Edit tour

Windows Analysis Report
chromsetup.exe

Overview

General Information

Sample name:	chromsetup.exe
Analysis ID:	1592190
MD5:	41da209c453b8562a89db09f041b4ad9
SHA1:	8cd14bcbc349f5d2aa92834800939f0df09687af
SHA256:	4289b29d107b1ab367ab5ce45e9c457c5f33c9b2fba3f25305bc654855f4fca8
Tags:	exeuser-juroots
Infos:

Detection

Score:	57
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Detected unpacking (changes PE section rights)

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Modifies the windows firewall

PE file has a writeable .text section

Tries to harvest and steal browser information (history, passwords, etc)

Uses netsh to modify the Windows network and firewall settings

Allocates memory with a write watch (potentially for evading sandboxes)

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to read the PEB

Creates a process in suspended mode (likely to inject code)

Drops PE files

Drops files with a non-matching file extension (content does not match file extension)

EXE planting / hijacking vulnerabilities found

Entry point lies outside standard sections

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Monitors certain registry keys / values for changes (often done to protect autostart functionality)

PE file contains executable resources (Code or Archives)

PE file contains more sections than normal

PE file contains sections with non-standard names

Queries disk information (often used to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

Process Tree

System is w10x64

chromsetup.exe (PID: 6852 cmdline: "C:\Users\user\Desktop\chromsetup.exe" MD5: 41DA209C453B8562A89DB09F041B4AD9)

cmd.exe (PID: 5308 cmdline: cmd /C netsh advfirewall firewall delete rule name = "???????????" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 1076 cmdline: netsh advfirewall firewall delete rule name = "???????????" MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 3320 cmdline: cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 1780 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 2200 cmdline: netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 2144 cmdline: cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 1908 cmdline: netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 6332 cmdline: cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6640 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 2132 cmdline: netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 2140 cmdline: cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 3156 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 3992 cmdline: netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 2872 cmdline: cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2200 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 6544 cmdline: netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

cmd.exe (PID: 5580 cmdline: cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 2032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 7072 cmdline: netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

MiniThunderPlatform.exe (PID: 792 cmdline: "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" -StartTP MD5: 0C8F2B0EE5BF990C6541025E94985C9F)

???????????2025-01-15.exe (PID: 2784 cmdline: C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe MD5: F2009C81F52C13C3876CB72339F9D225)

setup.exe (PID: 5780 cmdline: "C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\CHROME.PACKED.7Z" MD5: B42B8AC29EE0A9C3401AC4E7E186282D)

setup.exe (PID: 5328 cmdline: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6d8731148,0x7ff6d8731158,0x7ff6d8731168 MD5: B42B8AC29EE0A9C3401AC4E7E186282D)

chrome.exe (PID: 3544 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

chrome.exe (PID: 5144 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2232,i,1759678746837150058,13767784246195472280,262144 /prefetch:8 MD5: 45DE480806D1B5D462A7DDE4DCEFC4E4)

cleanup

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: chromsetup.exe

Virustotal: Detection: 9%

Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 82.9% probability

Source: chromsetup.exe, 00000000.00000003.1690166937.0000000002D20000.00000004.00001000.00020000.00000000.sdmp

Binary or memory string: -----BEGIN PUBLIC KEY-----

memstr_ad4d174d-0

Source: C:\Users\user\Desktop\chromsetup.exe

EXE: cmd.exe

Jump to behavior

Source: C:\Users\user\Desktop\chromsetup.exe

EXE: cmd.exe

Jump to behavior

Source: chromsetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: chromsetup.exe

Static PE information: certificate valid

Source: C:\Users\user\Desktop\chromsetup.exe

File opened: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\msvcr71.dll

Jump to behavior

Source: chromsetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, MiniThunderPlatform.exe, 00000016.00000000.1728465927.0000000000448000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: msvcr71.pdb\ source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: atl71.pdbT source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb/ source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: atl71.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, MiniThunderPlatform.exe, 00000016.00000000.1728465927.0000000000448000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\ReleseDll.vc7\XLBugHandler.pdb source: chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, xldl.dll.0.dr
Source:	Binary string: msvcp71.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, msvcp71.dll.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: ???????????2025-01-15.exe, 0000001B.00000002.2090582167.00007FF736275000.00000002.00000001.01000000.00000019.sdmp, ???????????2025-01-15.exe, 0000001B.00000000.2004683269.00007FF736275000.00000002.00000001.01000000.00000019.sdmp, ___________2025-01-15.exe.td.22.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdbD0B source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr71.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp

Source: chrome.exe

Memory has grown: Private usage: 21MB later: 36MB

Source: Joe Sandbox View	IP Address: 104.193.90.89 104.193.90.89
Source: Joe Sandbox View	IP Address: 104.193.90.87 104.193.90.87
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188
Source: Joe Sandbox View	IP Address: 103.235.47.188 103.235.47.188

Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%s
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%s&
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.xunlei.com/cgi-bin/bugreport.fcgi?appname=%s&appversion=%s&exceptcode=%s&peerid=%sr
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: chromsetup.exe, 00000000.00000003.1715210735.00000000033AB000.00000004.00000020.00020000.00000000.sdmp, manifest.json.0.dr	String found in binary or memory: http://clients2.google.com/service/update2/crx
Source: chromsetup.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: chromsetup.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: chromsetup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningCAEVR36.crl0
Source: chromsetup.exe	String found in binary or memory: http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000006357000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.0000000007238000.00000004.00001000.00020000.00000000.sdmp, xldl.dll.0.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: chromsetup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#
Source: chromsetup.exe	String found in binary or memory: http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%s
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%sHTTP://http://
Source: chromsetup.exe, 00000000.00000003.1715210735.000000000338C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715306387.0000000001423000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102113577.0000000003356000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://gool.52supan.cn/
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020554015.00000000070D7000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/4g
Source: chromsetup.exe, 00000000.00000002.2100665793.000000000134E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?102-03
Source: chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105
Source: chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=01
Source: chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=01/?105&step=01
Source: chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=01A
Source: chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=01F
Source: chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=01hS
Source: chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1736414253.00000000033A4000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1736414253.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1737948189.0000000003387000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02%p
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02...
Source: chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=020
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=023p
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=025
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1737948189.0000000003387000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02C:
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02J
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02Qp
Source: chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02X
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02e
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02fd
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02h
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02ip
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02s
Source: chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=02z
Source: chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03
Source: chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03&
Source: chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03(
Source: chromsetup.exe, 00000000.00000003.2078376060.00000000070C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020554015.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03)
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03-
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03-8
Source: chromsetup.exe, 00000000.00000003.2020817802.00000000033AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03263746&t=zC;
Source: chromsetup.exe, 00000000.00000003.2078376060.00000000070C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020554015.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=037
Source: chromsetup.exe, 00000000.00000003.1790713098.0000000003F84000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1790458322.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1790658293.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1790849288.0000000003F88000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1790766085.0000000003F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03F
Source: chromsetup.exe, 00000000.00000003.2095552255.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03N
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03Q
Source: chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03R
Source: chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03RTC
Source: chromsetup.exe, 00000000.00000003.2095552255.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03T
Source: chromsetup.exe, 00000000.00000002.2100665793.000000000134E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03d31
Source: chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03g
Source: chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03l
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03wp
Source: chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=03zSk
Source: chromsetup.exe, 00000000.00000003.2075837165.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04-
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04-8
Source: chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04...Q
Source: chromsetup.exe, 00000000.00000003.2078376060.00000000070C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020554015.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=041
Source: chromsetup.exe, 00000000.00000003.2020735744.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=0418577O
Source: chromsetup.exe, 00000000.00000003.2020817802.00000000033BE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04263746&t=zis
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=043p
Source: chromsetup.exe, 00000000.00000003.2020554015.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=0457
Source: chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04578b6d44a632f2016a071857
Source: chromsetup.exe, 00000000.00000003.2020817802.00000000033D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04578b6d44a632f2016a071857res=Wed
Source: chromsetup.exe, 00000000.00000003.2020554015.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=047
Source: chromsetup.exe, 00000000.00000002.2122982128.000000000710C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094674565.0000000007108000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2075837165.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04Dc
Source: chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04G
Source: chromsetup.exe, 00000000.00000002.2105943050.0000000003EE0000.00000004.00000010.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04I
Source: chromsetup.exe, 00000000.00000003.2020735744.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04SO
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04a071857lNt
Source: chromsetup.exe, 00000000.00000003.2094674565.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04e
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04l
Source: chromsetup.exe, 00000000.00000003.2020554015.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04ll
Source: chromsetup.exe, 00000000.00000003.2078376060.00000000070C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04q
Source: chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=04rk
Source: chromsetup.exe, 00000000.00000003.2079583985.0000000007114000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05$
Source: chromsetup.exe, 00000000.00000003.2075837165.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05(b
Source: chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05)
Source: chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05...
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05...tCache
Source: chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=051
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=051857d44a632f2016a071857
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=051C:
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=052
Source: chromsetup.exe, 00000000.00000003.2094797420.0000000001439000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001439000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05263746&t=z81263746&t=z
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05263746&t=zgO
Source: chromsetup.exe, 00000000.00000002.2108266023.0000000004813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=053
Source: chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105458307.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=055
Source: chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=0557
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05578b6d44a632f2016a0718574652supan.cn;
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05578b6d44a632f2016a071857=Wed
Source: chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105458307.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=058
Source: chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105458307.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=059O
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05C
Source: chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05G
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05Q
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05ea
Source: chromsetup.exe, 00000000.00000003.2078376060.00000000070C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05ll
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05rk
Source: chromsetup.exe, 00000000.00000003.2095552255.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033D5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/?105&step=05z
Source: chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/N28
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/iZ
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ntj.52supan.cn/pZv
Source: chromsetup.exe	String found in binary or memory: http://ocsp.comodoca.com0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://ocsp.digicert.com0A
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://ocsp.digicert.com0C
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe	String found in binary or memory: http://ocsp.digicert.com0X
Source: chromsetup.exe	String found in binary or memory: http://ocsp.sectigo.com0
Source: chromsetup.exe	String found in binary or memory: http://ocsp.sectigo.com00
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000006357000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.0000000007238000.00000004.00001000.00020000.00000000.sdmp, xldl.dll.0.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/encoding/
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/soap/envelope/
Source: chromsetup.exe, 00000000.00000003.1715270525.000000000336C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715556418.0000000003387000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1737948189.0000000003387000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sd520.cn/search.html?
Source: chromsetup.exe, 00000000.00000003.1715556418.0000000003387000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715210735.00000000033AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://sd520.cn/search.html?wd=
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, MiniThunderPlatform.exe, 00000016.00000000.1728465927.0000000000448000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://store.paycenter.uc.cn
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, MiniThunderPlatform.exe, 00000016.00000000.1728465927.0000000000448000.00000002.00000001.01000000.0000000B.sdmp	String found in binary or memory: http://store.paycenter.uc.cnmail-attachment.googleusercontent.com
Source: chromecache_273.31.dr	String found in binary or memory: http://t11.baidu.com/it/u=3049637327
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2013931321.0000000003F86000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2021433155.0000000003F87000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	String found in binary or memory: http://tongji.baidu.com/hm-web/welcome/ico
Source: chromsetup.exe, 00000000.00000003.1790713098.0000000003F84000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1790458322.0000000003F80000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1790658293.0000000003F81000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1790766085.0000000003F85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://tongji.baidu.com/hm-web/welcome/ico//ada.baidu.com/phone-tracker/insert_bdtj?sid=https://hmcd
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698419073.0000000007440000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000006357000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.0000000007238000.00000004.00001000.00020000.00000000.sdmp, xldl.dll.0.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698419073.0000000007440000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000006357000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.0000000007238000.00000004.00001000.00020000.00000000.sdmp, xldl.dll.0.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698419073.0000000007440000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000006357000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.0000000007238000.00000004.00001000.00020000.00000000.sdmp, xldl.dll.0.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: chromsetup.exe, 00000000.00000003.1698964381.0000000001412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uzhuanjia.cn/
Source: chromsetup.exe, 00000000.00000003.1698964381.0000000001423000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uzhuanjia.cn/sj.txt
Source: chromsetup.exe, 00000000.00000002.2100938017.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2097042684.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uzhuanjia.cn/sj.txt4d52ca668f78edb40c8add7e9785abcfffe60e76d81f860c097439050b798a419fa9d1dc43
Source: chromsetup.exe, 00000000.00000003.1715306387.00000000013EB000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698964381.00000000013EB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uzhuanjia.cn/sj.txtY
Source: chromsetup.exe, 00000000.00000003.1715306387.0000000001423000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698964381.0000000001423000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uzhuanjia.cn/sj.txtr
Source: chromsetup.exe, 00000000.00000003.1698964381.0000000001412000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://uzhuanjia.cn/sj.txtyI
Source: ???????????2025-01-15.exe, 0000001B.00000003.2049202103.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049339513.0000015F3EC27000.00000004.00000020.00020000.00000000.sdmp, ???????????2025-01-15.exe, 0000001B.00000003.2049083419.0000015F3EC30000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.digicert.com/CPS0
Source: chromsetup.exe, 00000000.00000002.2098859441.0000000000464000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.openssl.org/support/faq.html....................
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll-
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.winimage.com/zLibDll1.2.3
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xunlei.com/
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xunlei.com/GET
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.xunlei.com/no-cache
Source: MiniThunderPlatform.exe, 00000016.00000003.1802966861.000000000CC5A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xz6.w3766.com/down/lds/gool109.exe
Source: MiniThunderPlatform.exe, 00000016.00000003.1804543592.000000000CC68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xz6.w3766.com/down/lds/gool109.exe#
Source: MiniThunderPlatform.exe, 00000016.00000003.1804543592.000000000CC68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xz6.w3766.com/down/lds/gool109.exe#4j
Source: MiniThunderPlatform.exe, 00000016.00000003.1804543592.000000000CC68000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://xz6.w3766.com/down/lds/gool109.exe$
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/C
Source: chromsetup.exe, 00000000.00000002.2101254211.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102113577.0000000003356000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122652527.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2021691820.0000000003F67000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2079466887.00000000070BB000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2014347032.0000000003F62000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020713005.00000000070B9000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2075837165.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=z
Source: chromsetup.exe, 00000000.00000003.2094797420.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101037688.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=z81263746&t=z
Source: chromsetup.exe, 00000000.00000003.2094797420.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.00000000013F4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=z:~v
Source: chromsetup.exe, 00000000.00000002.2108266023.0000000004813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=z?w
Source: chromsetup.exe, 00000000.00000003.2076538218.0000000007119000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020689930.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122652527.00000000070BC000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2079466887.00000000070BB000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020713005.00000000070B9000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2075837165.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=zC:
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=zWN-
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=zXg.
Source: chromsetup.exe, 00000000.00000002.2108266023.0000000004813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=zhttps://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a07
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=zx)
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/c.js?web_id=1281263746&t=zz
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/m
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://c.cnzz.com/y
Source: chromsetup.exe, 00000000.00000003.1715210735.00000000033AB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://chrome.google.com/webstore
Source: setup.exe, 0000001D.00000002.2060044263.00000203D1C90000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report
Source: setup.exe, 0000001D.00000002.2076534576.0000487400234000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/report--annotation=channel=--annotation=plat=Win64--annotation=prod=C
Source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://clients2.google.com/cr/reportCopyright
Source: setup.exe, 0000001D.00000002.2079217486.0000487400290000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/reportHt)
Source: setup.exe, 0000001D.00000002.2078356475.000048740025C000.00000004.00001000.00020000.00000000.sdmp	String found in binary or memory: https://clients2.google.com/cr/reportp
Source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://crashpad.chromium.org/
Source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://crashpad.chromium.org/bug/new
Source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new
Source: chromsetup.exe, 00000000.00000003.1690166937.0000000002D20000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2098859441.0000000000464000.00000002.00000001.01000000.00000003.sdmp	String found in binary or memory: https://curl.haxx.se/docs/http-cookies.html
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	String found in binary or memory: https://fclog.baidu.com/log/ocpcagl?type=behavior&emd=euc
Source: chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://fclog.baidu.com/log/ocpcagl?type=behavior&emd=euce.te.c
Source: chromsetup.exe, 00000000.00000002.2106094033.0000000003F60000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://fclog.baidu.com/log/ocpcagl?type=behavior&emd=eucf
Source: chromsetup.exe, 00000000.00000002.2121182915.0000000006713000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2097152063.00000000066FE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goutong.ba
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2106094033.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	String found in binary or memory: https://goutong.baidu.com/site/
Source: chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://goutong.baidu.com/site/c.idH.lengthc.id
Source: chromsetup.exe, 00000000.00000003.1789193509.0000000003F76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://goutong.baidu.com/site/tongji.baidu.com/hm-web/js///ers.baidu.com/app/s.js?
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101189251.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2097008417.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/
Source: chromsetup.exe, 00000000.00000002.2101189251.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2097008417.00000000013E0000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.00000000013E0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/#
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/44a632f2016a071857
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/44a632f2016a071857wzN
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/Gg
Source: chromsetup.exe, 00000000.00000002.2102280233.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020689930.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.0000000003396000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.gif?hca=D3BBBF28603AC2CB&cc=1&ck=1&cl=32-bit&ds=1280x1024&vl=496&ep=24346%2C
Source: chromsetup.exe, 00000000.00000003.2075837165.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.gif?hca=D3BBBF28603AC2CB&cc=1&ck=1&cl=32-bit&ds=1280x1024&vl=496&ep=382%2C38
Source: chromsetup.exe, 00000000.00000003.2095552255.00000000033C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.gif?hca=D3BBBF28603AC2CB&cc=1&ck=1&cl=32-bit&ds=1280x1024&vl=496&et=0&ja=1&l
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d4
Source: chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a07185746
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a07185746rset=
Source: chromsetup.exe, 00000000.00000003.2021807097.000000000481B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a0718578
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857C:
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857D
Source: chromsetup.exe, 00000000.00000003.2020817802.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857I
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857LMEMx
Source: chromsetup.exe, 00000000.00000002.2122982128.000000000710C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094674565.0000000007108000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857NNC:
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857Z
Source: chromsetup.exe, 00000000.00000003.2020735744.000000000340A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857__=
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857charset=
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857dl
Source: chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857e30
Source: chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857i
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857ln=eC:
Source: chromsetup.exe, 00000000.00000003.1736414253.00000000033C9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857q
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857tm.
Source: chromsetup.exe, 00000000.00000002.2102280233.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033FA000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857x
Source: chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857y
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/nes
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/nzz.com/c.js?web_id=1281263746&t=z
Source: chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hm.baidu.com/o_
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2106094033.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	String found in binary or memory: https://hmcdn.baidu.com/static
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2013931321.0000000003F86000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2021433155.0000000003F87000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	String found in binary or memory: https://hmcdn.baidu.com/static/tongji/plugins/
Source: chromsetup.exe, 00000000.00000002.2108266023.0000000004813000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hmcdn.baidu.com/static/tongji/plugins///ada.baidu.com/phone-tracker/insert_bdtj?sid=http://t
Source: chromsetup.exe, 00000000.00000003.1789193509.0000000003F76000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://hmcdn.baidu.com/static3
Source: chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://hmcdn.baidu.com/statica
Source: chromsetup.exe, 00000000.00000003.1715270525.000000000336C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.com
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://login.live.comN28
Source: chromsetup.exe, 00000000.00000003.2078376060.00000000070F5000.00000004.00000020.00020000.00000000.sdmp, c[1].js.0.dr	String found in binary or memory: https://quanjing.cnzz.com
Source: chromsetup.exe	String found in binary or memory: https://sectigo.com/CPS0
Source: chromecache_217.31.dr	String found in binary or memory: https://sp1.baidu.com/5b1ZeDe5KgQFm2e88IuM_a/mwb2.gif
Source: setup.exe	String found in binary or memory: https://support.googl
Source: setup.exe	String found in binary or memory: https://support.google.com/chr
Source: setup.exe, 0000001D.00000002.2084874503.00007FF6D8762000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://support.google.com/chrome/?p=usage_stats_crash_reports
Source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	String found in binary or memory: https://support.google.com/chrome?p=chrome_uninstall_surveymicrosoft-edge:open..
Source: chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2100665793.0000000001386000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/
Source: chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/8H
Source: chromsetup.exe, 00000000.00000003.2020817802.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2106094033.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1736414253.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070D7000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2075837165.0000000007101000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2078376060.00000000070D7000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746.52supan.cn;
Source: chromsetup.exe, 00000000.00000002.2101037688.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.00000000013DB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746C
Source: chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746C:
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746H
Source: chromsetup.exe, 00000000.00000003.2094797420.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101037688.00000000013C3000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746IZ.DAT
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746Zh
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746cript9.dll.mui
Source: chromsetup.exe, 00000000.00000003.2020817802.00000000033AE000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746d
Source: chromsetup.exe, 00000000.00000003.2014297914.0000000003F61000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2014391385.0000000003F69000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2014347032.0000000003F62000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746https://v1.cnzz.com/z_stat.php?id=1281
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746ll
Source: chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746mber
Source: chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746rset=
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://v1.cnzz.com/z_stat.php?id=1281263746j7
Source: chromsetup.exe, 00000000.00000003.2078376060.00000000070F5000.00000004.00000020.00020000.00000000.sdmp, c[1].js.0.dr	String found in binary or memory: https://www.cnzz.com/stat/website.php?web_id=
Source: chromsetup.exe, 00000000.00000003.2021923038.0000000004821000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cnzz.com/stat/website.php?web_id=1281263746
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cnzz.com/stat/website.php?web_id=12812637463746
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cnzz.com/stat/website.php?web_id=1281263746X
Source: chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cnzz.com/stat/website.php?web_id=1281263746Y
Source: chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.cnzz.com/stat/website.php?web_id=1281263746o
Source: chromsetup.exe, 00000000.00000003.1715576200.000000000337E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.google.com/
Source: chromecache_244.31.dr	String found in binary or memory: https://www.yoojia.com/car/
Source: chromecache_244.31.dr	String found in binary or memory: https://www.yoojia.com/rank/1-0-0-0-0-0.html?from_src=hao123_tab_sale
Source: chromecache_244.31.dr	String found in binary or memory: https://www.yoojia.com/rank/2-0-0-0-0-0.html?from_src=hao123_tab_heat
Source: chromecache_244.31.dr	String found in binary or memory: https://www.yoojia.com/s-
Source: chromecache_244.31.dr	String found in binary or memory: https://youjia.cdn.bcebos.com/hao123-more-brand.png
Source: chromecache_244.31.dr	String found in binary or memory: https://youjia.cdn.bcebos.com/hao123/bronze-medal.svg
Source: chromecache_244.31.dr	String found in binary or memory: https://youjia.cdn.bcebos.com/hao123/gold-medal.svg
Source: chromecache_244.31.dr	String found in binary or memory: https://youjia.cdn.bcebos.com/hao123/silver-medal.svg
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/%(17.79MB/S
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/=Z
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/EZY
Source: chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/ows
Source: chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/stat.htm?id=1281263746&r=&lg=en-gb&ntime=1736975345&cnzz_eid=1149197605-17369753
Source: chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/stat.htm?id=1281263746&r=&lg=en-gb&ntime=1736975370&cnzz_eid=1149197605-17369753
Source: chromsetup.exe, 00000000.00000003.2097042684.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://z6.cnzz.com/stat.htm?id=1281263746&r=&lg=en-gb&ntime=none&cnzz_eid=1149197605-1736975345-&sh

System Summary

PE file has a writeable .text section

Source: chromsetup.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: chromsetup.exe	Static PE information: Resource name: PNG type: DOS executable (COM, 0x8C-variant)
Source: chromsetup.exe	Static PE information: Resource name: PNG type: DOS executable (COM, 0x8C-variant)
Source: chromsetup.exe	Static PE information: Resource name: PNG type: DOS executable (COM, 0x8C-variant)
Source: chromsetup.exe	Static PE information: Resource name: PNG type: DOS executable (COM, 0x8C-variant)
Source: chromsetup.exe	Static PE information: Resource name: RT_GROUP_CURSOR type: DOS executable (COM, 0x8C-variant)
Source: ___________2025-01-15.exe.td.22.dr	Static PE information: Resource name: B7 type: 7-zip archive data, version 0.4
Source: ___________2025-01-15.exe.td.22.dr	Static PE information: Resource name: BL type: Microsoft Cabinet archive data, Windows 2000/XP setup, 1628494 bytes, 1 file, at 0x2c +A "setup.exe", number 1, 152 datablocks, 0x1203 compression
Source: setup.exe.27.dr	Static PE information: Resource name: RT_STRING type: PDP-11 pure executable not stripped

Source: setup.exe.27.dr

Static PE information: Number of sections : 15 > 10

Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameminizip.dll> vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSVCP71.DLL\ vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1698608491.00000000071C0000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib1.dll* vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXLBugHan.dll8 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexldl4 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniThunderPlatform4 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMiniTPFw.exeJ vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThunderFW2 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameThunderFW( vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXLBugReport.exe. vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameATL71.DLL< vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedl_peer_id2 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedl_peer_id( vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamedownload_interface.dll0 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1698608491.00000000071DB000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSVCR71.DLL\ vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.00000000062FA000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameMSVCR71.DLL\ vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1698419073.0000000007440000.00000004.00001000.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib1.dll* vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.0000000006357000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamezlib1.dll* vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameXLBugHan.dll8 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenamexldl4 vs chromsetup.exe
Source: chromsetup.exe, 00000000.00000003.1698964381.00000000013CE000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilename7zxa.dll, vs chromsetup.exe

Source: chromsetup.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: chromsetup.exe

Static PE information: Section: .reloc IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

Source: chromsetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESERVED size: 0x100000 address: 0x0

Source: chromsetup.exe	Static PE information: Section: .rdata ZLIB complexity 0.9989923367834395
Source: chromsetup.exe	Static PE information: Section: .data ZLIB complexity 0.9931857638888889
Source: chromsetup.exe	Static PE information: Section: .gfids ZLIB complexity 0.9952734375
Source: chromsetup.exe	Static PE information: Section: .reloc ZLIB complexity 0.9997793079096046

Source: classification engine

Classification label: mal57.spyw.evad.winEXE@78/365@0/52

Source: C:\Users\user\Desktop\chromsetup.exe

File created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\IE\3D003UC5\sj[1].txt

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1780:120:WilError_03
Source: C:\Users\user\Desktop\chromsetup.exe	Mutant created: \Sessions\1\BaseNamedObjects\???????????????
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2200:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Mutant created: \Sessions\1\BaseNamedObjects\F8730FC7_1436_4121_9FA6_C0FBF4817482
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ChromeSetupExitEventMutex_6348257196320397901
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3156:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2032:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Mutant created: \Sessions\1\BaseNamedObjects\c:/users/user/appdata/local/temp/d59o7n5j16/download/minithunderplatform.exe_mini_tpka_m_2013515_360_a
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6640:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Mutant created: \Sessions\1\BaseNamedObjects\Global\ChromeSetupMutex_6348257196320397901

Source: C:\Users\user\Desktop\chromsetup.exe

File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16

Jump to behavior

Source: C:\Users\user\Desktop\chromsetup.exe

File read: C:\Users\user\AppData\Local\Temp\d59O7n5J16\task.ini

Jump to behavior

Source: C:\Users\user\Desktop\chromsetup.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Source: chromsetup.exe

Virustotal: Detection: 9%

Source: setup.exe	String found in binary or memory: t ng internet sa Google Chrome, ang web browser na naka-install sa iyong PC</span> </td> </tr> </table> </div> <div class="main"> Tanggapin ang Mga Tuntunin ng Serbisyo para masimulang gamitin ang Google Chrome: </div> <div class="eula"> <ifram
Source: setup.exe	String found in binary or memory: Nabigo ang pag-install dahil sa hindi natukoy na error. Kung kasalukuyang tumatakbo ang Google Chrome, paki-sara ito at subukan ul
Source: setup.exe	String found in binary or memory: Wala kang naaangkop na mga karapatan para sa pag-install sa antas ng system. Subukan muling patakbuhin ang installer bilang Admini
Source: setup.exe	String found in binary or memory: jrjestelmvirhe. Lataa Google Chrome uudelleen.bNagkaroon ng error sa operating system habang nag-i-install. Paki-download muli a
Source: setup.exe	String found in binary or memory: Jy het nie die gepaste regte vir stelselvlak-installering nie. Probeer om die installeerder weer te laat loop as Administrateur.>
Source: setup.exe	String found in binary or memory: AGoogle Chrome on jo asennettuna kaikille tietokoneen kyttjille.JNaka-install na ang Google Chrome para sa lahat ng user sa iyon
Source: setup.exe	String found in binary or memory: .PAsennus eponnistui tuntemattoman virheen vuoksi. Lataa Google Chrome uudelleen.]Nabigo ang pag-install dahil sa hindi natukoy n
Source: setup.exe	String found in binary or memory: Hindi ma-install ang parehong bersyon ng Google Chrome na kasalukuyang tumatakbo. Mangyaring isara ang Google Chrome at muling sub
Source: setup.exe	String found in binary or memory: t ng internet sa Google Chrome, ang web browser na naka-install sa iyong PC</span> </td> </tr> </table> </div> <div class="main"> Tanggapin ang Mga Tuntunin ng Serbisyo para masimulang gamitin ang Google Chrome: </div> <div class="eula"> <ifram
Source: setup.exe	String found in binary or memory: Nabigo ang pag-install dahil sa hindi natukoy na error. Kung kasalukuyang tumatakbo ang Google Chrome, paki-sara ito at subukan ul
Source: setup.exe	String found in binary or memory: Wala kang naaangkop na mga karapatan para sa pag-install sa antas ng system. Subukan muling patakbuhin ang installer bilang Admini
Source: setup.exe	String found in binary or memory: jrjestelmvirhe. Lataa Google Chrome uudelleen.bNagkaroon ng error sa operating system habang nag-i-install. Paki-download muli a
Source: setup.exe	String found in binary or memory: Jy het nie die gepaste regte vir stelselvlak-installering nie. Probeer om die installeerder weer te laat loop as Administrateur.>
Source: setup.exe	String found in binary or memory: AGoogle Chrome on jo asennettuna kaikille tietokoneen kyttjille.JNaka-install na ang Google Chrome para sa lahat ng user sa iyon
Source: setup.exe	String found in binary or memory: .PAsennus eponnistui tuntemattoman virheen vuoksi. Lataa Google Chrome uudelleen.]Nabigo ang pag-install dahil sa hindi natukoy n
Source: setup.exe	String found in binary or memory: Hindi ma-install ang parehong bersyon ng Google Chrome na kasalukuyang tumatakbo. Mangyaring isara ang Google Chrome at muling sub

Source: C:\Users\user\Desktop\chromsetup.exe

File read: C:\Users\user\Desktop\chromsetup.exe

Jump to behavior

Source: unknown	Process created: C:\Users\user\Desktop\chromsetup.exe "C:\Users\user\Desktop\chromsetup.exe"
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall delete rule name = "???????????"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name = "???????????"
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" -StartTP
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe "C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\CHROME.PACKED.7Z"
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6d8731148,0x7ff6d8731158,0x7ff6d8731168
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2232,i,1759678746837150058,13767784246195472280,262144 /prefetch:8
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall delete rule name = "???????????"	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" -StartTP	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name = "???????????"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe "C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\CHROME.PACKED.7Z"
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6d8731148,0x7ff6d8731158,0x7ff6d8731168
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2220 --field-trial-handle=2232,i,1759678746837150058,13767784246195472280,262144 /prefetch:8
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown
Source: C:\Program Files\Google\Chrome\Application\chrome.exe	Process created: unknown unknown

Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: msimg32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: oledlg.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: oleacc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: wininet.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: windowscodecs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: textinputframework.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: coreuicomponents.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: coremessaging.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: ieframe.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: netapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: wkscli.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: dataexchange.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: d3d11.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: dcomp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: dxgi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: twinapi.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: textshaping.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: msiso.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: mshtml.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: powrprof.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: umpdc.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: srpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: secur32.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: mlang.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: msimtf.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: jscript9.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: resourcepolicyclient.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: msls31.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: schannel.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: d2d1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: dwrite.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: d3d10warp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: dxcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: uiautomationcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: mskeyprotect.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: ncryptsslp.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Section loaded: imgutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior

Source: C:\Users\user\Desktop\chromsetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{20D04FE0-3AEA-1069-A2D8-08002B30309D}\InProcServer32

Jump to behavior

Source: C:\Users\user\Desktop\chromsetup.exe

File written: C:\Users\user\AppData\Local\Temp\d59O7n5J16\task.ini

Jump to behavior

Source: Window Recorder

Window detected: More than 3 window changes detected

Source: chromsetup.exe

Static PE information: certificate valid

Source: chromsetup.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: chromsetup.exe

Static file information: File size 4105640 > 1048576

Source: C:\Users\user\Desktop\chromsetup.exe

File opened: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\msvcr71.dll

Jump to behavior

Source: chromsetup.exe	Static PE information: Raw size of .text is bigger than: 0x100000 < 0x140000
Source: chromsetup.exe	Static PE information: Raw size of .rsrc is bigger than: 0x100000 < 0x21b800

Source: chromsetup.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: chromsetup.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, MiniThunderPlatform.exe, 00000016.00000000.1728465927.0000000000448000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: msvcr71.pdb\ source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\Project\MiniTPFw\MiniTPFw\Release\MiniTPFw.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: atl71.pdbT source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\setup.exe.pdb/ source: setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp
Source:	Binary string: atl71.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, atl71.dll.0.dr
Source:	Binary string: cmd_insert_server.icex-conference/x-cooltalk.movievideo/x-sgi-movievideo/x-msvideo.mxuvideo/vnd.mpegurl.qtvideo/quicktimevideo/mpeg.xmltext/xml.etxtext/x-setext.wmlstext/vnd.wap.wmlscript.wmltext/vnd.wap.wml.tsvtext/tab-separated-values.sgmtext/sgml.rtftext/rtf.rtxtext/richtext.txttext/plain.html.csstext/css.mshmodel/mesh.igsmodel/iges.xwdimage/x-xwindowdump.xpmimage/x-xpixmap.xbmimage/x-xbitmap.rgbimage/x-rgb.ppmimage/x-portable-pixmap.bgmimage/x-portable-graymap.pbmimage/x-portable-bitmap.pnmimage/x-portable-anymap.rasimage/x-cmu-raster.wbmpimage/vnd.wap.wbmp.djvimage/vnd.djvu.tiffimage/tiff.pngimage/png.jpgimage/jpeg.iefimage/ief.gifimage/gif.bmpimage/bmp.xyzchemical/x-xyz.pdbchemical/x-pdb.wavaudio/x-wavaudio/x-realaudio.arpmaudio/x-pn-realaudio-pluginaudio/x-pn-realaudio.m3uaudio/x-mpegurl.aifaudio/x-aiffaudio/mpeg.midiaudio/midiapplication/application/zip.xhtmlapplication/xhtml+xml.srcapplication/x-wais-source.ustarapplication/x-ustar.msapplication/x-troff-ms.meapplication/x-troff-me.manapplication/x-troff-man.texiapplication/x-texinfo.texapplication/x-tex.tclapplication/x-tclapplication/x-tar.sv4crcapplication/x-sv4crc.sv4cpioapplication/x-sv4cpio.sitapplication/x-stuffit.swfapplication/x-shockwave-flash.sharapplication/x-shar.shapplication/x-sh.latexapplication/x-latex.jsapplication/x-javascript.hdfapplication/x-hdf.gtarapplication/x-gtar.splapplication/x-futuresplash.dviapplication/x-dvi.cshapplication/x-csh.cpioapplication/x-cpio.pgnapplication/x-chess-pgn.vcdapplication/x-cdlink.bcpioapplication/x-bcpio.wmlscapplication/vnd.wap.wmlscriptc.wmlcapplication/vnd.wap.wmlc.wbxmlapplication/vnd.wap.wbxml.pptapplication/vnd.ms-powerpoint.xlsapplication/vnd.ms-excel.mifapplication/vnd.mif.smiapplication/smil.pdfapplication/pdf.odaapplication/oda.docapplication/msword.cptapplication/mac-compactpro.hqxapplication/mac-binhex40.ezapplication/andrew-inset source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\MiniDownloadLib\branches\bin\Product Release\download_engine.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\MiniThunderPlatform.pdbt source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E61000.00000004.00000020.00020000.00000000.sdmp, MiniThunderPlatform.exe, 00000016.00000000.1728465927.0000000000448000.00000002.00000001.01000000.0000000B.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\ReleseDll.vc7\XLBugHandler.pdb source: chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\MiniTP\Src\MiniThunderPlatform\pdb\ProductForCommon\xldl.pdb source: chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, xldl.dll.0.dr
Source:	Binary string: msvcp71.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, msvcp71.dll.0.dr
Source:	Binary string: C:\b\s\w\ir\cache\builder\src\out\Release_x64\mini_installer.exe.pdb source: ???????????2025-01-15.exe, 0000001B.00000002.2090582167.00007FF736275000.00000002.00000001.01000000.00000019.sdmp, ???????????2025-01-15.exe, 0000001B.00000000.2004683269.00007FF736275000.00000002.00000001.01000000.00000019.sdmp, ___________2025-01-15.exe.td.22.dr
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb0 source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\code_svn\xl_framework\xl_component\minizip\Release\minizip.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\ThunderFW\Release\ThunderFW.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: d:\workspace\xlframework\win32_component\xlbugreport\bin\Release.vc7\XLBugReport.pdbD0B source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: e:\xl7\Product Release\dl_peer_id.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp
Source:	Binary string: msvcr71.pdb source: chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp

Data Obfuscation

Detected unpacking (changes PE section rights)

Source: C:\Users\user\Desktop\chromsetup.exe

Unpacked PE file: 0.2.chromsetup.exe.140000.0.unpack .text:EW;.rdata:W;.data:W;.gfids:W;.giats:W;.tls:W;.rsrc:W;.reloc:W;.aspack:EW;.adata:EW; vs .text:ER;.rdata:R;.data:W;.gfids:R;.giats:R;.tls:W;.rsrc:W;.reloc:W;.aspack:EW;.adata:EW;

Source: initial sample

Static PE information: section where entry point is pointing to: .aspack

Source: chromsetup.exe	Static PE information: section name: .giats
Source: chromsetup.exe	Static PE information: section name: .aspack
Source: chromsetup.exe	Static PE information: section name: .adata
Source: 7z.dll.0.dr	Static PE information: section name: .sxdata
Source: MiniThunderPlatform.exe.0.dr	Static PE information: section name: .textbss
Source: ___________2025-01-15.exe.td.22.dr	Static PE information: section name: .00cfg
Source: ___________2025-01-15.exe.td.22.dr	Static PE information: section name: .retplne
Source: ___________2025-01-15.exe.td.22.dr	Static PE information: section name: .voltbl
Source: setup.exe.27.dr	Static PE information: section name: .00cfg
Source: setup.exe.27.dr	Static PE information: section name: .gxfg
Source: setup.exe.27.dr	Static PE information: section name: .retplne
Source: setup.exe.27.dr	Static PE information: section name: .rodata
Source: setup.exe.27.dr	Static PE information: section name: .voltbl
Source: setup.exe.27.dr	Static PE information: section name: CPADinfo
Source: setup.exe.27.dr	Static PE information: section name: LZMADEC
Source: setup.exe.27.dr	Static PE information: section name: _RDATA

Source: C:\Users\user\Desktop\chromsetup.exe	Code function: 0_3_048614A0 push esi; ret	0_3_048614A2
Source: C:\Users\user\Desktop\chromsetup.exe	Code function: 0_2_008BE00A push ebp; ret	0_2_008BE00D
Source: C:\Users\user\Desktop\chromsetup.exe	Code function: 0_2_0033CBD6 push ecx; ret	0_2_0033CBE9

Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\xldl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\msvcp71.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\___________2025-01-15.exe (copy)	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\msvcr71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\minizip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\XLBugHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\___________2025-01-15.exe.td	Jump to dropped file
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniTPFw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\zlib1.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\atl71.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\XLBugReport.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe

File created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\___________2025-01-15.exe.td

Jump to dropped file

Source: C:\Users\user\Desktop\chromsetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate			Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot			Jump to behavior

Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Process information set: NOGPFAULTERRORBOX \| NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 5B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 5C30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 6B80000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 6F30000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 3FA0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 4000000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 72C0000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 7360000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 6B60000 memory commit \| memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Memory allocated: 2FF0000 memory commit \| memory reserve \| memory write watch	Jump to behavior

Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\xldl.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\7z.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\minizip.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\XLBugHandler.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\download_engine.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniTPFw.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\ThunderFW.exe	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\dl_peer_id.dll	Jump to dropped file
Source: C:\Users\user\Desktop\chromsetup.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\XLBugReport.exe	Jump to dropped file

Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe

File opened: PhysicalDrive0

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: chromsetup.exe, 00000000.00000002.2100938017.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2097042684.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW
Source: chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW(
Source: chromsetup.exe, 00000000.00000003.1698964381.0000000001412000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\chromsetup.exe

Code function: 0_2_00356027 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,

0_2_00356027

Source: C:\Users\user\Desktop\chromsetup.exe

Code function: 0_2_0036EB3B mov eax, dword ptr fs:[00000030h]

0_2_0036EB3B

Source: C:\Users\user\Desktop\chromsetup.exe	Code function: 0_2_00356027 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,		0_2_00356027
Source: C:\Users\user\Desktop\chromsetup.exe	Code function: 0_2_0033BBDA SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,		0_2_0033BBDA

Source: C:\Users\user\Desktop\chromsetup.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name = "???????????"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=tcp profile=public
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow protocol=udp profile=public
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6d8731148,0x7ff6d8731158,0x7ff6d8731168

Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe c:\users\user\appdata\local\temp\d59o7n5j16\cr_fcd6e.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\google\chrome\user data\crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=win64 --annotation=prod=chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6d8731148,0x7ff6d8731158,0x7ff6d8731168
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	Process created: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe c:\users\user\appdata\local\temp\d59o7n5j16\cr_fcd6e.tmp\setup.exe --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=c:\users\user\appdata\local\google\chrome\user data\crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=win64 --annotation=prod=chrome --annotation=ver=109.0.5414.120 --initial-client-data=0x27c,0x280,0x284,0x258,0x288,0x7ff6d8731148,0x7ff6d8731158,0x7ff6d8731168

Source: C:\Users\user\Desktop\chromsetup.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Queries volume information: C:\Windows\Fonts\timesi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Queries volume information: C:\Windows\Fonts\timesbd.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Queries volume information: C:\Windows\Fonts\timesbi.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Queries volume information: C:\Windows\Fonts\times.ttf VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	Queries volume information: C:\Windows\Fonts\simsun.ttc VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior

Source: C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe

Code function: 28_2_00007FF6D8542964 GetSystemTimeAsFileTime,GetCurrentThreadId,GetCurrentProcessId,QueryPerformanceCounter,

28_2_00007FF6D8542964

Source: C:\Users\user\Desktop\chromsetup.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\Desktop\chromsetup.exe

Process created: C:\Windows\SysWOW64\cmd.exe cmd /C netsh advfirewall firewall delete rule name = "???????????"

Uses netsh to modify the Windows network and firewall settings

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh advfirewall firewall delete rule name = "???????????"

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Users\user\Desktop\chromsetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences			Jump to behavior
Source: C:\Users\user\Desktop\chromsetup.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences			Jump to behavior

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	12 Command and Scripting Interpreter	1 DLL Side-Loading	11 Process Injection	11 Masquerading	1 OS Credential Dumping	1 System Time Discovery	Remote Services	1 Archive Collected Data	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	1 DLL Search Order Hijacking	1 DLL Side-Loading	2 Virtualization/Sandbox Evasion	LSASS Memory	1 Query Registry	Remote Desktop Protocol	1 Data from Local System	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	Logon Script (Windows)	1 DLL Search Order Hijacking	21 Disable or Modify Tools	Security Account Manager	21 Security Software Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Steganography	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 Extra Window Memory Injection	11 Process Injection	NTDS	2 Virtualization/Sandbox Evasion	Distributed Component Object Model	Input Capture	Protocol Impersonation	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 Remote System Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	11 Software Packing	Cached Domain Credentials	2 File and Directory Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	23 System Information Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Search Order Hijacking	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement
Network Topology	Malvertising	Exploit Public-Facing Application	Command and Scripting Interpreter	At	At	1 Extra Window Memory Injection	/etc/passwd and /etc/shadow	Network Sniffing	Direct Cloud VM Connections	Data Staged	Web Protocols	Exfiltration Over Symmetric Encrypted Non-C2 Protocol	Internal Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
chromsetup.exe	10%	Virustotal		Browse
chromsetup.exe	5%	ReversingLabs

Dropped Files

Source	Detection	Scanner
C:\Users\user\AppData\Local\Temp\d59O7n5J16\7z.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\___________2025-01-15.exe (copy)	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\___________2025-01-15.exe.td	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniTPFw.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe	2%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\ThunderFW.exe	3%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\XLBugHandler.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\XLBugReport.exe	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\atl71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\dl_peer_id.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\download_engine.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\minizip.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\msvcp71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\msvcr71.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\zlib1.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\d59O7n5J16\xldl.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://ntj.52supan.cn/?105&step=04q	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=05C	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=051857d44a632f2016a071857	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=04l	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=051	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=04e	0%	Avira URL Cloud	safe
http://uzhuanjia.cn/sj.txt4d52ca668f78edb40c8add7e9785abcfffe60e76d81f860c097439050b798a419fa9d1dc43	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=05G	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=05Q	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=052	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=03g	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=04-8	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=053	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=05)	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=058	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=05$	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=055	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=01hS	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=04I	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=04G	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=03l	0%	Avira URL Cloud	safe
https://www.cnzz.com/stat/website.php?web_id=12812637463746	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=02ip	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=051C:	0%	Avira URL Cloud	safe
http://www.winimage.com/zLibDll1.2.3	0%	Avira URL Cloud	safe
http://gool.52supan.cn/	0%	Avira URL Cloud	safe
http://uzhuanjia.cn/sj.txt	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=05rk	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=0418577O	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=05z	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?102-03	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=03-8	0%	Avira URL Cloud	safe
https://goutong.ba	0%	Avira URL Cloud	safe
http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%s	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=04rk	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105	0%	Avira URL Cloud	safe
http://xz6.w3766.com/down/lds/gool109.exe$	0%	Avira URL Cloud	safe
http://ntj.52supan.cn/?105&step=03RTC	0%	Avira URL Cloud	safe
http://xz6.w3766.com/down/lds/gool109.exe#	0%	Avira URL Cloud	safe

Name	Source	Malicious	Antivirus Detection	Reputation
http://ntj.52supan.cn/?105&step=05Q	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=04q	chromsetup.exe, 00000000.00000003.2078376060.00000000070C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.yoojia.com/rank/2-0-0-0-0-0.html?from_src=hao123_tab_heat	chromecache_244.31.dr	false		high
https://c.cnzz.com/C	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://v1.cnzz.com/8H	chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.sectigo.com/SectigoPublicCodeSigningRootR46.crl0	chromsetup.exe	false		high
http://ntj.52supan.cn/?105&step=051857d44a632f2016a071857	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://z6.cnzz.com/stat.htm?id=1281263746&r=&lg=en-gb&ntime=1736975345&cnzz_eid=1149197605-17369753	chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningCAEVR36.crt0#	chromsetup.exe	false		high
http://ntj.52supan.cn/?105&step=04e	chromsetup.exe, 00000000.00000003.2094674565.0000000007108000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=05C	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://uzhuanjia.cn/sj.txt4d52ca668f78edb40c8add7e9785abcfffe60e76d81f860c097439050b798a419fa9d1dc43	chromsetup.exe, 00000000.00000002.2100938017.00000000013A1000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2097042684.00000000013A0000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/https://crashpad.chromium.org/bug/new	setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	false		high
http://ntj.52supan.cn/?105&step=05G	chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=04l	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hmcdn.baidu.com/static3	chromsetup.exe, 00000000.00000003.1789193509.0000000003F76000.00000004.00000800.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=051	chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=052	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=055	chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105458307.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://youjia.cdn.bcebos.com/hao123/silver-medal.svg	chromecache_244.31.dr	false		high
http://ntj.52supan.cn/?105&step=053	chromsetup.exe, 00000000.00000002.2108266023.0000000004813000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857C:	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=058	chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105458307.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hmcdn.baidu.com/statica	chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp	false		high
https://youjia.cdn.bcebos.com/hao123-more-brand.png	chromecache_244.31.dr	false		high
https://c.cnzz.com/c.js?web_id=1281263746&t=z81263746&t=z	chromsetup.exe, 00000000.00000003.2094797420.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101037688.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	false		high
https://fclog.baidu.com/log/ocpcagl?type=behavior&emd=eucf	chromsetup.exe, 00000000.00000002.2106094033.0000000003F60000.00000004.00000800.00020000.00000000.sdmp	false		high
https://z6.cnzz.com/%(17.79MB/S	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=04-8	chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=05$	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=01hS	chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=03g	chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=05)	chromsetup.exe, 00000000.00000002.2122803011.00000000070C5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=04I	chromsetup.exe, 00000000.00000002.2105943050.0000000003EE0000.00000004.00000010.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=04G	chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=02ip	chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ntj.52supan.cn/?105&step=03l	chromsetup.exe, 00000000.00000003.1736414253.00000000033D6000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746IZ.DAT	chromsetup.exe, 00000000.00000003.2094797420.00000000013BC000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101037688.00000000013C3000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=051C:	chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.cnzz.com/stat/website.php?web_id=12812637463746	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.winimage.com/zLibDll1.2.3	chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://crashpad.chromium.org/	setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	false		high
http://gool.52supan.cn/	chromsetup.exe, 00000000.00000003.1715210735.000000000338C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715306387.0000000001423000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102113577.0000000003356000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1715306387.0000000001410000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.xunlei.com/GET	chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.yoojia.com/car/	chromecache_244.31.dr	false		high
https://chrome.google.com/webstore	chromsetup.exe, 00000000.00000003.1715210735.00000000033AB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://uzhuanjia.cn/sj.txt	chromsetup.exe, 00000000.00000003.1698964381.0000000001423000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://c.cnzz.com/y	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=0418577O	chromsetup.exe, 00000000.00000003.2020735744.000000000340A000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hmcdn.baidu.com/static/tongji/plugins/	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2013931321.0000000003F86000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2021433155.0000000003F87000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	false		high
https://c.cnzz.com/c.js?web_id=1281263746&t=zXg.	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/44a632f2016a071857	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://z6.cnzz.com/EZY	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746mber	chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.gif?hca=D3BBBF28603AC2CB&cc=1&ck=1&cl=32-bit&ds=1280x1024&vl=496&ep=24346%2C	chromsetup.exe, 00000000.00000002.2102280233.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020689930.00000000070A7000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.00000000013F4000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.0000000003396000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033C5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857ln=eC:	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746	chromsetup.exe, 00000000.00000003.2020817802.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094797420.00000000013DB000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033C5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2106094033.0000000003F60000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1736414253.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070D7000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2075837165.0000000007101000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2078376060.00000000070D7000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.xunlei.com/no-cache	chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=05rk	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/44a632f2016a071857wzN	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857LMEMx	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=05z	chromsetup.exe, 00000000.00000003.2095552255.00000000033D5000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033D5000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://z6.cnzz.com/=Z	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?102-03	chromsetup.exe, 00000000.00000002.2100665793.000000000134E000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a07185746	chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102280233.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033AE000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105&step=03-8	chromsetup.exe, 00000000.00000003.1738015913.0000000003370000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857dl	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://c.cnzz.com/c.js?web_id=1281263746&t=z?w	chromsetup.exe, 00000000.00000002.2108266023.0000000004813000.00000004.00000800.00020000.00000000.sdmp	false		high
https://c.cnzz.com/m	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.yoojia.com/rank/1-0-0-0-0-0.html?from_src=hao123_tab_sale	chromecache_244.31.dr	false		high
https://goutong.ba	chromsetup.exe, 00000000.00000002.2121182915.0000000006713000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2097152063.00000000066FE000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857I	chromsetup.exe, 00000000.00000003.2020817802.00000000033AE000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.xunlei.com/	chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ocsp.sectigo.com0	chromsetup.exe	false		high
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a07185746rset=	chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	false		high
https://crashpad.chromium.org/bug/new	setup.exe, 0000001C.00000000.2051203391.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001C.00000002.2056942152.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000000.2052821701.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp, setup.exe, 0000001D.00000002.2082923276.00007FF6D8690000.00000002.00000001.01000000.0000001A.sdmp	false		high
http://ntj.52supan.cn/?105&step=03RTC	chromsetup.exe, 00000000.00000003.2094797420.0000000001412000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2101254211.0000000001412000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857D	chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.gif?hca=D3BBBF28603AC2CB&cc=1&ck=1&cl=32-bit&ds=1280x1024&vl=496&et=0&ja=1&l	chromsetup.exe, 00000000.00000003.2095552255.00000000033C5000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857Z	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2105595218.0000000003426000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false		high
https://c.cnzz.com/c.js?web_id=1281263746&t=zz	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crt.sectigo.com/SectigoPublicCodeSigningRootR46.p7c0#	chromsetup.exe	false		high
https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746ll	chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	false		high
https://c.cnzz.com/c.js?web_id=1281263746&t=zWN-	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.openssl.org/support/faq.html	chromsetup.exe, 00000000.00000002.2098859441.0000000000464000.00000002.00000001.01000000.00000003.sdmp	false		high
https://hmcdn.baidu.com/static	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2106094033.0000000003F71000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	false		high
https://v1.cnzz.com/	chromsetup.exe, 00000000.00000002.2100665793.0000000001390000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2100665793.0000000001386000.00000004.00000020.00020000.00000000.sdmp	false		high
https://z6.cnzz.com/	chromsetup.exe, 00000000.00000002.2122652527.0000000007080000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857i	chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.thawte.com/ThawteTimestampingCA.crl0	chromsetup.exe, 00000000.00000003.1697748382.0000000006239000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.00000000071EC000.00000004.00001000.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.0000000006357000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1697748382.000000000630B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.1698608491.0000000007238000.00000004.00001000.00020000.00000000.sdmp, xldl.dll.0.dr	false		high
http://tongji.baidu.com/hm-web/welcome/ico	chromsetup.exe, 00000000.00000003.2095435474.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.000000000341F000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2073840263.0000000003409000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000002.2122803011.00000000070ED000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2013931321.0000000003F86000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094079599.000000000673C000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2021433155.0000000003F87000.00000004.00000800.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2094750831.000000000340B000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2040575838.000000000673C000.00000004.00000020.00020000.00000000.sdmp, hm[1].js.0.dr	false		high
http://ntj.52supan.cn/?105&step=04rk	chromsetup.exe, 00000000.00000003.2020759767.0000000003429000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://v1.cnzz.com/z_stat.php?id=1281263746&web_id=1281263746rset=	chromsetup.exe, 00000000.00000002.2102280233.0000000003364000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.0000000003364000.00000004.00000020.00020000.00000000.sdmp	false		high
http://ntj.52supan.cn/?105	chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857	chromsetup.exe, 00000000.00000003.2020507613.0000000003428000.00000004.00000020.00020000.00000000.sdmp	false		high
http://exinfo.bugreport.xunlei.com/getexapp?name=%s&ver=%s&eid=%s	chromsetup.exe, 00000000.00000003.1697748382.0000000005E93000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857y	chromsetup.exe, 00000000.00000002.2102113577.0000000003345000.00000004.00000020.00020000.00000000.sdmp	false		high
https://hm.baidu.com/hm.js?f9c9b17a578b6d44a632f2016a071857x	chromsetup.exe, 00000000.00000002.2102280233.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2095552255.00000000033FA000.00000004.00000020.00020000.00000000.sdmp, chromsetup.exe, 00000000.00000003.2020817802.00000000033FA000.00000004.00000020.00020000.00000000.sdmp	false		high
http://xz6.w3766.com/down/lds/gool109.exe$	MiniThunderPlatform.exe, 00000016.00000003.1804543592.000000000CC68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://xz6.w3766.com/down/lds/gool109.exe#	MiniThunderPlatform.exe, 00000016.00000003.1804543592.000000000CC68000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
121.40.205.23	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
104.193.90.89	unknown	United States	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
116.132.218.191	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
104.193.90.87	unknown	United States	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
124.239.243.38	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
103.235.47.188	unknown	Hong Kong	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
223.109.148.173	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
142.250.185.106	unknown	United States	15169	GOOGLEUS	false
142.251.168.84	unknown	United States	15169	GOOGLEUS	false
36.110.219.204	unknown	China	23724	CHINANET-IDC-BJ-APIDCChinaTelecommunicationsCorporation	false
220.169.152.38	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
199.91.74.185	unknown	United States	21859	ZNETUS	false
140.206.220.33	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	false
14.215.183.79	unknown	China	58466	CT-GUANGZHOU-IDCCHINANETGuangdongprovincenetworkCN	false
142.250.185.67	unknown	United States	15169	GOOGLEUS	false
1.1.1.1	unknown	Australia	13335	CLOUDFLARENETUS	false
106.225.241.95	unknown	China	134238	CT-JIANGXI-IDCCHINANETJiangxprovinceIDCnetworkCN	false
47.101.159.232	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
61.170.99.48	unknown	China	4812	CHINANET-SH-APChinaTelecomGroupCN	false
142.250.185.234	unknown	United States	15169	GOOGLEUS	false
185.10.104.124	unknown	European Union	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
220.202.21.136	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
58.254.180.65	unknown	China	136958	UNICOM-GUANGZHOU-IDCChinaUnicomGuangdongIPnetworkCN	false
142.250.185.193	unknown	United States	15169	GOOGLEUS	false
239.255.255.250	unknown	Reserved	unknown	unknown	false
121.14.156.38	unknown	China	134763	CT-DONGGUAN-IDCCHINANETGuangdongprovincenetworkCN	false
118.212.224.48	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
118.212.224.38	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
140.206.225.232	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	false
103.235.46.98	unknown	Hong Kong	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
112.64.218.154	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	false
36.156.202.70	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
118.212.230.38	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
47.92.164.165	unknown	China	37963	CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	false
1.193.146.38	unknown	China	139018	CHINANET-HENAN-LUOYANG-IDCHenanLuoyangIDCCN	false
211.93.211.101	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
112.64.218.64	unknown	China	17621	CNCGROUP-SHChinaUnicomShanghainetworkCN	false
142.250.74.195	unknown	United States	15169	GOOGLEUS	false
142.250.184.202	unknown	United States	15169	GOOGLEUS	false
60.190.116.48	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
199.91.74.209	unknown	United States	21859	ZNETUS	false
124.237.180.66	unknown	China	4134	CHINANET-BACKBONENo31Jin-rongStreetCN	false
119.188.9.130	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false
172.217.16.206	unknown	United States	15169	GOOGLEUS	false
223.109.148.140	unknown	China	56046	CMNET-JIANGSU-APChinaMobilecommunicationscorporationCN	false
45.113.194.250	unknown	Hong Kong	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
185.10.104.109	unknown	European Union	55967	BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	false
183.240.98.228	unknown	China	56040	CMNET-GUANGDONG-APChinaMobilecommunicationscorporation	false
116.163.33.38	unknown	China	4837	CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	false

Private

IP
192.168.2.1
192.168.2.4
127.0.0.1

General Information

Joe Sandbox version:	42.0.0 Malachite
Analysis ID:	1592190
Start date and time:	2025-01-15 22:08:06 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 53s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	34
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	chromsetup.exe
Detection:	MAL
Classification:	mal57.spyw.evad.winEXE@78/365@0/52
EGA Information:	Successful, ratio: 33.3%
HCA Information:	Failed
Cookbook Comments:	Found application associated with file extension: .exe

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, dllhost.exe, WMIADAP.exe, SIHClient.exe, conhost.exe, svchost.exe
Execution Graph export aborted for target setup.exe, PID 5328 because there are no executed function
Execution Graph export aborted for target setup.exe, PID 5780 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtEnumerateKey calls found.
Report size getting too big, too many NtOpenKeyEx calls found.
Report size getting too big, too many NtProtectVirtualMemory calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Skipping network analysis since amount of network traffic is too extensive

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
104.193.90.89	http://metamask-zhwallet.org/	Get hash	malicious	Unknown	Browse
	http://www.baidu.com	Get hash	malicious	Unknown	Browse
	kernelbase_32.dll.dll	Get hash	malicious	Unknown	Browse
	http://14.215.177.38	Get hash	malicious	Unknown	Browse
	http://www.baidu.com/	Get hash	malicious	Unknown	Browse
116.132.218.191	VZ7xFmeuPX.exe	Get hash	malicious	Unknown	Browse	116.132.218.191:80/
104.193.90.87	7J4bYHR4n3.exe	Get hash	malicious	Unknown	Browse
	http://www.baidu.com	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Packed.NoobyProtect.B.6251.20806.exe	Get hash	malicious	Unknown	Browse
	SecuriteInfo.com.Win32.Packed.NoobyProtect.B.6251.20806.exe	Get hash	malicious	Unknown	Browse
	kernelbase_32.dll.dll	Get hash	malicious	Unknown	Browse
	test_restart.exe	Get hash	malicious	Unknown	Browse
	https://www.baidu.com/?Open=normal&BaiduPartner=360&BaiduVIP=e0r45hdwela@bs-dsya@bcom	Get hash	malicious	Unknown	Browse
	104723298.exe	Get hash	malicious	Unknown	Browse
	http://14.215.177.38	Get hash	malicious	Unknown	Browse
	http://www.baidu.com/	Get hash	malicious	Unknown	Browse
124.239.243.38	7J4bYHR4n3.exe	Get hash	malicious	Unknown	Browse
103.235.47.188	VIP-#U4f1a#U5458#U7248.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	Iifpj4i2kC.exe	Get hash	malicious	FormBook	Browse	www.zruypj169g.top/md02/?oHH8=VZUPDXU8mXkToFn&0PG4QdD=KBMih/6UmjMCLIvQj8A+JVJ0ZduXlvkac/jrKRN7UGcA2YCWIWeuvW479UURmW6VwJBRFqK2PA==
	3.exe	Get hash	malicious	BlackMoon, XRed	Browse	www.baidu.com/
	CZyOWoN2hiszA6d.exe	Get hash	malicious	FormBook	Browse	www.vicmvm649n.top/v15n/?Yn=UsBn8mn1PUl4czyMQZxenuqc6dPBc+Q3khu6MN2NNQj7YA4ug5lWpId+R/K0fD87Hm6v&mv=Y4QppplhSjwxWBd
	f2.exe	Get hash	malicious	BlackMoon	Browse	www.baidu.com/
	f1.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	SecuriteInfo.com.FileRepMalware.29184.31872.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	chAJcIK6ZO.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	LisectAVT_2403002A_489.exe	Get hash	malicious	Unknown	Browse	www.baidu.com/
	d48c236503a4d2e54e23d9ebc9aa48e86300fd24955c871a7b8792656c47fb6a.exe	Get hash	malicious	Bdaejec	Browse	www.baidu.com/

Domains

⊘No context

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
CNNIC-ALIBABA-CN-NET-APHangzhouAlibabaAdvertisingCoLtd	ET6LdJaK54.dll	Get hash	malicious	Wannacry	Browse	121.43.141.1
	GeW4GzT8G8.dll	Get hash	malicious	Virut, Wannacry	Browse	8.188.251.4
	bot.x86.elf	Get hash	malicious	Unknown	Browse	8.182.167.42
	bot.spc.elf	Get hash	malicious	Unknown	Browse	106.14.214.150
	bot.arm5.elf	Get hash	malicious	Unknown	Browse	47.92.204.241
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	8.186.115.128
	xd.arm7.elf	Get hash	malicious	Mirai	Browse	139.247.78.81
	Qj9gUbJBkY.dll	Get hash	malicious	Wannacry	Browse	101.133.154.1
	x86_64.elf	Get hash	malicious	Mirai	Browse	182.92.142.6
	138745635-72645747.116.exe	Get hash	malicious	Unknown	Browse	118.178.60.9
CHINA169-BACKBONECHINAUNICOMChina169BackboneCN	1U9rHEz9Rg.dll	Get hash	malicious	Wannacry	Browse	42.230.216.1
	zTrDsX9gXl.dll	Get hash	malicious	Wannacry	Browse	119.163.139.1
	bot.x86.elf	Get hash	malicious	Unknown	Browse	218.12.108.24
	bot.spc.elf	Get hash	malicious	Unknown	Browse	120.13.105.98
	bot.m68k.elf	Get hash	malicious	Unknown	Browse	1.58.95.53
	bot.sh4.elf	Get hash	malicious	Unknown	Browse	182.127.195.47
	bot.arm7.elf	Get hash	malicious	Mirai	Browse	110.53.232.223
	bot.arm.elf	Get hash	malicious	Unknown	Browse	112.234.116.161
	bot.ppc.elf	Get hash	malicious	Unknown	Browse	123.190.80.3
	i686.elf	Get hash	malicious	Mirai	Browse	175.19.79.106
BAIDUBeijingBaiduNetcomScienceandTechnologyCoLtd	https://imtcoken.im/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.toekan.im/	Get hash	malicious	Unknown	Browse	103.235.46.96
	https://wap.sunblock-pro.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	5vrRrFN56j.exe	Get hash	malicious	Bdaejec	Browse	103.235.47.188
	http://m.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.47.188
	https://www.xietaoz.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://wap.escritoresunidos.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://m.ccsurj.org/	Get hash	malicious	Unknown	Browse	103.235.46.96
	http://www.activeselfie.com/	Get hash	malicious	Unknown	Browse	103.235.46.96

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\d59O7n5J16\7z.dll	cfrv_4_0_setup_ALL.exe	Get hash	malicious	Unknown	Browse
	cfrv_4_0_setup_ALL.exe	Get hash	malicious	Unknown	Browse
	Resa Launcher Install.exe	Get hash	malicious	Unknown	Browse
	8ue90oYkrv.exe	Get hash	malicious	Unknown	Browse
	8ue90oYkrv.exe	Get hash	malicious	Unknown	Browse
	cfrv_4_0_setup_ALL.exe	Get hash	malicious	Unknown	Browse
	SaasAntTransactions-Setup (1).exe	Get hash	malicious	RedLine	Browse
	k3yYC4F6nT.exe	Get hash	malicious	Unknown	Browse
	ojSIQVSgby.exe	Get hash	malicious	Unknown	Browse
	FA3TCAsA9E.exe	Get hash	malicious	Unknown	Browse

Input	Output
URL: email Model: Joe Sandbox AI	{ "risk_score": 1, "reasoning": [ "No headers provided to analyze", "Cannot make security assessment without header information", "Default to low risk score due to lack of evidence" ] }
Date: unknown
URL: http://52supan.cn Model: Joe Sandbox AI	{ "typosquatting": false, "unusual_query_string": false, "suspicious_tld": true, "ip_in_url": false, "long_subdomain": false, "malicious_keywords": false, "encoded_characters": false, "redirection": false, "contains_email_address": false, "known_domain": false, "brand_spoofing_attempt": false, "third_party_hosting": false, "reasoning": "The URL uses a .cn (China) TLD which can be considered suspicious for non-Chinese legitimate businesses. The domain name '52supan' appears to be an unknown or non-established brand, and the combination of numbers with letters can sometimes be indicative of suspicious activity." }
URL: http://52supan.cn

Process:	C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	173
Entropy (8bit):	4.456742553864959
Encrypted:	false
SSDEEP:	3:+AlVNmgihHRWDh+MKUGkTXCPwRd8LninlmnShcQwFNCKLgTWLy6EHWmhSXEBR:+iFiBRZUGkes8uf9wFNCKLgiLE
MD5:	713774E49D036A518A5AF410140E92EC
SHA1:	B7F7ED207392E68FBF93EA12C1418943B65BA002
SHA-256:	A925E0EFD5D5CC43FA65EDDDE39AC9DE0E6DFBCDF8E9D4C0E157727652E3D7BE
SHA-512:	64D4455FDFFD186A5ABCE3B465406FF2B7A1DA7E2225A0E6D3E03BDAE5EB0207A0ACDAE4CA2791763FE4EA51650EF8EBC6C4142750D84FA5E25F4FEF1ACF46E6
Malicious:	false
Preview:	[peerid]..computer=874FE54D4E64D095F2B70E28F91BB89813993B6237904AED43488ABBB9C68E85BFCC5B8BEFB7D961311AF92CD5776D7A23D91246B69F88E7E638DB02CDE2827A905214D3CD721133A59D8157..

Process:	C:\Users\user\Desktop\chromsetup.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	2845
Entropy (8bit):	4.835508948790737
Encrypted:	false
SSDEEP:	48:Uh96LW6SB5Di0jQXGigeN4wnAHBtaGgNYpaYtAakhSfE5Ria6l:86LEbyg84wnuWDJY9khS8qaO
MD5:	EE085E95C17BAFFA9A507C90775D6F07
SHA1:	169A69D70056C22B77839785D7A545DC4F2BBF6F
SHA-256:	7CA5117EDB110BA4FA6F028F8624F6566F2C9164FC6F5D3923B1AAE9A8D67D38
SHA-512:	EFD250984B237A1CD82973217FFDCF8553A6CB4F708BD868FF49D74DAAC6326F4CD86ACA459DEC20C8D03925587AF0D3DF8E344F054ED191C0A684950252872D
Malicious:	true
Preview:	{.. "protection": {.. "macs": {.. "browser": {.. "show_home_button": "9DDE23BD288B95F7CE675BBD01A9E2B63A7624B8C3CDB431097FDF3F63AB4E51".. },.. "default_search_provider_data": {.. "template_url_data": "705F2D2FDD2FF483A1A9E675DFD71CCB223E81A2CEBF5D20C031A68B0020CF77".. },.. "google": {.. "services": {.. "account_id": "07620F46EF9994C94D86883494C13E89DC6509B3D4E8978B2E18F6776C85CDBF",.. "last_account_id": "8452449E1468A5CF585BF23BDC52A3CA1BED67E36262AAE4BAC3583936F8B7AB",.. "last_username": "C202CF3B01A560B8B7D71D3B0076B61126EF72F4B11D79B3EA6E3661DB757E93".. }.. },.. "homepage": "B2A199504AEACAAD5C3A7BB4A96D9C3A9536D7A29672EB4DA3B9552B8D39C49C",.. "homepage_is_newtabpage": "306C67E79E036278678ED45B3C668C4421665A206FC4B97F053015981C8BAAE2",.. "media": {.. "cdm": {.. "origin_data": "0D2AD0D302B3BF94B192

Process:	C:\Program Files\Google\Chrome\Application\chrome.exe
File Type:	ASCII text, with very long lines (16559), with no line terminators
Category:	downloaded
Size (bytes):	16559
Entropy (8bit):	5.397548067189193
Encrypted:	false
SSDEEP:	384:eXLphOyGcMKe2fChYew4hgl+v8nvR7y7AyWyxw4On3JzDJ+aJqZtb/Xai0k:IphOW4hxKk8nvRe7AyRY3JzDJ+aJq3a2
MD5:	0BC52801D2514D1C964C45BBFC63DE1D
SHA1:	1695F86A4FDF23A0F8723638122840A93ABFE904
SHA-256:	D26C75EF26CAE369C12AD6807E7BFECA244EEAF04ADF473963851EC4DEE8935E
SHA-512:	82FA3745651A834E821F234D660389492C1FA123BFB4AAEFA3AF9EAC740F6987B0FCC8D175082675AB67FD4909FBAD8F358FEC1A717A62721879B265190989D6
Malicious:	false
URL:	https://dgss0.bdstatic.com/5eR1dDebRNRTm2_p8IuM_a/res/js/t_https.js?_482493
Preview:	var ALog=ALog\|\|{};void function(e){function t(e){V[e]=+new Date}function n(){T\|\|(T={},"AdivBliCaDulEdlFddGspanHtableIbodyJtrKsectionLtdMolNpOarticlePdtQformRimgSh3TinputUasideViWbXthYemZfont".replace(/([A-Z])([a-z]+)/g,function(e,t,n){T[T[t]=n]=t}))}function o(e,t,n,r){if(!e\|\|1!=e.nodeType)return"";var i=/^[^u]/.test(typeof e.getAttribute)&&e.getAttribute(t)\|\|"";return"#"==i?i="[id]":"."==i&&(i="[class]"),i.replace(/\[([\w-_]+)\]/,function(t,n){i=e.getAttribute(n)}),r&&(r.target=e),i\|\|n&&o(e.parentNode,t,1,r)\|\|""}function r(e,t,i){if(i&&n(),t=t\|\|S.body,!e\|\|e==t\|\|/^body$/i.test(e.tagName))return"";if(1!=e.nodeType\|\|/html/i.test(e.tagName))return e.tagName\|\|"";for(var a=o(e,L),c=1,s=e.previousSibling,u=e.nodeName.toLowerCase();s;)c+=s.nodeName==e.nodeName,s=s.previousSibling;return a=(i&&T[u]\|\|u)+(2>c?"":c)+(a&&"("+a+")"),e.parentNode==t?a:r(e.parentNode,t,i)+(/^[A-Z]/.test(a)?"":"-")+a}function i(e,t){if(t=t\|\|S,!e\|\|e==t)return"";var n=o(e,"monkey",0);return e.parentNode==t\|\|null==e.pare

Process:	C:\Windows\SysWOW64\netsh.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	7
Entropy (8bit):	2.2359263506290326
Encrypted:	false
SSDEEP:	3:t:t
MD5:	F1CA165C0DA831C9A17D08C4DECBD114
SHA1:	D750F8260312A40968458169B496C40DACC751CA
SHA-256:	ACCF036232D2570796BF0ABF71FFE342DC35E2F07B12041FE739D44A06F36AF8
SHA-512:	052FF09612F382505B049EF15D9FB83E46430B5EE4EEFB0F865CD1A3A50FDFA6FFF573E0EF940F26E955270502D5774187CD88B90CD53792AC1F6DFA37E4B646
Malicious:	false
Preview:	Ok.....

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	7.979104758348101
TrID:	Win32 Executable (generic) a (10002005/4) 99.96% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02% Autodesk FLIC Image File (extensions: flc, fli, cel) (7/3) 0.00%
File name:	chromsetup.exe
File size:	4'105'640 bytes
MD5:	41da209c453b8562a89db09f041b4ad9
SHA1:	8cd14bcbc349f5d2aa92834800939f0df09687af
SHA256:	4289b29d107b1ab367ab5ce45e9c457c5f33c9b2fba3f25305bc654855f4fca8
SHA512:	240be8cea379d1d87d34286964bc0c4e09866f7327112a10f7d3521cc504de5a87a788d60390b5dffac580fe3409c6196d614eb28a28471b5d208026c9c20760
SSDEEP:	98304:I8UH54VJXf5EyRWy+KdCCY9c6SpFbLCBoL/HlRb4:Izujhhr1dCf9cjmoL/Hnb4
TLSH:	8A162324B5EF6919F078F6B91FDAD6BFE71CF4E9614B4A3B2280424B8B51B413E42431
File Content Preview:	MZ......................@...................................8...........!..L.!This program cannot be run in DOS mode....$.........o..............b.......b.......b......U^......................f.......f.......f...J.......*...........~.......a.......~......

Entrypoint:	0xb7e001
Entrypoint Section:	.aspack
Digitally signed:	true
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, 32BIT_MACHINE
DLL Characteristics:	DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE
Time Stamp:	0x653B2E9C [Fri Oct 27 03:29:32 2023 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	5
OS Version Minor:	1
File Version Major:	5
File Version Minor:	1
Subsystem Version Major:	5
Subsystem Version Minor:	1
Import Hash:	08c13b38fc3caa49bf2d33f4d7664f01

Signature Valid:	true
Signature Issuer:	CN=Sectigo Public Code Signing CA EV R36, O=Sectigo Limited, C=GB
Signature Validation Error:	The operation completed successfully
Error Number:	0
Not Before, Not After	24/07/2023 01:00:00 24/07/2024 00:59:59
Subject Chain	CN=\u56fa\u9547\u53bf\u6781\u901f\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8, O=\u56fa\u9547\u53bf\u6781\u901f\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8, S=\u5b89\u5fbd\u7701, C=CN, OID.2.5.4.15=Private Organization, OID.1.3.6.1.4.1.311.60.2.1.3=CN, SERIALNUMBER=91340323MA2NKMTJ0B
Version:	3
Thumbprint MD5:	AC74509AB5843C9866A1F3E005F5343B
Thumbprint SHA-1:	4FF95A79DB18D62B60E9C059E254C16B5C191313
Thumbprint SHA-256:	8AA9D80C0316627B358D8328CA56B647C4A5DBB22419D9B61B50B54EFFB2ACF9
Serial:	00FF1336372D9037964B17C5B7F43D842B

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x77f014	0x4d0	.aspack
IMAGE_DIRECTORY_ENTRY_RESOURCE	0x466000	0x2e3728	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x3e7400	0x31a8	.rdata
IMAGE_DIRECTORY_ENTRY_BASERELOC	0x785040	0x10	.aspack
IMAGE_DIRECTORY_ENTRY_DEBUG	0x4044e0	0x38	.rdata
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0x77efa4	0x18	.aspack
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x100000

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x323000	0x140000	09eaaf22756b1fa5543805a94cd16f3e	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0x324000	0x108000	0x62200	454c6e15f30bb1eadfc6af5862fcbd1d	False	0.9989923367834395	data	7.99931592692112	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.data	0x42c000	0x1c000	0x5a00	80c4f7985acc4155339dcc4c10c3d9cd	False	0.9931857638888889	data	7.976746636323057	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.gfids	0x448000	0x1c000	0x6400	8761c200eba49d9ad9ae866e396a7906	False	0.9952734375	data	7.987298672159335	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.giats	0x464000	0x1000	0x200	7bfd3da0db2ba24f0ab307a26fcaefb1	False	0.05078125	data	0.15517757530476972	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0x465000	0x1000	0x200	1f354d76203061bfdd5a53dae48d5435	False	0.033203125	data	0.020393135236084953	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rsrc	0x466000	0x2e4000	0x21b800	ae060dde9ce412eb3ed43f21d5b6a0f8	unknown	unknown	unknown	unknown	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.reloc	0x74a000	0x34000	0x16200	cb9668b5fbb3e9f57d16c6e7bf016674	False	0.9997793079096046	data	7.994207016757099	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.aspack	0x77e000	0x8000	0x7200	c05ecafc79ec0fe7bff657f27dab1985	False	0.3241159539473684	data	5.187398513681889	IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.adata	0x786000	0x1000	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE

DLL	Import
kernel32.dll	GetProcAddress, GetModuleHandleA, LoadLibraryA
ws2_32.dll	send
user32.dll	SetRectEmpty
gdi32.dll	SetTextAlign
msimg32.dll	TransparentBlt
winspool.drv	ClosePrinter
advapi32.dll	RegOpenKeyExW
shell32.dll	SHGetDesktopFolder
comctl32.dll	InitCommonControlsEx
shlwapi.dll	PathStripToRootW
uxtheme.dll	CloseThemeData
ole32.dll	CoInitialize
oleaut32.dll	VariantChangeType
oledlg.dll	OleUIBusyW
urlmon.dll	CoInternetSetFeatureEnabled
gdiplus.dll	GdipGetImagePixelFormat
version.dll	GetFileVersionInfoW
oleacc.dll	LresultFromObject
wininet.dll	InternetGetLastResponseInfoW
imm32.dll	ImmGetContext
winmm.dll	PlaySoundW
crypt32.dll	CertOpenStore

Target ID:	0
Start time:	16:08:58
Start date:	15/01/2025
Path:	C:\Users\user\Desktop\chromsetup.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\chromsetup.exe"
Imagebase:	0x140000
File size:	4'105'640 bytes
MD5 hash:	41DA209C453B8562A89DB09F041B4AD9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Target ID:	1
Start time:	16:09:01
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C netsh advfirewall firewall delete rule name = "???????????"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Target ID:	13
Start time:	16:09:02
Start date:	15/01/2025
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /C netsh advfirewall firewall add rule name = "???????????" dir=in program = "C:\Users\user\AppData\Local\Temp\d59O7n5J16\download\MiniThunderPlatform.exe" action=allow
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	27
Start time:	16:09:30
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe
Wow64 process (32bit):	false
Commandline:	C:\Users\user\AppData\Local\Temp\d59O7n5J16\???????????2025-01-15.exe
Imagebase:	0x7ff736270000
File size:	93'122'600 bytes
MD5 hash:	F2009C81F52C13C3876CB72339F9D225
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Target ID:	28
Start time:	16:09:34
Start date:	15/01/2025
Path:	C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe
Wow64 process (32bit):	false
Commandline:	"C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\setup.exe" --install-archive="C:\Users\user\AppData\Local\Temp\d59O7n5J16\CR_FCD6E.tmp\CHROME.PACKED.7Z"
Imagebase:	0x7ff6d8300000
File size:	4'956'952 bytes
MD5 hash:	B42B8AC29EE0A9C3401AC4E7E186282D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Antivirus matches:	Detection: 0%, ReversingLabs
Has exited:	true

Target ID:	30
Start time:	16:09:35
Start date:	15/01/2025
Path:	C:\Program Files\Google\Chrome\Application\chrome.exe
Wow64 process (32bit):	false
Commandline:	"C:\Program Files\Google\Chrome\Application\chrome.exe" --force-first-run
Imagebase:	0x7ff76e190000
File size:	3'242'272 bytes
MD5 hash:	45DE480806D1B5D462A7DDE4DCEFC4E4
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	false

Execution Coverage:	11.8%
Dynamic/Decrypted Code Coverage:	0%
Signature Coverage:	5.5%
Total number of Nodes:	255
Total number of Limit Nodes:	8

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report chromsetup.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Cryptography

Privilege Escalation

Compliance

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

Private

General Information

Warnings

Simulations

Behavior and APIs

LLM Input / Output

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Thunder Network\DownloadLib\pub_store.dat

C:\Users\Public\Thunder Network\Mini_downloadlib\ODAwMDAyMTE=\KO3U

C:\Users\Public\Thunder Network\Mini_downloadlib\ODAwMDAyMTE=\Version_3_2_1_40\Profiles\asyn_frame.dat

C:\Users\Public\Thunder Network\Mini_downloadlib\ODAwMDAyMTE=\Version_3_2_1_40\Profiles\download.cfg

C:\Users\Public\Thunder Network\Mini_downloadlib\ODAwMDAyMTE=\Version_3_2_1_40\Profiles\error.dat

C:\Users\Public\Thunder Network\Mini_downloadlib\ODAwMDAyMTE=\Version_3_2_1_40\Profiles\stat.dat

C:\Users\Public\Thunder Network\cid_store.dat

C:\Users\user\AppData\Local\Google\Chrome\User Data\Crashpad\settings.dat

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Preferences

C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

C:\Users\user\AppData\Local\Google\MyExt\defTool\feljldlekefblcgojebjjkoojnhoaonp\css\newtab.css

C:\Users\user\AppData\Local\Google\MyExt\defTool\feljldlekefblcgojebjjkoojnhoaonp\images\128.png

C:\Users\user\AppData\Local\Google\MyExt\defTool\feljldlekefblcgojebjjkoojnhoaonp\images\16.png

C:\Users\user\AppData\Local\Google\MyExt\defTool\feljldlekefblcgojebjjkoojnhoaonp\images\48.png

C:\Users\user\AppData\Local\Google\MyExt\defTool\feljldlekefblcgojebjjkoojnhoaonp\images\loading.gif

C:\Users\user\AppData\Local\Google\MyExt\defTool\feljldlekefblcgojebjjkoojnhoaonp\manifest.json

C:\Users\user\AppData\Local\Google\MyExt\defTool\feljldlekefblcgojebjjkoojnhoaonp\newtab.html

Windows Analysis Report
chromsetup.exe

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject malicious code into process via Extra Window Memory (EWM) in order to evade process-based defenses as well as possibly elevate privileges. EWM injection is a method of executing arbitrary code in the address space of a separate live process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	Process: OS API Execution
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may perform software packing or virtual machine software protection to conceal their code. Software packing is a method of compressing or encrypting an executable. Packing an executable changes the file signature in an attempt to avoid signature-based detection. Most decompression techniques decompress the executable code in memory. Virtual machine software protection translates an executable's original code into a special format that only a special virtual machine can run. A virtual machine is then called to run this code.
Tactics:	Defense Evasion
Data Sources:	File: File Metadata
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may gather the system time and/or time zone from a local or remote system. The system time is set and stored by the Windows Time Service within a domain to maintain time synchronization between systems and services in an enterprise network.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may interact with the Windows Registry to gather information about the system, configuration, and installed software.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Windows
Url:	Open detailed description by Mitre