54361f6b104d7e3ec256f0c4cb44bce961dc87d6bd7bafa4cea586242b1479f2a37bb1fe31872718307abca65 |
C:\Users\Admin\Downloads\vault\downloads.txt
| MD5 | 59f8673e0dde208af34aedbe8b392210 |
| SHA1 | 62e731caee7e21203d2d68f6c5bf68bbb957ba1a |
| SHA256 | f13946f88418d2ac49ae013f09f099d0657e06fcefc46a637440a4a4855c449d |
| SHA512 | 4157713ec3b1e02af626a9f1054ad7f46d1d6467639e402ef4c9ca8433c8bd397f41673f8579c884c57ce7396a0b2c4978cb9e5f4851bd9f5f595834ca5d5421 |
C:\Users\Admin\Downloads\vault\cookies.txt
| MD5 | e7787aadf8a18c9bc9c6028f145a63d4 |
| SHA1 | eb6e12b31bdc0de890779072288d42d602273e5d |
| SHA256 | 0c6787b1ff124f2992676207495def3282d4d876439bdf2fe012c34fccfba316 |
| SHA512 | 864955798222d92ae980479b7af57c5282790b918ce7493345aabc5d6fdec605eeb289f8099639444590500409606da30113e09fbf4ce9b1cd2ac94156ece952 |
C:\Users\Admin\Downloads\downloads_db
| MD5 | 99f9e1d0e6242010707fea4814c5d1cc |
| SHA1 | 611cd9346a29f73337cc984f18885c34454e2689 |
| SHA256 | 82d690db648e3899eaef9c74b934da29980758295be66edde20716ce3e108074 |
| SHA512 | aefcd24d55be3c50585d9c1afcdb05702fdbe08572fbab25e6a48e6ced3239cb7760afc286e6ee16e0fe3d961a9251a19926a34ec3ca81211bd369405a9bbdd4 |
memory/5164-559-0x00007FFDD0280000-0x00007FFDD03F1000-memory.dmp
memory/5164-558-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | f40cf526aec16eaa700c46eb808358be |
| SHA1 | 1f89fb62d9c35dbf1b909d412a78cb0a16ed29a3 |
| SHA256 | 20d7653a7408476d7ea9e17af61066e772225fb669e67bc162d8be3f096bffef |
| SHA512 | 832039e5e6aa30b8b93de429d465476ec7d60f6d3b78c50ca097dd1663dcd648821af2a7e8edb7af9bf61072fcecdf6d9a1b67d13a075be35907b0e8bc9d46ae |
memory/5164-565-0x00007FFDD0240000-0x00007FFDD0278000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | e1c33030d1df8ad3c1c0a1e683906e3b |
| SHA1 | 971a6c3d5910bfb8a0239972f7ee4237465ade22 |
| SHA256 | da13df302b6229771813ef47731fdcbf07fd75805cc66186e6985299be69c476 |
| SHA512 | 4128d88c40df5ee6c421d0d2cb8969ccfa35fa7d91d82a47132164e16d520e898944216c29d47a14333bde65abc2b97bfe9dcabb09752afc86f9e6dc3a593c2b |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
| MD5 | ed59706062291957a70c051e0ba647c7 |
| SHA1 | 5370e90a6f83bf4a838575ab460137a2581e116f |
| SHA256 | ffdb83ce3a632a77f22ca52263a0b2019b776a8fecd68714be48e11a27f9ffcb |
| SHA512 | 0e6013ebecab3e1f98aaadd474b437b120b3a4c6e4c1ded9ed5e663cd6385a725ad5180015a4b842bf85b555ae1898e9f753fabc0149860fddcf81932cb82406 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a0ee.TMP
| MD5 | aa785cfffcefa9f4cd413dfcdbf6ed06 |
| SHA1 | b4999d99af8012fe3b1caf701cdac1d9db0d5087 |
| SHA256 | b9653cdd13c2d17d201606ae2108b6d7fc0ff20894575117bfbc531c16cce7da |
| SHA512 | bb6a9ec598ca7b393548e93844e2996441a36e2694f6069386553dcc792925bd8416cf35d75f8850a19904a072a4fc97631bc30eb50d2d7feb382a2ddc50525c |
memory/5164-586-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp
memory/5164-608-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp
memory/5164-601-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp
memory/5164-600-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp
memory/5164-585-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp
memory/5164-602-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp
memory/5164-595-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp
memory/5164-594-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp
memory/5164-591-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp
memory/5680-615-0x0000000000400000-0x000000000041F000-memory.dmp
memory/5620-617-0x0000000000400000-0x000000000045D000-memory.dmp
memory/5468-616-0x0000000000400000-0x000000000045D000-memory.dmp
memory/5164-645-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp
memory/5164-657-0x00007FFDD0420000-0x00007FFDD0538000-memory.dmp
memory/5164-656-0x00007FFDD0540000-0x00007FFDD0566000-memory.dmp
memory/5164-652-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp
memory/5164-651-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp
memory/5164-650-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp
memory/5164-649-0x00007FFDD0A90000-0x00007FFDD0AAC000-memory.dmp
memory/5164-648-0x00007FFDDD440000-0x00007FFDDD44A000-memory.dmp
memory/5164-647-0x00007FFDD0AB0000-0x00007FFDD0AF2000-memory.dmp
memory/5164-646-0x00007FFDD0B00000-0x00007FFDD0B2B000-memory.dmp
memory/5164-644-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp
memory/5164-643-0x00007FFDE3270000-0x00007FFDE327D000-memory.dmp
memory/5164-642-0x00007FFDE4030000-0x00007FFDE403D000-memory.dmp
memory/5164-641-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp
memory/5164-640-0x00007FFDD0C20000-0x00007FFDD0C54000-memory.dmp
memory/5164-639-0x00007FFDD0C60000-0x00007FFDD0C8D000-memory.dmp
memory/5164-638-0x00007FFDDA750000-0x00007FFDDA769000-memory.dmp
memory/5164-637-0x00007FFDE7960000-0x00007FFDE796F000-memory.dmp
memory/5164-636-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp
memory/5164-661-0x00007FFDD00A0000-0x00007FFDD00B7000-memory.dmp
memory/5164-660-0x00007FFDD0240000-0x00007FFDD0278000-memory.dmp
memory/5164-659-0x00007FFDD0280000-0x00007FFDD03F1000-memory.dmp
memory/5164-635-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp
memory/5164-667-0x00007FFDD0030000-0x00007FFDD007C000-memory.dmp
memory/5164-666-0x00007FFDD0080000-0x00007FFDD0099000-memory.dmp
memory/5164-665-0x00007FFDD00C0000-0x00007FFDD00E2000-memory.dmp
memory/5164-664-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp
memory/5164-663-0x00007FFDD0110000-0x00007FFDD0120000-memory.dmp
memory/5164-662-0x00007FFDD0120000-0x00007FFDD0135000-memory.dmp
memory/5164-658-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp
memory/5164-655-0x00007FFDD5270000-0x00007FFDD527B000-memory.dmp
memory/5164-654-0x00007FFDD0570000-0x00007FFDD0584000-memory.dmp
memory/5164-653-0x00007FFDD0590000-0x00007FFDD0617000-memory.dmp
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
| MD5 | 83841589e5e338a0e0ec3981e2e11544 |
| SHA1 | bb09f932fc2a6f3e05c191e42c13054bd59a73c4 |
| SHA256 | 5db9f22e80b4f0a84022c625064e913629527ae2703e5707c86da68eb1a9e31f |
| SHA512 | e7be03749c991a4742bc3f664bfe858fb68a93c4ad12e28560ec26c0162dfbf6efa0d8bf0ab3cc030fa5f29ddc4a15158807702a0c3a85b796a141ab5ebd1524 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
| MD5 | d8c53f02767efdfaf6b46cb9264b3fe2 |
| SHA1 | 927c7dd21b065dbff2ea32bb6176419e9b289187 |
| SHA256 | b44687568ae52eae17efacd5d80cda96b5e1ccb99effed95e602e5fd224fd692 |
| SHA512 | 2d8216d6875df043e30b4a6b20b3782b96565d1d527f672121241f3703a45eebebc7318471c0636c9cbd66abb5998e3a8ff92135c4e94f4ed662834405d2a1c2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
| MD5 | cf0c17b787c6e0f8aeb6adb18bd589c6 |
| SHA1 | 193cb6610fff0154ca8e94d551f69a39ff882709 |
| SHA256 | da48167ba2b9a2bb94d5de91c0cc0aec3924adb07846fd907e5c79d6b3a8b77e |
| SHA512 | b2ec7a1b24833d72a37ebabc9364aa60d92fb22268b82ba24aa218b25a065e483fa89a470e0bb599caa11a9d3241c778d8662e4617c7fd290f987f7b496430b2 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 6e1457dc9fb4d1210abe5a8ca0f26d9f |
| SHA1 | 2772e209ff8c9ab6846e4cb9ad847bbc97aab175 |
| SHA256 | 624c00b435752e0274ed819ebfd595c54183ca021c65f78726afe1ca1d8ac0fd |
| SHA512 | 394a9ae206a801ca24eabe5f38ae8ed5257a765c7a3731633fa4a79fe1cc4fab74c124a4916d0409d85eb3fd69cd096e13cc83027987ef310733a95ca0a08cc5 |
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
| MD5 | 20d485f2a3fe8ef6e985d22fab93f11c |
| SHA1 | 3462322044c2ec6dd24c8077253619d9d7830b77 |
| SHA256 | 61af76785f9a50025de2ca01fe94fe3e19223c1219b9b65aece1cb51a1bf76b5 |
| SHA512 | 3761144f61de6c7ae0e2055d6259bd8e8a5730182bca57f3d7dda992700db144817582388b52b7aec707f25f3b6d0024c9f3df16eebb94a0d8b49a3b8b8167f4 |