Malware Analysis Report

2024-11-30 13:04

Sample ID 240620-ed8z8s1grl
Target Pro Chair + Blocker.exe
SHA256 35539ea45b8981e7c44faf2cf2b4e92ed83863a1c6ee19c45a2ae41b65ecf003
Tags
evasion persistence privilege_escalation pyinstaller spyware stealer upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

35539ea45b8981e7c44faf2cf2b4e92ed83863a1c6ee19c45a2ae41b65ecf003

Threat Level: Known bad

The file Pro Chair + Blocker.exe was found to be: Known bad.

Malicious Activity Summary

evasion persistence privilege_escalation pyinstaller spyware stealer upx

Modifies visibility of hidden/system files in Explorer

Downloads MZ/PE file

Loads dropped DLL

Executes dropped EXE

Reads user/profile data of web browsers

UPX packed file

Looks up external IP address via web service

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Detects Pyinstaller

Unsigned PE

Event Triggered Execution: Netsh Helper DLL

Suspicious use of AdjustPrivilegeToken

Scheduled Task/Job: Scheduled Task

Suspicious use of FindShellTrayWindow

Enumerates system info in registry

Modifies registry key

Modifies data under HKEY_USERS

Suspicious use of SetWindowsHookEx

Suspicious use of SendNotifyMessage

Suspicious behavior: GetForegroundWindowSpam

Suspicious behavior: EnumeratesProcesses

Suspicious use of WriteProcessMemory

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 03:50

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 03:50

Reported

2024-06-20 03:53

Platform

win7-20240508-en

Max time kernel

150s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A

Scheduled Task/Job: Scheduled Task

persistence execution
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A
N/A N/A C:\Windows\SysWOW64\schtasks.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2060 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 
PID 2060 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 
PID 2060 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 
PID 2060 wrote to memory of 1144 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 
PID 2060 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2060 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2060 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 2060 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 3016 wrote to memory of 2592 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3016 wrote to memory of 2592 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3016 wrote to memory of 2592 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 3016 wrote to memory of 2592 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 2592 wrote to memory of 2680 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2592 wrote to memory of 2680 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2592 wrote to memory of 2680 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2592 wrote to memory of 2680 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 2680 wrote to memory of 2740 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2680 wrote to memory of 2740 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2680 wrote to memory of 2740 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2680 wrote to memory of 2740 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 2740 wrote to memory of 2996 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2740 wrote to memory of 2996 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2740 wrote to memory of 2996 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2740 wrote to memory of 2996 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 2592 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2592 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2592 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2592 wrote to memory of 2488 N/A \??\c:\windows\resources\themes\explorer.exe C:\Windows\Explorer.exe
PID 2740 wrote to memory of 2564 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 2564 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 2564 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 2564 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 1144 wrote to memory of 2588 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 2588 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 2588 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 2588 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2588 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2588 wrote to memory of 2820 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 2588 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2588 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2588 wrote to memory of 2812 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2588 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2588 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 2588 wrote to memory of 2932 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1144 wrote to memory of 2132 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 2132 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 1144 wrote to memory of 2132 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 2740 wrote to memory of 1340 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1340 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1340 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1340 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1768 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1768 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1768 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe
PID 2740 wrote to memory of 1768 N/A \??\c:\windows\resources\svchost.exe C:\Windows\SysWOW64\schtasks.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe

"C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe"

\??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 

"c:\users\admin\appdata\local\temp\pro chair + blocker.exe "

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\Explorer.exe

C:\Windows\Explorer.exe

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:52 /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:53 /f

C:\Windows\SysWOW64\schtasks.exe

schtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 03:54 /f

Network

Country Destination Domain Proto
US 8.8.8.8:53 keyauth.win udp
US 104.26.1.5:443 keyauth.win tcp
US 8.8.8.8:53 apps.identrust.com udp
NL 23.63.101.171:80 apps.identrust.com tcp
US 8.8.8.8:53 x2.c.lencr.org udp
BE 23.55.97.11:80 x2.c.lencr.org tcp
N/A 127.0.0.1:49264 tcp
N/A 127.0.0.1:49266 tcp

Files

memory/2060-0-0x0000000000400000-0x000000000041F000-memory.dmp

\Users\Admin\AppData\Local\Temp\pro chair + blocker.exe 

MD5 0e2c1ee8e6bdb339094ec24026a01e20
SHA1 449972cb63e21bf25d03ad1e85cf87af97c75a2e
SHA256 ffe104f44b6a84074e2305fba55c1cb777446d1dace44c23eaf873536dcc542f
SHA512 c0a71a9d796802bdf7110c8f69ebdaeb9c968df69b41a8bc1ff52f3a4082f40df93085ec278863acc93763ca11114b4eac5278db136540be0bea67aa93c607c5

\Windows\Resources\Themes\icsys.icn.exe

MD5 15a0dce7203a773f9e27405c6e7ec5ae
SHA1 bfd02c9f6c4dafe7fe2c8fd4bc51f8f9a9f84aff
SHA256 92eab4d199a1e592b38ba7c06ebcd8314f9532613fbb8dea53b674e69d10a389
SHA512 ba4fd5801fd01b42baf3bedc3c4a8e6b46354f43d6c30432b2fde075cf210f2436937243f13d4d78e3974eabd18d5a450e0382c2b5332cf9e7604916489399a1

C:\Windows\Resources\Themes\explorer.exe

MD5 b456f2d9bd6e2810b171316ced69a114
SHA1 7796e4e6785e61f86d3fc591708d030a75c93f9b
SHA256 c29b5443ad6004d3e1488acfcb45871d0975861a2561c597db0cf9d06e0c46f2
SHA512 e8461540bad9539011ece330f34c95b51380e76130327a1cfe9522bfd5e67ae93c847ed19932e221211658068f73c160f2e1def01945cbbb990d64d5f29383c2

memory/3016-24-0x00000000003A0000-0x00000000003BF000-memory.dmp

C:\Windows\Resources\spoolsv.exe

MD5 1d0625bd2b12cc0e45928a4a6f9dd0f1
SHA1 954a3e7c9205bcb7bf3020cfc89c5942f4b644ef
SHA256 e84e07653af848c6a33d4355b1ddbeee5f1ce3d34e56886578a608075bfc1805
SHA512 40ed19df7b8abbe5743e23090573746cd46d96da56df3dd9563acd2bb719789b35453a4e2fefc87da1bb6450d3d83d3cb9e083ca1ae0fbcf38a407f8fe62b53d

memory/2592-34-0x0000000002280000-0x000000000229F000-memory.dmp

memory/2680-42-0x0000000000400000-0x000000000041F000-memory.dmp

\??\c:\windows\resources\svchost.exe

MD5 191fd21dddb144336fb54be1726eba03
SHA1 9bd19a0b3ee3673e7ee55d24daca9bdfc7cc4d67
SHA256 b655ac67e95bf021986819168c1db410ebfc9976bd310045cfff7b0d8063f8d1
SHA512 816e1a96dc5b8625aa4a55a8f1d1a2db17d95c4f4e25a3efd09f5c17a05ae39c9962d2ab52ab9a800024993d79729d63716696a86c5e27eb7385318d4ee1b0a4

memory/2740-54-0x00000000002B0000-0x00000000002CF000-memory.dmp

memory/2740-50-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2060-61-0x0000000000400000-0x000000000041F000-memory.dmp

memory/3016-60-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2996-59-0x0000000000400000-0x000000000041F000-memory.dmp

memory/2680-46-0x00000000003D0000-0x00000000003EF000-memory.dmp

memory/1144-72-0x000000013FAA0000-0x0000000140478000-memory.dmp

memory/1144-68-0x000000013FB38000-0x000000013FED9000-memory.dmp

memory/1144-66-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/1144-64-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/1144-62-0x00000000777D0000-0x00000000777D2000-memory.dmp

memory/1144-74-0x000000013FB38000-0x000000013FED9000-memory.dmp

memory/1144-75-0x000000013FAA0000-0x0000000140478000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 03:50

Reported

2024-06-20 03:53

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe"

Signatures

Modifies visibility of hidden/system files in Explorer

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0" \??\c:\windows\resources\svchost.exe N/A

Downloads MZ/PE file

Loads dropped DLL

Description Indicator Process Target
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A
N/A N/A \??\c:\users\admin\downloads\demonware.exe  N/A

Reads user/profile data of web browsers

spyware stealer

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\themes\explorer.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\resources\\themes\\explorer.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\resources\\svchost.exe RO" \??\c:\windows\resources\svchost.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\empyrean = "C:\\Users\\Admin\\AppData\\Roaming\\empyrean\\run.bat" C:\Windows\system32\reg.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A discord.com N/A N/A
N/A raw.githubusercontent.com N/A N/A
N/A raw.githubusercontent.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A
N/A ipapi.co N/A N/A

Drops file in System32 directory

Description Indicator Process Target
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\SysWOW64\explorer.exe \??\c:\windows\resources\svchost.exe N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  N/A
N/A N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  N/A

Drops file in Windows directory

Description Indicator Process Target
File opened for modification C:\Windows\Resources\tjud.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
File opened for modification \??\c:\windows\resources\themes\explorer.exe C:\Windows\Resources\Themes\icsys.icn.exe N/A
File opened for modification \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\themes\explorer.exe N/A
File opened for modification \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe N/A
File opened for modification C:\Windows\Resources\Themes\icsys.icn.exe C:\Users\Admin\Downloads\DemonWare.exe N/A

Detects Pyinstaller

pyinstaller
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133633290589254735" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry key

Description Indicator Process Target
N/A N/A C:\Windows\system32\reg.exe N/A
N/A N/A C:\Windows\system32\reg.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A
N/A N/A C:\Windows\Resources\Themes\icsys.icn.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A \??\c:\windows\resources\themes\explorer.exe N/A
N/A N/A \??\c:\windows\resources\svchost.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 208 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 
PID 208 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 
PID 208 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 208 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 208 wrote to memory of 1408 N/A C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe C:\Windows\Resources\Themes\icsys.icn.exe
PID 1408 wrote to memory of 1852 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1408 wrote to memory of 1852 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1408 wrote to memory of 1852 N/A C:\Windows\Resources\Themes\icsys.icn.exe \??\c:\windows\resources\themes\explorer.exe
PID 1852 wrote to memory of 4668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1852 wrote to memory of 4668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 1852 wrote to memory of 4668 N/A \??\c:\windows\resources\themes\explorer.exe \??\c:\windows\resources\spoolsv.exe
PID 4668 wrote to memory of 1668 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4668 wrote to memory of 1668 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 4668 wrote to memory of 1668 N/A \??\c:\windows\resources\spoolsv.exe \??\c:\windows\resources\svchost.exe
PID 1668 wrote to memory of 1148 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1668 wrote to memory of 1148 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1668 wrote to memory of 1148 N/A \??\c:\windows\resources\svchost.exe \??\c:\windows\resources\spoolsv.exe
PID 1856 wrote to memory of 4068 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 1856 wrote to memory of 4068 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 4068 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4068 wrote to memory of 3996 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\certutil.exe
PID 4068 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4068 wrote to memory of 3156 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4068 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 4068 wrote to memory of 4680 N/A C:\Windows\system32\cmd.exe C:\Windows\system32\find.exe
PID 1856 wrote to memory of 1268 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 1856 wrote to memory of 1268 N/A \??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe  C:\Windows\system32\cmd.exe
PID 4772 wrote to memory of 2052 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 2052 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 5012 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 4316 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 4316 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 4772 wrote to memory of 3532 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe

"C:\Users\Admin\AppData\Local\Temp\Pro Chair + Blocker.exe"

\??\c:\users\admin\appdata\local\temp\pro chair + blocker.exe 

"c:\users\admin\appdata\local\temp\pro chair + blocker.exe "

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe SE

\??\c:\windows\resources\svchost.exe

c:\windows\resources\svchost.exe

\??\c:\windows\resources\spoolsv.exe

c:\windows\resources\spoolsv.exe PR

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5 | find /i /v "md5" | find /i /v "certutil"

C:\Windows\system32\certutil.exe

certutil -hashfile "c:\users\admin\appdata\local\temp\pro chair + blocker.exe " MD5

C:\Windows\system32\find.exe

find /i /v "md5"

C:\Windows\system32\find.exe

find /i /v "certutil"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c CLS

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4332,i,15721081447618313297,6839074028983272033,262144 --variations-seed-version --mojo-platform-channel-handle=3976 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ffdd4baab58,0x7ffdd4baab68,0x7ffdd4baab78

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1756 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2172 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2284 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2968 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2976 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4260 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4416 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4456 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3544 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4408 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4408 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3908 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=4544 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=3056 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4396 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4972 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5036 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5032 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5204 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5224 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Users\Admin\Downloads\DemonWare.exe

"C:\Users\Admin\Downloads\DemonWare.exe"

\??\c:\users\admin\downloads\demonware.exe 

c:\users\admin\downloads\demonware.exe 

\??\c:\users\admin\downloads\demonware.exe 

c:\users\admin\downloads\demonware.exe 

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "ver"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f"

C:\Windows\system32\reg.exe

reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f"

C:\Windows\system32\reg.exe

reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v empyrean /t REG_SZ /d C:\Users\Admin\AppData\Roaming\empyrean\run.bat /f

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Windows\System32\wbem\WMIC.exe csproduct get uuid"

C:\Windows\System32\wbem\WMIC.exe

C:\Windows\System32\wbem\WMIC.exe csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\Resources\Themes\icsys.icn.exe

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

\??\c:\windows\resources\themes\explorer.exe

c:\windows\resources\themes\explorer.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3192 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=4756 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5304 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5436 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:8

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profiles"

C:\Windows\system32\netsh.exe

netsh wlan show profiles

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1900 --field-trial-handle=1896,i,1856390896895318722,13417046139738589072,131072 /prefetch:2

Network

Country Destination           Domain                           Proto
US      8.8.8.8:53            8.8.8.8.in-addr.arpa             udp
US      8.8.8.8:53            149.220.183.52.in-addr.arpa      udp
US      8.8.8.8:53            240.221.184.93.in-addr.arpa      udp
US      8.8.8.8:53            keyauth.win                      udp
US      104.26.1.5:443        keyauth.win                      tcp
US      8.8.8.8:53            x2.c.lencr.org                   udp
BE      23.55.97.11:80        x2.c.lencr.org                   tcp
US      8.8.8.8:53            5.1.26.104.in-addr.arpa          udp
US      8.8.8.8:53            11.97.55.23.in-addr.arpa         udp
US      8.8.8.8:53            71.31.126.40.in-addr.arpa        udp
N/A     127.0.0.1:49861                                        tcp
N/A     127.0.0.1:49863                                        tcp
US      8.8.8.8:53            www.google.com                   udp
GB      142.250.187.196:443   www.google.com                   tcp
GB      142.250.187.196:443   www.google.com                   udp
US      8.8.8.8:53            234.187.250.142.in-addr.arpa     udp
US      8.8.8.8:53            195.187.250.142.in-addr.arpa     udp
US      8.8.8.8:53            196.187.250.142.in-addr.arpa     udp
US      8.8.8.8:53            apis.google.com                  udp
GB      142.250.200.14:443    apis.google.com                  tcp
US      8.8.8.8:53            195.212.58.216.in-addr.arpa      udp
US      8.8.8.8:53            play.google.com                  udp
GB      142.250.179.238:443   play.google.com                  tcp
US      8.8.8.8:53            238.179.250.142.in-addr.arpa     udp
US      8.8.8.8:53            clients2.google.com              udp
GB      142.250.187.238:443   clients2.google.com              tcp
N/A     224.0.0.251:5353                                       udp
US      8.8.8.8:53            209.205.72.20.in-addr.arpa       udp
US      8.8.8.8:53            238.187.250.142.in-addr.arpa     udp
US      8.8.8.8:53            gofile.io                        udp
FR      151.80.29.83:443      gofile.io                        tcp
FR      151.80.29.83:443      gofile.io                        tcp
US      8.8.8.8:53            83.29.80.151.in-addr.arpa        udp
US      8.8.8.8:53            api.gofile.io                    udp
FR      151.80.29.83:443      api.gofile.io                    tcp
US      8.8.8.8:53            s.gofile.io                      udp
FR      51.75.242.210:443     s.gofile.io                      tcp
FR      51.75.242.210:443     s.gofile.io                      tcp
US      8.8.8.8:53            content-autofill.googleapis.com  udp
GB      172.217.169.10:443    content-autofill.googleapis.com  tcp
US      8.8.8.8:53            210.242.75.51.in-addr.arpa       udp
US      8.8.8.8:53            10.169.217.172.in-addr.arpa      udp
US      8.8.8.8:53            26.165.165.52.in-addr.arpa       udp
US      8.8.8.8:53            18.31.95.13.in-addr.arpa         udp
US      8.8.8.8:53            store9.gofile.io                 udp
US      206.168.190.239:443   store9.gofile.io                 tcp
US      206.168.190.239:443   store9.gofile.io                 tcp
US      8.8.8.8:53            92.12.20.2.in-addr.arpa          udp
US      8.8.8.8:53            239.190.168.206.in-addr.arpa     udp
US      8.8.8.8:53            ipapi.co                         udp
US      104.26.9.44:443       ipapi.co                         tcp
US      8.8.8.8:53            discord.com                      udp
US      162.159.135.232:443   discord.com                      tcp
US      8.8.8.8:53            44.9.26.104.in-addr.arpa         udp
US      8.8.8.8:53            232.135.159.162.in-addr.arpa     udp
US      8.8.8.8:53            raw.githubusercontent.com        udp
US      185.199.110.133:443   raw.githubusercontent.com        tcp
US      8.8.8.8:53            133.110.199.185.in-addr.arpa     udp
US      8.8.8.8:53            www.cloudflare.com               udp
US      104.16.124.96:443     www.cloudflare.com               tcp
US      104.26.9.44:443       ipapi.co                         tcp
US      104.16.124.96:443     www.cloudflare.com               tcp
US      104.26.9.44:443       ipapi.co                         tcp
US      8.8.8.8:53            96.124.16.104.in-addr.arpa       udp
US      104.16.124.96:443     www.cloudflare.com               tcp
US      104.26.9.44:443       ipapi.co                         tcp
GB      142.250.187.196:443   www.google.com                   udp
US      162.159.135.232:443   discord.com                      tcp
GB      142.250.179.238:443   play.google.com                  udp
US      8.8.8.8:53            14.227.111.52.in-addr.arpa       udp
US      8.8.8.8:53            82.90.14.23.in-addr.arpa         udp
US      8.8.8.8:53            beacons.gcp.gvt2.com             udp
GB      172.217.169.67:443    beacons.gcp.gvt2.com             tcp
GB      172.217.169.67:443    beacons.gcp.gvt2.com             tcp
US      8.8.8.8:53            67.169.217.172.in-addr.arpa      udp

Files

memory/208-0-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\pro chair + blocker.exe 

MD5 0e2c1ee8e6bdb339094ec24026a01e20
SHA1 449972cb63e21bf25d03ad1e85cf87af97c75a2e
SHA256 ffe104f44b6a84074e2305fba55c1cb777446d1dace44c23eaf873536dcc542f
SHA512 c0a71a9d796802bdf7110c8f69ebdaeb9c968df69b41a8bc1ff52f3a4082f40df93085ec278863acc93763ca11114b4eac5278db136540be0bea67aa93c607c5

C:\Windows\Resources\Themes\icsys.icn.exe

MD5 15a0dce7203a773f9e27405c6e7ec5ae
SHA1 bfd02c9f6c4dafe7fe2c8fd4bc51f8f9a9f84aff
SHA256 92eab4d199a1e592b38ba7c06ebcd8314f9532613fbb8dea53b674e69d10a389
SHA512 ba4fd5801fd01b42baf3bedc3c4a8e6b46354f43d6c30432b2fde075cf210f2436937243f13d4d78e3974eabd18d5a450e0382c2b5332cf9e7604916489399a1

memory/1408-11-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\Themes\explorer.exe

MD5 23996ca3c46de6ed978503bbef62fe49
SHA1 ea4b499bf8ed6a5a40bca62d641a72b526d1f1ad
SHA256 76a90cfb5400bf5ae5623ee7c29bdd916c269b7c217803c961d4bc9a05b92ea3
SHA512 720b9a6ab2a96afdfc4278cddf8ca80c58094c33b6068d214f53f97363e428825065c77e48351a52de3a53e6654681c3d8a08a07645371d691b34e3480241b32

\??\c:\windows\resources\spoolsv.exe

MD5 552e16a19b63c277d79e660f005796b8
SHA1 9f71bd61821ea467d3bf7c1fed38a346bca21acd
SHA256 77adf4ec4cc79c5dbb5f9a5bcbf0a2e26996f7c14054075cb16136dab2072699
SHA512 2b59db928ab460762f4367d313baf2eb2abcd7362001fb2b7c64c7334b9c9e79d15cc10763576178d9dbe1cb0a55a43c0dd4d20749edb73af1ddcf205c76e581

memory/4668-31-0x0000000000400000-0x000000000041F000-memory.dmp

C:\Windows\Resources\svchost.exe

MD5 290c8a025be90f63cc17f5f4fec07fc2
SHA1 40848d8519c1aac331c19a78474706a3fceb60e0
SHA256 b223b8324a5c3c43cb73bbc9bd6c68ef18d93cbd076c9a7cb449ab9812a2ef38
SHA512 cca1d67de4e93f42046e5637a4e94297e7c328561ffe68f15d09b304f373285530c85d79371756627741ba94e7383e4f519623aa7ba9f13478a609ea086a8340

memory/1148-44-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1148-46-0x0000000000400000-0x000000000041F000-memory.dmp

memory/4668-47-0x0000000000400000-0x000000000041F000-memory.dmp

memory/208-49-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1408-48-0x0000000000400000-0x000000000041F000-memory.dmp

memory/1856-52-0x00007FF647810000-0x00007FF6481E8000-memory.dmp

memory/1856-51-0x00007FFDF26F0000-0x00007FFDF26F2000-memory.dmp

memory/1856-50-0x00007FF6478A8000-0x00007FF647C49000-memory.dmp

memory/1856-56-0x00007FF6478A8000-0x00007FF647C49000-memory.dmp

memory/1856-57-0x00007FF647810000-0x00007FF6481E8000-memory.dmp

\??\pipe\crashpad_4772_UESYVCLFHNANFRAG

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

MD5 d751713988987e9331980363e24189ce
SHA1 97d170e1550eee4afc0af065b78cda302a97674c
SHA256 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
SHA512 b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 41e7f2e8ff15454cf9935f1b3818dbd6
SHA1 f52f1f007ed432b6f3cf79bff3d246397a2ed163
SHA256 67d0a15705fb94cddb54226a7e26c10445765e24e9f7b7dbab81ee9dfd583ed7
SHA512 0c0e142b392c246b2bc1f4ab6cc7b29d3560fd22bdb0066ab0ebaec3a6fd09a27e1128e2a1e070234990a8aa503ad3eb8aa408789758220ada761770c7fdf09c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 6835653a437db4074509b6b903e8ad42
SHA1 ba4a51247e3466184c0cecffb4e0aef7f37e379a
SHA256 1bc75a97e2fd3ca666fee5e40ce73a5653dc68b641b2702158afaffaf23702f9
SHA512 71dc127f4a88e80813e6ac40542ec79779c13b1d7d4257ee6722dd4c6f136b4aeb79d7c8604fbf40bdf589e6350222333c71c0465d7c218cfe46f11d8349cf36

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 2aa2c941cf45ae1ca40d75fef8dabc04
SHA1 28636fb5bda311afb3e279ea180faecb9d0761d9
SHA256 4bec46ffd319a6502d6480a02b93c73945402a4af4d0c22f2f1b432420be8013
SHA512 d1f40132aa634fb2cfb4f929f87c9a2d626b805e4fcef812ef57741d9bfb46ec4ef9384680f55280a8274fa2f4d9a9ccc3b630dacb0a9b312a5a90c6565b05e9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

MD5 38f164ccabf170ae66f8d88fdaa0c14a
SHA1 6c8f5d622ded714735282d5e24fb1822d8b6fe5f
SHA256 45c2c84c93c0e641a6bbe230d36983952002b5361c73da929bdfc9bbaa586cd2
SHA512 9837ad1f77c344ea1a318e2210b36e945ad482d5a15bdca16524b9b252d9a2793ce818bbda2399ebd4229b70c4f74b3874aa33fa5622f3ad635679d00bf6b73b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 ab6ae98ff98606697e1f51236c96abe9
SHA1 4d5481453ad4b3ab7026a1c9eccb9e5ea30dd216
SHA256 292c1a4308931b9a9ba9b9e2252c3f6d488695d6f8a8a7d415957b03372a552a
SHA512 bc8ea22e2c59f1f86683cfeda42747c135f31c3d89918917860317b983af48b2f84e04dcc198569f9a083fcdc806a8f75490555094a6d1e0325153bb50ff6860

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 61bd063a9acc787680e3d1bbe04901c4
SHA1 643fa614610409defe666fd698836821b648cca5
SHA256 029ab24cbf45160774940f817f76e46b540b7c595377ee80a728aa83e72a2b58
SHA512 1295e6ec11750c818c026985913c55cac270e8f40a5835b76cecc8885392a65a4ef2be671c5fcb13106e3e6a1a20f65d9b5769126a21b461e5e292190fc45621

C:\Users\Admin\Downloads\DemonWare.exe

MD5 40f76deda9228388017c91aca9621de5
SHA1 f45e55b76725263883a9e40cefcd3a9d88ab89c0
SHA256 0359e89e0cff0d5537c3e4cf032b1e66f2f49b969a20737563e6ba72d06f1512
SHA512 1ad3ee7759aea345f29352ee29fa68193a0c2234b9e92f59f060b7361d6f2ac6cf89f6522c8772f67794a8ef3622cace5152a062630c5627010fe2412f6c345d

memory/5468-200-0x0000000000400000-0x000000000045D000-memory.dmp

C:\Users\Admin\Downloads\demonware.exe 

MD5 46baf83fb95e22e34ae73658e40583fd
SHA1 8b5c3072ede486f392dbe9d1d08326d6baa1c851
SHA256 bccca4526fc6c918057f568611a258a665c7184e808f49c1d792f67bdbb6adc0
SHA512 f9f7f80a0abeb5ebfa4d5154af17101a01bc558b2f646ccf5e72759cdcafe4a8a6a75c50af7a5d5be36e1ba46cad25634ab526e420718007c1704140e852c781

C:\Users\Admin\AppData\Local\Temp\_MEI50922\python310.dll

MD5 69d4f13fbaeee9b551c2d9a4a94d4458
SHA1 69540d8dfc0ee299a7ff6585018c7db0662aa629
SHA256 801317463bd116e603878c7c106093ba7db2bece11e691793e93065223fc7046
SHA512 8e632f141daf44bc470f8ee677c6f0fdcbcacbfce1472d928576bf7b9f91d6b76639d18e386d5e1c97e538a8fe19dd2d22ea47ae1acf138a0925e3c6dd156378

C:\Users\Admin\AppData\Local\Temp\_MEI50922\VCRUNTIME140.dll

MD5 870fea4e961e2fbd00110d3783e529be
SHA1 a948e65c6f73d7da4ffde4e8533c098a00cc7311
SHA256 76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644
SHA512 0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

C:\Users\Admin\AppData\Local\Temp\_MEI50922\ucrtbase.dll

MD5 0e0bac3d1dcc1833eae4e3e4cf83c4ef
SHA1 4189f4459c54e69c6d3155a82524bda7549a75a6
SHA256 8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae
SHA512 a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

C:\Users\Admin\AppData\Local\Temp\_MEI50922\setuptools-65.5.0.dist-info\INSTALLER

MD5 365c9bfeb7d89244f2ce01c1de44cb85
SHA1 d7a03141d5d6b1e88b6b59ef08b6681df212c599
SHA256 ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508
SHA512 d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

memory/5164-399-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50922\base_library.zip

MD5 524a85217dc9edc8c9efc73159ca955d
SHA1 a4238cbde50443262d00a843ffe814435fb0f4e2
SHA256 808549964adb09afafb410cdc030df4813c5c2a7276a94e7f116103af5de7621
SHA512 f5a929b35a63f073bdc7600155ba2f0f262e6f60cf67efb38fa44e8b3be085cf1d5741d66d25a1ecaaf3f94abfe9bbe97d135f8a47c11f2b811d2aac6876f46c

C:\Users\Admin\AppData\Local\Temp\_MEI50922\python3.DLL

MD5 c17b7a4b853827f538576f4c3521c653
SHA1 6115047d02fbbad4ff32afb4ebd439f5d529485a
SHA256 d21e60f3dfbf2bab0cc8a06656721fa3347f026df10297674fc635ebf9559a68
SHA512 8e08e702d69df6840781d174c4565e14a28022b40f650fda88d60172be2d4ffd96a3e9426d20718c54072ca0da27e0455cc0394c098b75e062a27559234a3df7

C:\Users\Admin\AppData\Local\Temp\_MEI50922\_ctypes.pyd

MD5 6ca9a99c75a0b7b6a22681aa8e5ad77b
SHA1 dd1118b7d77be6bb33b81da65f6b5dc153a4b1e8
SHA256 d39390552c55d8fd4940864905cd4437bc3f8efe7ff3ca220543b2c0efab04f8
SHA512 b0b5f2979747d2f6796d415dd300848f32b4e79ede59827ac447af0f4ea8709b60d6935d09e579299b3bc54b6c0f10972f17f6c0d1759c5388ad5b14689a23fe

memory/5164-409-0x00007FFDE7960000-0x00007FFDE796F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50922\_bz2.pyd

MD5 758fff1d194a7ac7a1e3d98bcf143a44
SHA1 de1c61a8e1fb90666340f8b0a34e4d8bfc56da07
SHA256 f5e913a9f2adf7d599ea9bb105e144ba11699bbcb1514e73edcf7e062354e708
SHA512 468d7c52f14812d5bde1e505c95cb630e22d71282bda05bf66324f31560bfa06095cf60fc0d34877f8b361ccd65a1b61d0fd1f91d52facb0baf8e74f3fed31cc

C:\Users\Admin\AppData\Local\Temp\_MEI50922\pyexpat.pyd

MD5 5a328b011fa748939264318a433297e2
SHA1 d46dd2be7c452e5b6525e88a2d29179f4c07de65
SHA256 e8a81b47029e8500e0f4e04ccf81f8bdf23a599a2b5cd627095678cdf2fabc14
SHA512 06fa8262378634a42f5ab8c1e5f6716202544c8b304de327a08aa20c8f888114746f69b725ed3088d975d09094df7c3a37338a93983b957723aa2b7fda597f87

memory/5164-418-0x00007FFDD0C20000-0x00007FFDD0C54000-memory.dmp

memory/5164-415-0x00007FFDD0C60000-0x00007FFDD0C8D000-memory.dmp

memory/5164-414-0x00007FFDDA750000-0x00007FFDDA769000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50922\_lzma.pyd

MD5 abceeceaeff3798b5b0de412af610f58
SHA1 c3c94c120b5bed8bccf8104d933e96ac6e42ca90
SHA256 216aa4bb6f62dd250fd6d2dcde14709aa82e320b946a21edeec7344ed6c2c62e
SHA512 3e1a2eb86605aa851a0c5153f7be399f6259ecaad86dbcbf12eeae5f985dc2ea2ab25683285e02b787a5b75f7df70b4182ae8f1567946f99ad2ec7b27d4c7955

C:\Users\Admin\AppData\Local\Temp\_MEI50922\select.pyd

MD5 72009cde5945de0673a11efb521c8ccd
SHA1 bddb47ac13c6302a871a53ba303001837939f837
SHA256 5aaa15868421a46461156e7817a69eeeb10b29c1e826a9155b5f8854facf3dca
SHA512 d00a42700c9201f23a44fd9407fea7ea9df1014c976133f33ff711150727bf160941373d53f3a973f7dd6ca7b5502e178c2b88ea1815ca8bce1a239ed5d8256d

C:\Users\Admin\AppData\Local\Temp\_MEI50922\VCRUNTIME140_1.dll

MD5 bba9680bc310d8d25e97b12463196c92
SHA1 9a480c0cf9d377a4caedd4ea60e90fa79001f03a
SHA256 e0b66601cc28ecb171c3d4b7ac690c667f47da6b6183bff80604c84c00d265ab
SHA512 1575c786ac3324b17057255488da5f0bc13ad943ac9383656baf98db64d4ec6e453230de4cd26b535ce7e8b7d41a9f2d3f569a0eff5a84aeb1c2f9d6e3429739

memory/5164-431-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50922\pywintypes310.dll

MD5 6f2aa8fa02f59671f99083f9cef12cda
SHA1 9fd0716bcde6ac01cd916be28aa4297c5d4791cd
SHA256 1a15d98d4f9622fa81b60876a5f359707a88fbbbae3ae4e0c799192c378ef8c6
SHA512 f5d5112e63307068cdb1d0670fe24b65a9f4942a39416f537bdbc17dedfd99963861bf0f4e94299cdce874816f27b3d86c4bebb889c3162c666d5ee92229c211

memory/5164-435-0x00007FFDD0B00000-0x00007FFDD0B2B000-memory.dmp

memory/5164-434-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp

memory/5164-433-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp

memory/5164-432-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp

memory/5164-427-0x00007FFDE3270000-0x00007FFDE327D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50922\_queue.pyd

MD5 0d267bb65918b55839a9400b0fb11aa2
SHA1 54e66a14bea8ae551ab6f8f48d81560b2add1afc
SHA256 13ee41980b7d0fb9ce07f8e41ee6a309e69a30bbf5b801942f41cbc357d59e9c
SHA512 c2375f46a98e44f54e2dd0a5cc5f016098500090bb78de520dc5e05aef8e6f11405d8f6964850a03060caed3628d0a6303091cba1f28a0aa9b3b814217d71e56

memory/5164-424-0x00007FFDE4030000-0x00007FFDE403D000-memory.dmp

memory/5164-421-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI50922\_socket.pyd

MD5 afd296823375e106c4b1ac8b39927f8b
SHA1 b05d811e5a5921d5b5cc90b9e4763fd63783587b
SHA256 e423a7c2ce5825dfdd41cfc99c049ff92abfb2aa394c85d0a9a11de7f8673007
SHA512 95e98a24be9e603b2870b787349e2aa7734014ac088c691063e4078e11a04898c9c547d6998224b1b171fc4802039c3078a28c7e81d59f6497f2f9230d8c9369

C:\Users\Admin\AppData\Local\Temp\_MEI50922\libffi-7.dll

MD5 b5150b41ca910f212a1dd236832eb472
SHA1 a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

memory/5164-438-0x00007FFDD0AB0000-0x00007FFDD0AF2000-memory.dmp

memory/5164-407-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp

memory/5164-439-0x00007FFDDD440000-0x00007FFDDD44A000-memory.dmp

memory/5164-441-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp

memory/5164-440-0x00007FFDD0A90000-0x00007FFDD0AAC000-memory.dmp

memory/5164-443-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp

memory/5164-444-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp

memory/5164-442-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp

memory/5164-445-0x000002315B600000-0x000002315B975000-memory.dmp

memory/5164-446-0x00007FFDD0590000-0x00007FFDD0617000-memory.dmp

memory/5164-447-0x00007FFDD0570000-0x00007FFDD0584000-memory.dmp

memory/5164-450-0x00007FFDD0540000-0x00007FFDD0566000-memory.dmp

memory/5164-452-0x00007FFDD0420000-0x00007FFDD0538000-memory.dmp

memory/5164-451-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp

memory/5164-449-0x00007FFDD5270000-0x00007FFDD527B000-memory.dmp

memory/5164-448-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp

memory/5164-454-0x00007FFDD0280000-0x00007FFDD03F1000-memory.dmp

memory/5164-453-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp

memory/5164-457-0x00007FFDD4730000-0x00007FFDD473B000-memory.dmp

memory/5164-461-0x00007FFDD0220000-0x00007FFDD022C000-memory.dmp

memory/5164-462-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp

memory/5164-460-0x00007FFDD0230000-0x00007FFDD023B000-memory.dmp

memory/5164-471-0x00007FFDD0180000-0x00007FFDD018C000-memory.dmp

memory/5164-470-0x00007FFDD0190000-0x00007FFDD019C000-memory.dmp

memory/5164-469-0x00007FFDD01A0000-0x00007FFDD01AB000-memory.dmp

memory/5164-473-0x00007FFDD0200000-0x00007FFDD020C000-memory.dmp

memory/5164-472-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp

memory/5164-468-0x00007FFDD01B0000-0x00007FFDD01BB000-memory.dmp

memory/5164-484-0x00007FFDD00A0000-0x00007FFDD00B7000-memory.dmp

memory/5164-483-0x00007FFDD0590000-0x00007FFDD0617000-memory.dmp

memory/5164-482-0x00007FFDD0140000-0x00007FFDD014C000-memory.dmp

memory/5164-481-0x00007FFDD0150000-0x00007FFDD0162000-memory.dmp

memory/5164-488-0x00007FFDCFFF0000-0x00007FFDD000E000-memory.dmp

memory/5164-487-0x00007FFDD0010000-0x00007FFDD0021000-memory.dmp

memory/5164-486-0x00007FFDD0030000-0x00007FFDD007C000-memory.dmp

memory/5164-485-0x00007FFDD0080000-0x00007FFDD0099000-memory.dmp

memory/5164-480-0x00007FFDD0170000-0x00007FFDD017D000-memory.dmp

memory/5164-479-0x00007FFDD00C0000-0x00007FFDD00E2000-memory.dmp

memory/5164-478-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp

memory/5164-490-0x00007FFDCFFC0000-0x00007FFDCFFE9000-memory.dmp

memory/5164-489-0x00007FFDD0540000-0x00007FFDD0566000-memory.dmp

memory/5164-477-0x00007FFDD0110000-0x00007FFDD0120000-memory.dmp

memory/5164-494-0x00007FFDCFD10000-0x00007FFDCFF62000-memory.dmp

memory/5164-493-0x00007FFDD0420000-0x00007FFDD0538000-memory.dmp

memory/5164-476-0x00007FFDD0120000-0x00007FFDD0135000-memory.dmp

memory/5164-475-0x00007FFDD01D0000-0x00007FFDD01DC000-memory.dmp

memory/5164-474-0x000002315B600000-0x000002315B975000-memory.dmp

memory/5164-467-0x00007FFDD01C0000-0x00007FFDD01CC000-memory.dmp

memory/5164-466-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp

memory/5164-465-0x00007FFDD01E0000-0x00007FFDD01EE000-memory.dmp

memory/5164-464-0x00007FFDD01F0000-0x00007FFDD01FD000-memory.dmp

memory/5164-463-0x00007FFDD0210000-0x00007FFDD021B000-memory.dmp

memory/5164-459-0x00007FFDD1C70000-0x00007FFDD1C7C000-memory.dmp

memory/5164-458-0x00007FFDD4480000-0x00007FFDD448B000-memory.dmp

memory/5164-456-0x00007FFDD0240000-0x00007FFDD0278000-memory.dmp

memory/5164-455-0x00007FFDD0AB0000-0x00007FFDD0AF2000-memory.dmp

C:\Users\Admin\Downloads\downloads_db

MD5 91216919ce8d405c33b6a5be36386f48
SHA1 4e82468eeb6f87083d05292b4f7c7ce105c0618f
SHA256 ec56be9c10b5aafd1a3b8f475e3f73bc7a88717aa6a1819f5bf7bae38c166aa6
SHA512 9dbb5c28f39de3499a2bf876613125d7f8d024ce3025ba6e1ec51d9b9b097ab1dbf345244b6cab0b8af80ff208583ccd5900e8878b163bec5d6a1466936ded9d

C:\Users\Admin\Downloads\vault\web_history.txt

MD5 cd4190a7fd3ff66967a44319f2f3a7b6
SHA1 0620e4072b5939fd504f4caffcb3f2e92cd59cc2
SHA256 b27b7bba460da337f64e1ff1edddc5252c5ca7a11cfaad780c76df5d09f6e290
SHA512 f6408dbbb483059ad1e8f0dfeedf0a938b687ed54361f6b104d7e3ec256f0c4cb44bce961dc87d6bd7bafa4cea586242b1479f2a37bb1fe31872718307abca65

C:\Users\Admin\Downloads\vault\downloads.txt

MD5 59f8673e0dde208af34aedbe8b392210
SHA1 62e731caee7e21203d2d68f6c5bf68bbb957ba1a
SHA256 f13946f88418d2ac49ae013f09f099d0657e06fcefc46a637440a4a4855c449d
SHA512 4157713ec3b1e02af626a9f1054ad7f46d1d6467639e402ef4c9ca8433c8bd397f41673f8579c884c57ce7396a0b2c4978cb9e5f4851bd9f5f595834ca5d5421

C:\Users\Admin\Downloads\vault\cookies.txt

MD5 e7787aadf8a18c9bc9c6028f145a63d4
SHA1 eb6e12b31bdc0de890779072288d42d602273e5d
SHA256 0c6787b1ff124f2992676207495def3282d4d876439bdf2fe012c34fccfba316
SHA512 864955798222d92ae980479b7af57c5282790b918ce7493345aabc5d6fdec605eeb289f8099639444590500409606da30113e09fbf4ce9b1cd2ac94156ece952

C:\Users\Admin\Downloads\downloads_db

MD5 99f9e1d0e6242010707fea4814c5d1cc
SHA1 611cd9346a29f73337cc984f18885c34454e2689
SHA256 82d690db648e3899eaef9c74b934da29980758295be66edde20716ce3e108074
SHA512 aefcd24d55be3c50585d9c1afcdb05702fdbe08572fbab25e6a48e6ced3239cb7760afc286e6ee16e0fe3d961a9251a19926a34ec3ca81211bd369405a9bbdd4

memory/5164-559-0x00007FFDD0280000-0x00007FFDD03F1000-memory.dmp

memory/5164-558-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 f40cf526aec16eaa700c46eb808358be
SHA1 1f89fb62d9c35dbf1b909d412a78cb0a16ed29a3
SHA256 20d7653a7408476d7ea9e17af61066e772225fb669e67bc162d8be3f096bffef
SHA512 832039e5e6aa30b8b93de429d465476ec7d60f6d3b78c50ca097dd1663dcd648821af2a7e8edb7af9bf61072fcecdf6d9a1b67d13a075be35907b0e8bc9d46ae

memory/5164-565-0x00007FFDD0240000-0x00007FFDD0278000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 e1c33030d1df8ad3c1c0a1e683906e3b
SHA1 971a6c3d5910bfb8a0239972f7ee4237465ade22
SHA256 da13df302b6229771813ef47731fdcbf07fd75805cc66186e6985299be69c476
SHA512 4128d88c40df5ee6c421d0d2cb8969ccfa35fa7d91d82a47132164e16d520e898944216c29d47a14333bde65abc2b97bfe9dcabb09752afc86f9e6dc3a593c2b

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 ed59706062291957a70c051e0ba647c7
SHA1 5370e90a6f83bf4a838575ab460137a2581e116f
SHA256 ffdb83ce3a632a77f22ca52263a0b2019b776a8fecd68714be48e11a27f9ffcb
SHA512 0e6013ebecab3e1f98aaadd474b437b120b3a4c6e4c1ded9ed5e663cd6385a725ad5180015a4b842bf85b555ae1898e9f753fabc0149860fddcf81932cb82406

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe58a0ee.TMP

MD5 aa785cfffcefa9f4cd413dfcdbf6ed06
SHA1 b4999d99af8012fe3b1caf701cdac1d9db0d5087
SHA256 b9653cdd13c2d17d201606ae2108b6d7fc0ff20894575117bfbc531c16cce7da
SHA512 bb6a9ec598ca7b393548e93844e2996441a36e2694f6069386553dcc792925bd8416cf35d75f8850a19904a072a4fc97631bc30eb50d2d7feb382a2ddc50525c

memory/5164-586-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp

memory/5164-608-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp

memory/5164-601-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp

memory/5164-600-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp

memory/5164-585-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp

memory/5164-602-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp

memory/5164-595-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp

memory/5164-594-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp

memory/5164-591-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp

memory/5680-615-0x0000000000400000-0x000000000041F000-memory.dmp

memory/5620-617-0x0000000000400000-0x000000000045D000-memory.dmp

memory/5468-616-0x0000000000400000-0x000000000045D000-memory.dmp

memory/5164-645-0x00007FFDD0B30000-0x00007FFDD0BEC000-memory.dmp

memory/5164-657-0x00007FFDD0420000-0x00007FFDD0538000-memory.dmp

memory/5164-656-0x00007FFDD0540000-0x00007FFDD0566000-memory.dmp

memory/5164-652-0x00007FFDD0620000-0x00007FFDD0995000-memory.dmp

memory/5164-651-0x00007FFDD09A0000-0x00007FFDD0A58000-memory.dmp

memory/5164-650-0x00007FFDD0A60000-0x00007FFDD0A8E000-memory.dmp

memory/5164-649-0x00007FFDD0A90000-0x00007FFDD0AAC000-memory.dmp

memory/5164-648-0x00007FFDDD440000-0x00007FFDDD44A000-memory.dmp

memory/5164-647-0x00007FFDD0AB0000-0x00007FFDD0AF2000-memory.dmp

memory/5164-646-0x00007FFDD0B00000-0x00007FFDD0B2B000-memory.dmp

memory/5164-644-0x00007FFDD0BF0000-0x00007FFDD0C1E000-memory.dmp

memory/5164-643-0x00007FFDE3270000-0x00007FFDE327D000-memory.dmp

memory/5164-642-0x00007FFDE4030000-0x00007FFDE403D000-memory.dmp

memory/5164-641-0x00007FFDDA730000-0x00007FFDDA749000-memory.dmp

memory/5164-640-0x00007FFDD0C20000-0x00007FFDD0C54000-memory.dmp

memory/5164-639-0x00007FFDD0C60000-0x00007FFDD0C8D000-memory.dmp

memory/5164-638-0x00007FFDDA750000-0x00007FFDDA769000-memory.dmp

memory/5164-637-0x00007FFDE7960000-0x00007FFDE796F000-memory.dmp

memory/5164-636-0x00007FFDDA770000-0x00007FFDDA794000-memory.dmp

memory/5164-661-0x00007FFDD00A0000-0x00007FFDD00B7000-memory.dmp

memory/5164-660-0x00007FFDD0240000-0x00007FFDD0278000-memory.dmp

memory/5164-659-0x00007FFDD0280000-0x00007FFDD03F1000-memory.dmp

memory/5164-635-0x00007FFDD0C90000-0x00007FFDD10FE000-memory.dmp

memory/5164-667-0x00007FFDD0030000-0x00007FFDD007C000-memory.dmp

memory/5164-666-0x00007FFDD0080000-0x00007FFDD0099000-memory.dmp

memory/5164-665-0x00007FFDD00C0000-0x00007FFDD00E2000-memory.dmp

memory/5164-664-0x00007FFDD00F0000-0x00007FFDD0104000-memory.dmp

memory/5164-663-0x00007FFDD0110000-0x00007FFDD0120000-memory.dmp

memory/5164-662-0x00007FFDD0120000-0x00007FFDD0135000-memory.dmp

memory/5164-658-0x00007FFDD0400000-0x00007FFDD041F000-memory.dmp

memory/5164-655-0x00007FFDD5270000-0x00007FFDD527B000-memory.dmp

memory/5164-654-0x00007FFDD0570000-0x00007FFDD0584000-memory.dmp

memory/5164-653-0x00007FFDD0590000-0x00007FFDD0617000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 83841589e5e338a0e0ec3981e2e11544
SHA1 bb09f932fc2a6f3e05c191e42c13054bd59a73c4
SHA256 5db9f22e80b4f0a84022c625064e913629527ae2703e5707c86da68eb1a9e31f
SHA512 e7be03749c991a4742bc3f664bfe858fb68a93c4ad12e28560ec26c0162dfbf6efa0d8bf0ab3cc030fa5f29ddc4a15158807702a0c3a85b796a141ab5ebd1524

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 d8c53f02767efdfaf6b46cb9264b3fe2
SHA1 927c7dd21b065dbff2ea32bb6176419e9b289187
SHA256 b44687568ae52eae17efacd5d80cda96b5e1ccb99effed95e602e5fd224fd692
SHA512 2d8216d6875df043e30b4a6b20b3782b96565d1d527f672121241f3703a45eebebc7318471c0636c9cbd66abb5998e3a8ff92135c4e94f4ed662834405d2a1c2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 cf0c17b787c6e0f8aeb6adb18bd589c6
SHA1 193cb6610fff0154ca8e94d551f69a39ff882709
SHA256 da48167ba2b9a2bb94d5de91c0cc0aec3924adb07846fd907e5c79d6b3a8b77e
SHA512 b2ec7a1b24833d72a37ebabc9364aa60d92fb22268b82ba24aa218b25a065e483fa89a470e0bb599caa11a9d3241c778d8662e4617c7fd290f987f7b496430b2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 6e1457dc9fb4d1210abe5a8ca0f26d9f
SHA1 2772e209ff8c9ab6846e4cb9ad847bbc97aab175
SHA256 624c00b435752e0274ed819ebfd595c54183ca021c65f78726afe1ca1d8ac0fd
SHA512 394a9ae206a801ca24eabe5f38ae8ed5257a765c7a3731633fa4a79fe1cc4fab74c124a4916d0409d85eb3fd69cd096e13cc83027987ef310733a95ca0a08cc5

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 20d485f2a3fe8ef6e985d22fab93f11c
SHA1 3462322044c2ec6dd24c8077253619d9d7830b77
SHA256 61af76785f9a50025de2ca01fe94fe3e19223c1219b9b65aece1cb51a1bf76b5
SHA512 3761144f61de6c7ae0e2055d6259bd8e8a5730182bca57f3d7dda992700db144817582388b52b7aec707f25f3b6d0024c9f3df16eebb94a0d8b49a3b8b8167f4