rhadamanthys | 940d0e9a9879f1454432a8a11a4f34d2f632b0229067a7a5d3371d315af0d752

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
31/01/2025, 20:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New V1.0.1.exe
Size

1.2MB
MD5

ad290b652fa45465b8b87fe80de65a30
SHA1

169f51bef8092c6ca211e97de741c61cd5961345
SHA256

940d0e9a9879f1454432a8a11a4f34d2f632b0229067a7a5d3371d315af0d752
SHA512

4b1d5791c2d5cff1ee7c974a1e2a74500c2c2ad611533c440610f4b65fc7309d1a848f17a67f5d414bdf3eca23fbcd96ca2ec4e79a6608206ba26682164041c8
SSDEEP

24576:4dvoA4syS9NDce76ZSFivPtCm//rJwOiHxWPOzTEDRcc+UH7h3HsXMncRv:Wz79NDr6kivVCGJwPRWP2EKc+UbdM3d

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 4 IoCs

resource	yara_rule
behavioral2/memory/3160-730-0x00000000046E0000-0x0000000004761000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3160-732-0x00000000046E0000-0x0000000004761000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3160-733-0x00000000046E0000-0x0000000004761000-memory.dmp	Rhadamanthys_v8
behavioral2/memory/3160-734-0x00000000046E0000-0x0000000004761000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 3160 created 2636	3160	Mls.com	44
PID 2244 created 2636	2244	Mls.com	44

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	New V1.0.1.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000\Control Panel\International\Geo\Nation	New V1.0.1.exe

Executes dropped EXE 2 IoCs

pid	Process
3160	Mls.com
2244	Mls.com

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
133	pastebin.com
134	pastebin.com
135	pastebin.com

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
184	tasklist.exe
4948	tasklist.exe
920	tasklist.exe
1612	tasklist.exe

Probable phishing domain 1 TTPs 1 IoCs

Phishing

T1566

description	flow	ioc	stream
HTTP URL	134	https://pastebin.com/cdn-cgi/challenge-platform/h/b/orchestrate/chl_page/v1?ray=90aca45cdbfa957e	5

Drops file in Windows directory 10 IoCs

description	ioc	Process
File opened for modification	C:\Windows\VarietyFired	New V1.0.1.exe
File opened for modification	C:\Windows\BombDisciplines	New V1.0.1.exe
File opened for modification	C:\Windows\ClaimsMeeting	New V1.0.1.exe
File opened for modification	C:\Windows\VarietyFired	New V1.0.1.exe
File opened for modification	C:\Windows\BombDisciplines	New V1.0.1.exe
File opened for modification	C:\Windows\DealtimeSubscriber	New V1.0.1.exe
File opened for modification	C:\Windows\MilitaryDepends	New V1.0.1.exe
File opened for modification	C:\Windows\DealtimeSubscriber	New V1.0.1.exe
File opened for modification	C:\Windows\ClaimsMeeting	New V1.0.1.exe
File opened for modification	C:\Windows\MilitaryDepends	New V1.0.1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3800	3160	WerFault.exe	112
2396	2244	WerFault.exe	157

System Location Discovery: System Language Discovery 1 TTPs 28 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New V1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mls.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mls.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New V1.0.1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133828308153946815"	chrome.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0 = 4e003100000000003f5a32a8100054656d7000003a0009000400efbe3d5a87493f5a32a82e00000073e1010000000100000000000000000000000000000046424000540065006d007000000014000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Downloads"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 19002f433a5c000000000000000000000000000000000000000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "2"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0\NodeSlot = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616193"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0\0\0	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0 = 78003100000000003d5a87491100557365727300640009000400efbe874f77483f5a05a82e000000c70500000000010000000000000000003a0000000000ba34910055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616193"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\ComDlg	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\0\0 = 50003100000000003d5a3d56100041646d696e003c0009000400efbe3d5a87493f5a05a82e00000054e101000000010000000000000000000000000000005b675800410064006d0069006e00000014000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1412605595-2147700071-3468511006-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
3160	Mls.com
3160	Mls.com
3160	Mls.com
3160	Mls.com
3160	Mls.com
3160	Mls.com
3160	Mls.com
3160	Mls.com
3160	Mls.com
3160	Mls.com
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
3500	svchost.exe
2244	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com
4016	svchost.exe
4016	svchost.exe
4016	svchost.exe
4016	svchost.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe
3812	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2876	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 49 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeDebugPrivilege	1612	tasklist.exe
Token: SeDebugPrivilege	184	tasklist.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe
Token: SeShutdownPrivilege	4452	chrome.exe
Token: SeCreatePagefilePrivilege	4452	chrome.exe

Suspicious use of FindShellTrayWindow 32 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
3160	Mls.com
3160	Mls.com
3160	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
4452	chrome.exe
3160	Mls.com
3160	Mls.com
3160	Mls.com
2244	Mls.com
2244	Mls.com
2244	Mls.com

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
2876	chrome.exe
4604	chrome.exe
4604	chrome.exe
4604	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3800 wrote to memory of 1820	3800	New V1.0.1.exe	87
PID 3800 wrote to memory of 1820	3800	New V1.0.1.exe	87
PID 3800 wrote to memory of 1820	3800	New V1.0.1.exe	87
PID 4452 wrote to memory of 4880	4452	chrome.exe	91
PID 4452 wrote to memory of 4880	4452	chrome.exe	91
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3560	4452	chrome.exe	92
PID 4452 wrote to memory of 3236	4452	chrome.exe	93
PID 4452 wrote to memory of 3236	4452	chrome.exe	93
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94
PID 4452 wrote to memory of 3028	4452	chrome.exe	94

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2636
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3500
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:4016

C:\Users\Admin\AppData\Local\Temp\New V1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\New V1.0.1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3800
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Loud Loud.cmd & Loud.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1820
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:1612
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3312
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:184
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4104
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 613100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4520
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nick
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4748
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Lines" Bar
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 613100\Mls.com + Centuries + Preferences + Calculator + Shore + Mothers + Zshops + Stories + Chi + Adobe + Assists 613100\Mls.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4048
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Terrace + ..\Icon + ..\Entertainment + ..\Champagne + ..\Technology + ..\Templates + ..\Cambodia + ..\Percentage V
    3⤵
    - System Location Discovery: System Language Discovery
    PID:544
- - C:\Users\Admin\AppData\Local\Temp\613100\Mls.com
    Mls.com V
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:3160
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3160 -s 908
      4⤵
      Program crash
      PID:3800
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffcc6c4cc40,0x7ffcc6c4cc4c,0x7ffcc6c4cc58
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1800,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  PID:3560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2068,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2124 /prefetch:3
  2⤵
  PID:3236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2204,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2072 /prefetch:8
  2⤵
  PID:3028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3132,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:2440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3268,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3380 /prefetch:1
  2⤵
  PID:4448
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3648,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4532 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4900,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4940,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4948 /prefetch:8
  2⤵
  PID:1572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=4800,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=4472,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4912 /prefetch:1
  2⤵
  PID:184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3504,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:3636
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5432,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3476,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5308 /prefetch:1
  2⤵
  PID:3736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=3148,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5344 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4492,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4816 /prefetch:1
  2⤵
  PID:908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5280,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3804 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=3316,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4968 /prefetch:1
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --field-trial-handle=5492,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --field-trial-handle=5568,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5548 /prefetch:1
  2⤵
  PID:1360
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4380,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3156 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
  PID:2876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5424,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5552 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:4604
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=5228,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3280 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --field-trial-handle=5220,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5552 /prefetch:1
  2⤵
  PID:920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --field-trial-handle=3448,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4368 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --field-trial-handle=5412,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --field-trial-handle=5332,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5900 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --field-trial-handle=4968,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:1108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --field-trial-handle=5908,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:3384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --field-trial-handle=5384,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --field-trial-handle=3300,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4716 /prefetch:1
  2⤵
  PID:4592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --field-trial-handle=5392,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=33 --field-trial-handle=4736,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3484 /prefetch:1
  2⤵
  PID:4488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --field-trial-handle=4768,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --field-trial-handle=6008,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6028 /prefetch:1
  2⤵
  PID:4440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --field-trial-handle=4500,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6220 /prefetch:1
  2⤵
  PID:2556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --field-trial-handle=3168,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:3392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --field-trial-handle=5408,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5944 /prefetch:1
  2⤵
  PID:4356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=39 --field-trial-handle=6648,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6676 /prefetch:1
  2⤵
  PID:968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=40 --field-trial-handle=6800,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6824 /prefetch:1
  2⤵
  PID:220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=41 --field-trial-handle=6972,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=6832 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=42 --field-trial-handle=7112,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7140 /prefetch:1
  2⤵
  PID:744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=43 --field-trial-handle=6948,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7272 /prefetch:1
  2⤵
  PID:4672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=44 --field-trial-handle=7256,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7448 /prefetch:1
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=45 --field-trial-handle=6976,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7572 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=46 --field-trial-handle=6980,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7728 /prefetch:1
  2⤵
  PID:5244
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=47 --field-trial-handle=7440,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7888 /prefetch:1
  2⤵
  PID:5304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=48 --field-trial-handle=7760,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8016 /prefetch:1
  2⤵
  PID:5316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=49 --field-trial-handle=8036,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8160 /prefetch:1
  2⤵
  PID:5528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=50 --field-trial-handle=8324,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=7464 /prefetch:1
  2⤵
  PID:5540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=51 --field-trial-handle=8456,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8464 /prefetch:1
  2⤵
  PID:5640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=52 --field-trial-handle=7768,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8488 /prefetch:1
  2⤵
  PID:5648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=53 --field-trial-handle=8444,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8516 /prefetch:1
  2⤵
  PID:5748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=54 --field-trial-handle=8760,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8212 /prefetch:1
  2⤵
  PID:5804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=55 --field-trial-handle=8884,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=9020 /prefetch:1
  2⤵
  PID:5812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=56 --field-trial-handle=7480,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8864 /prefetch:1
  2⤵
  PID:5664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=57 --field-trial-handle=7544,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8700 /prefetch:1
  2⤵
  PID:5592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=58 --field-trial-handle=8344,i,617386298549430940,3683903601604438911,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=8476 /prefetch:1
  2⤵
  PID:5756

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3740

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1472

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 3160 -ip 3160
1⤵
PID:4328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2556

C:\Users\Admin\AppData\Local\Temp\New V1.0.1.exe
"C:\Users\Admin\AppData\Local\Temp\New V1.0.1.exe"
1⤵
- Checks computer location settings
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3316
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy Loud Loud.cmd & Loud.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3664
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:4948
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2948
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:920
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4360
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 613100
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1676
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Nick
    3⤵
    - System Location Discovery: System Language Discovery
    PID:316
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "Lines" Bar
    3⤵
    - System Location Discovery: System Language Discovery
    PID:512
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 613100\Mls.com + Centuries + Preferences + Calculator + Shore + Mothers + Zshops + Stories + Chi + Adobe + Assists 613100\Mls.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1452
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Terrace + ..\Icon + ..\Entertainment + ..\Champagne + ..\Technology + ..\Templates + ..\Cambodia + ..\Percentage V
    3⤵
    - System Location Discovery: System Language Discovery
    PID:920
- - C:\Users\Admin\AppData\Local\Temp\613100\Mls.com
    Mls.com V
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:2244
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2244 -s 924
      4⤵
      Program crash
      PID:2396
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1788

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 2244 -ip 2244
1⤵
PID:4184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Phishing

T1566

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\567ec7d1-c208-4531-a126-909ccf793218.tmp

Filesize
9KB

MD5
f1202cdb6e032476ce661798d9cd4718

SHA1
c770a584dd888d5b63d1d29b8072f8ac8dbdc842

SHA256
dc32abb07b428285b2029a8f0b6a79feb1a339a45bef542f8430e185352f5b49

SHA512
eb706f161d8dd6e97f296fb63da58be2a1c4251a0905b14b741b65e441b590e4cf9d42235666b74f5fbc310022deeaadd97715c6d9702801f0154c904b509341

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000001

Filesize
214KB

MD5
ba958dfa97ba4abe328dce19c50cd19c

SHA1
122405a9536dd824adcc446c3f0f3a971c94f1b1

SHA256
3124365e9e20791892ee21f47763d3df116763da0270796ca42fd63ecc23c607

SHA512
aad22e93babe3255a7e78d9a9e24c1cda167d449e5383bb740125445e7c7ddd8df53a0e53705f4262a49a307dc54ceb40c66bab61bec206fbe59918110af70bf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000002

Filesize
41KB

MD5
7978a9e6312aeef2fb75a5184b971312

SHA1
312d46ef07ed60cb3c48cd586a5189d4a7cb030d

SHA256
bbb5da7e7ba55a3059a77cdbad6147129d94d7ad45fd15f10ebea2bc4537f649

SHA512
e738bbf00a4218607c1d13aa06792bb3245fa7999a844cfdb251caeefe0c2df0be42b9bc2aa8497927161fcee6593d9e9f9d69cd02ca9b213350223c78ae5e85

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
648B

MD5
37f38899990b8910eadfe933be5e13a5

SHA1
fc47357e61ee2618c7ca8b0f01cf8dea593647be

SHA256
6d485be3013b9b654795dc67d346f2347de3a43cccd032f3d7368e4b318df6e5

SHA512
871aed3dec3bb3344fb199dcb4ce96df591bee95a50b8416b2139ecd520611c926f7a5d5a2c5058f52b580ca35248d2d3e8422d01495315843300a4583353a53

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
686576b93c697392ef9ac904968a959d

SHA1
dc350cd4ef38dbbc665d24d80c37dc573eb13b50

SHA256
903c766a033e06eb9192c165266e57a3968df324aaa80dd8f2649ea8deae918d

SHA512
b052c4fbf475281307466de8516588bf4802d64707eeb3709bb2ad53faec1990a1ec598b5ac7f267db80164b92d67d148e1a7ff295b7cd1499eb2c1ca0a29806

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
acd9ed6d9f5a2d8214d6428ce9b9265f

SHA1
3e9ffcd6acdf536e775f865193be3a8f71785762

SHA256
27d15076c24d85b92adc923b0a54a0b1ae0553a7921255734885c10242dc5955

SHA512
bc45e64e36b55f83621e4acafef00db38f601a76cf2c74a9a58bbb3755b967b7473ae7a6070fa7bab0117032401fd1c2b5828bc426577648c6ad2280922c3fe1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
4KB

MD5
181c6d2e625792b2a0180a0a38c09a18

SHA1
54cc68c519736056495547b314bda9acfd829047

SHA256
fb32a015c15debe86744cb56e6d37e81fc12e3ed40d7fbbeab5362d17f272abf

SHA512
3a99d9b1cc3cc93abc4b562c3dbc1a33de25065853a06c13be1007ef2bc503e8f274ba2106cb3c5e39ecb5e42ea2319f35baed9b29acb727e33e952543e1f1eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
ed8044523d7f279db4a1622b8ce8b783

SHA1
1249fe266b38839123c47eb3b6da1eae0735e28d

SHA256
76dd4dfcde1e49ce24ad170c316ea6b6dedd998323bc79a50582b8892ca7f42b

SHA512
159db2b96e9e6a1eba84a6b964238e2929a1251265c0009f05dfa8cd2e6455dfcb8067e27f79662ff4046db3a24082d74eb9c19287c90fb02d8f81ec01f4a383

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
4467c167606881170ff47d590f68d66f

SHA1
1b5cd0e870d3db7689fa105989cf2a4f9abe4972

SHA256
d2ebfa0864ef2ee4bcb3ca485ded5b8785bbfc44b95c9a75910675b95ed22ff2

SHA512
310b428419ed7549d335d603847b041bd40ac5e2c54c449854bc50421cde102de9b7f0826d53d4677f0720ee7f6e50bff0449f95af936d19cddc513277193553

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
b801c8e6508c108f207e56c4987918d2

SHA1
1652d37bace247619271926c9cc55890f0b9487a

SHA256
29069bfc69361c5ddc4f36d396e97f93e22e49e678b17a3434ab86d2a7f196d1

SHA512
0432fe01450ce52a4fb306f7b6202839c2c8bac33ef90a48faffb416c6355c09f6662f381d7c7edd33f773bae6b02a46b9adb581ff9afa31f43ee6bb9b001fa6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
32dc5a5eb0ef7587fb3bb2f8deda94b3

SHA1
11b71db7b6e5abc8ab68afda9cbf3455edd22fd6

SHA256
6dbb40316aa1b7fe01cd38d8c82538f19711db13b305f911334d1fd51f080762

SHA512
5b30a7d579dc2d85883efd5899ebf7035cdf3f7e8e0f40407e0434e45b3a0d440f0f58bbe83549af07af3c57c63232b3f575215eef658cff5b85e80e1314405f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
0b86f8f925b61dade12b5a0499046c39

SHA1
edcb682de9116d4bd1b463ea5724f5cdc19785e1

SHA256
d776e8d4bc6906cc9d9f2b31aaf518cc1fba15fc832543a40d857c164a4d1e45

SHA512
6e6dab9ac8077fa3dd6e75274d1b95b430b4c1dc300039b02fbecd205cfe60d6934d640fd507fdf826084b24026a78d18b1d5671aaa49baf13f10dbd9a149ddd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\fce3c770-8fb9-4f29-baba-f9e0c56760a4.tmp

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
7842a3a54cd03fe9f6063fe5bd146f47

SHA1
f711f9cf14157f632049319838590eb690f805f1

SHA256
d0f64a72619bb0c5e2130029ff1cff168c7b18d5a30bc802858a40b1a8dc19ee

SHA512
919eb70d4096477b247c57f6c5ef3c34f9f5c47ffad9b9e5ac65bcfd6074ae856738e3008af1ab8216941155936ab96b4153fff3d2dfd9c6b2603650ea840b75

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7d8a1b230f78f2e724dbc5af439cc89e

SHA1
db900017e86472b7667d369024ebac119e0433e2

SHA256
e3f6c56dad0bcad893a10562fe848521587e0cc3497a1b37c4bf4f5150eb861c

SHA512
1d18215ecb971e38df533f017d6ab73f4b41a92d50723b67339b1fbdee22738792d8cc4f5b18de0ee42cb6eebb611453d7151a9b556afdd0fb324f9ed693a8b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
62857845bbf502560faf16f94d12498e

SHA1
d5b6d334d7143b42a80f3af28044141c77194ba5

SHA256
d2905cd9ac4fb41e338701e07e4c97d8d5810cfd7019da90964a8f6751360104

SHA512
aefb0a3e456d2ac2cae495d7fc0ebc8c524cb43e34e0d426e4b77b6d54abdd2004f979af32b780e6b867146852983f31a02f76daef5c23483bd395564ddc354e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72fcb4c033d0b50e7c98f6bd7267aa69

SHA1
dd3144fd171daa11f2584d3508a2d5d408966242

SHA256
2efc1c397983439d3b9fde5397ef6b46b656ee90f39fccc7498a054268d0f1a1

SHA512
4f5fa32de22c57b92545ecf14f6cade8631b9dd7b7f81975c39639840657f6a19cd553434473eb99bc6f01f13af7963e815bc0ae4c31ba420660a4c2ce39cdd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
a5bbe8c7659fa017bcd381403f7abca8

SHA1
ba8ad374e8704fd810a5c9993d3dec55adee89a4

SHA256
f9a9ecf4258516109c461a96a8e2eebffbbac816b6715b0156653a1db0a81c3c

SHA512
0c2d3622116617ef8da948452609daf6ab91791c0a618bff9c0ecb0c3319e9e649df7e7f8470745e6c57199f806b843da5980ae9ea0de3b85c5ba4cecd435fc0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5f311deb8a81c114902d6eef7c0e2068

SHA1
89402f71cc0e456898e6ee1cfdca0a9a28e52738

SHA256
62289392f8beca8cfa11c8bc25c131c8f8768d71f249c1f6993360fe26b9f096

SHA512
e4ae006c2b8168abca5f2fe6d717862ab020eef109f6750d534e7d610ff5daf200fa64064bad628b7d5a330a0905eec5555de0d440525a425062d77b9a51432c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
46149563aa39657b87bdc881eff82b41

SHA1
a77eb12f6a2d719c876a29e30ebe05f1fe6ff8c7

SHA256
a07ad53bd7c7057e91fd6d2593b3efdcb320100cfed5abe195621c1d6ad7b750

SHA512
2628d5491c7bf02d00e16d2e692bdb14ea939edb6041574f94220898735a8669dc951764b9fc9604a988610911781e941a78bfc806bbc52ace3147ce462c029a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8703ae81d306d0cda37db7db864d133e

SHA1
f14f4ce61ec9a87c5c8bfc686e6c15d90028f54f

SHA256
f51eab29adadf27a486f09fbbfb11aa89d402b4599c74efb3877f107f4393b21

SHA512
46d00487c87b799fb78a29aefd8ca803548c4f7c901639273a6c5cd182770adf1a6b7f9f2ed39d7c924bb8b46757bcc75feca61a6c20845919f7086da61f5b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
bfd4aed5c5709f5a55180cdeaf1e1973

SHA1
f59788ce9d786a7c367e6c42cca68daf51ab6ff5

SHA256
1709722e53d794840617765be7f6682ae671cad90364173257f53695d84da4d1

SHA512
23132a1d3419694ff2311850f9165a7aafa511a9f14d215489ef95d6d9602d0ed35b1dfc54594991a03fa40709289d1c91c3b0578f1e0444ff16a12326fd9ee7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\c421bbda-d5c3-4daf-b772-96f549dbde41.tmp

Filesize
9KB

MD5
9d1892638772816783e552982ca252bd

SHA1
3ef5896df1f2e53727e95cc0ee51d3a942fb31bb

SHA256
300768e00cb661d3ae548af3ecdb725165688251512826d06fcb89c7210331ed

SHA512
daa0acfd8c95f5269f6bac588199b9738bf170fcdd37987f2da39b1a2cf0b9cf9a85ecf538228ff01eac6493eb991e75e5937add64a5e9b47da8530a17a46af3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
bb500874dbf79f1c7bbf166be3edc105

SHA1
5cb9d684b59cacd891734da887f5e8fcf2febd92

SHA256
14b7da519073837ed68cb129c2f587e31b4522970747d25eb91a6b9cf7ddf3c4

SHA512
9bdd5e77248093d79e94f3755f6af062c10c135f031fa49086c7909b3a3cad1f36741d58b6d3a7b73a7b64eab522b326dad69abde52dc09df4599068e6229bd6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
a81f523664d4bfe0cd54e8d501e8be8c

SHA1
ab59f86e15c451b33577ced8a52ac92d83315591

SHA256
0436d2ff9997b962246298fb32b344da43194c9978fb4f19062320ce08d50e70

SHA512
fbab5be3f725cfd91df4ed90414d5c255e62bef0d9ffc3db766a829d2e53113b6be8e74d759d190494f35b147c62d71185dc101e7f5477647e5d8bc3065cefb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
640265b6c9efe3cc76882f9d53b2096d

SHA1
b6b71a824e9cbd422060be52713d6e8a8557aef4

SHA256
b9b0a6575ff6172781ed4a79a3ecf4a5f0633ee919a10e78d6f9adeb0dfc2219

SHA512
4010e75b0d086a9539ba6cd666cbe870a5ee6f7fe26a8574ec2ff673cfe7c54923c6ee07aef24a18d65e2dc04eb66be4d668ffd67a28486ea673b571be800292

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
243KB

MD5
68d936d95dcb446c4ab2c77b164d63df

SHA1
6e0c4cb3e8fc8916193d1f7310dd6670461d1db3

SHA256
cb18ac2e86a1e27124cbcc011458259096f7bbfc883321b386c5c20dd40a196e

SHA512
f5a4113beb6e977f5f40d3694f55265a01dab1381b9097e818ec3975edf07657a21a933691b04695c17150a81530e20c9d33e08cb6af5a5b2320261bfb574c5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\613100\Mls.com

Filesize
2B

MD5
ac6ad5d9b99757c3a878f2d275ace198

SHA1
439baa1b33514fb81632aaf44d16a9378c5664fc

SHA256
9b8db510ef42b8ed54a3712636fda55a4f8cfcd5493e20b74ab00cd4f3979f2d

SHA512
bfcdcb26b6f0c288838da7b0d338c2af63798a2ece9dcd6bc07b7cadf44477e3d5cfbba5b72446c61a1ecf74a0bccc62894ea87a40730cd1d4c2a3e15a7bb55b

Download Submit
C:\Users\Admin\AppData\Local\Temp\613100\Mls.com

Filesize
1KB

MD5
9f8fdb145ae982c734994c3cae048c35

SHA1
241e1ed46ec515e66342d93b307b615731caf691

SHA256
1e61c0f836ca2e6dd92b66a36242e9ce423a15ba2f8447a71436359b9c84cd08

SHA512
d361782d8c31ea609d0a3f8aa3803bd6598691c39472f60e033aaf961b06da19cc833956d59d4e8c43012ad6c6c83c461aecaf99d2d5dfbb2afb5ec2eb678477

Download Submit
C:\Users\Admin\AppData\Local\Temp\613100\Mls.com

Filesize
205KB

MD5
b8d02476b357d63aec356ef75dc736af

SHA1
bc890b19d18b6b2d2052bfef30588d635c7532d2

SHA256
43fdbc290861413aa24df5c6836769d10a6907bb046157ae84f49c2540da32b8

SHA512
ac5f8ad93faa790240b905db72b52d101ee891bc495623e0ce1cc16023baa7f674150932bed46b98bfd48b43ad4b7fffcda537efe7e969fa96e4bba23a5e7706

Download Submit
C:\Users\Admin\AppData\Local\Temp\613100\Mls.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\613100\V

Filesize
639KB

MD5
9d371d77852e550c52328d7a18279b7a

SHA1
988d310d86779afc9be7eeb797d0c9f1927f3b62

SHA256
d3dc4f7795675c6d5fda5671e8f1a3f483a5a915b3201a485b01d75257ac3b6c

SHA512
c10e1c98a63bc7447496daacd1aa1a97211aaac2ef2c9c8ac79cda2f12727a30c6d0b01a9e1903c451c5d9fa30dbf970ec0d57a89bcd9b77dad9339caa37eb17

Download Submit
C:\Users\Admin\AppData\Local\Temp\Adobe

Filesize
128KB

MD5
fc335e6571f89947a8f8b442ddd4acd5

SHA1
d79186a36a862e1546581febf6395c9cac488455

SHA256
c8b582427a22298b005de5243e4181b98308e6b78305c0c946ce1454d02416f5

SHA512
4c91153acdd78c0e3006009ea88c267af89f628d5d50601d04720a73a1ab5fe9547b8357829cae0d6a2db40e792c1b39c5b88053dd6a78a36609eec7fd8f3ec9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Assists

Filesize
61KB

MD5
3de0b4aaed991c2e88b4c79614182216

SHA1
f3f6b38731916274ae9c5b0e092233db0875f2bd

SHA256
cba49364ba44051c7007e8d9d12ed90ba9dd7f14ca86168cc888d0372f9b8d34

SHA512
8f0972e78e7f4b3483d35f16b931a4236df3c97359277673b640ecaf521619e981c13b7efe2e1a15ec275e53e83e119960925293602801ffb5fc11ad7883eddd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bar

Filesize
1KB

MD5
5dd63ac0385dd916653c1b30dacc526e

SHA1
2e55083dde1c73b8a25386dd1fb04efea8a2a6dc

SHA256
b6192346328d8568c597c47ffdae09ddf9832ce215ae8ac4c498a45c9d12bca9

SHA512
a88c7fee567b549d4ea7b62621cacffc48e2a9c83704905dc59794b1ce435e2e212b1e41939a035631ab7d54750db9f0f548469fb2f0aa8b876607691616ec5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Calculator

Filesize
85KB

MD5
5a2c706fb6185acf3861d83d33fdf040

SHA1
f304f59ea847836fcbca528c1ee5263050ebe02e

SHA256
f33adaa8ede19c3f668f3d3fa089f23cc937fe6afc828673b30ad98ca4ea7c27

SHA512
9d931472caa5e1b65911439e4a8cb0982bf5255b4078f3f2779d5b74233dce300916471d586d7d9d1e01c56994c38afa9f14779d91b5f47d25d17c73a3a2c24b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cambodia

Filesize
95KB

MD5
427caf33d6206bb7044615f161de0e11

SHA1
4bdbdc6736caa0effb6e28dc2b382946a049a9c2

SHA256
eaaaed3d7ff418c8fbefea64de28ed4c0d477ee9c3c13b48b008fa28845de0a8

SHA512
4048265176b4ed94b8ed9b527f63deaf5312d69df87418af3c5ee61ef1116141dd388a92098aafc217770339165361fb29806d159bae5c84753d56d675dab947

Download Submit
C:\Users\Admin\AppData\Local\Temp\Centuries

Filesize
96KB

MD5
7201eb21350a2d3875dee0c6a768da6f

SHA1
868cb8a2e4db03395fa658faae504b29dbaa8f66

SHA256
796ab5cdc74235ceb0c43f07f1f38657d626d214a9e448eeced31208ffae35b6

SHA512
095e17135e4d01cc9cbc3ed00e83175663a1ac155b9ba9df85f2d35973255ff1f2a10a2930317112f777952e5d1b7a4a8da45bc7c07484f325eedfa52cbedf8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Champagne

Filesize
68KB

MD5
d61ba6f1a97f431c1ef14ba7fd6cc531

SHA1
54edb5f6863b2815ae071128261bab143d093cb9

SHA256
c1766f6cd9b2dd960d8eede12bda72f875dff55f889a2329076000048e3eb101

SHA512
f3aeb354f0e9aba1f521c5b084453e4e1c7cc2f217e188e14c13b8db19b1e8df95fe90a772b22f64eea46fb9e91a7f839ebdf7cc6bedb3be92d92d1bcc48a291

Download Submit
C:\Users\Admin\AppData\Local\Temp\Chi

Filesize
88KB

MD5
be6517e2634f3a239d90a8ec63f7dd15

SHA1
8ed767d928a557155b4281bfa210e7490deca233

SHA256
f35cf1024cb25ace89f31b7f4baf7078b1b8bb550c956801c173aa4eecf57ac2

SHA512
70dae8f9f7b9bd75d1d3eda80370580ad40984de093a2f8a904764a1e2b93672d781b1ceed13cf3497bedf7601b6f5b3c3cd107f3df4b35029e0ee37907a392d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Entertainment

Filesize
75KB

MD5
2667edefedec13342246a9d8637f2085

SHA1
30a9c8150b7a5ec93bbb397981c72c04367540af

SHA256
aaf91cfca0dc83da45af33d38c08ac0c631d54066f301653a20f962d2c44baa2

SHA512
12f058aa79fdb9c7dbac6ac1794cd5ddca2498ec7ef06d8e2eb1c98bfb67b9fbcd4c3379d75bfcff83376e703a60dedc328a5059b5fda4cc9a7c201945c432df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Icon

Filesize
67KB

MD5
be09d1d79850ba274e63527e08b648be

SHA1
8d01f36721f300e979c53430ccf640a5a0bf7e35

SHA256
b9488a520f4c6dbcc6337471bdbced5d921f811d6e71977e7ad3e658c60395c3

SHA512
3d15ab537e40eb334ee1cd4218199f03e5cfe8de17c0eb4aae0726bf785e5d34bad6fa7d554d419afb41437dc073b4b99bd24426d02898f7232b708b343321cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loud

Filesize
27KB

MD5
8fc9f737d5e21933bb830cb6b057f6a7

SHA1
3a02e650aa682c2adc57fc326dd0238e5d0c07f4

SHA256
6a60c9db31bae2610c6150255033cb4d895125667f3da90c05550ece52715dbd

SHA512
0cec6ffdc1040b622f5a7368b727555c36af0576f9c46ef9e01be6a1ccc9b912610a254e862ce460f7e6131c8266cbb385bdc10b0a9e04afb509702ac161817a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mothers

Filesize
58KB

MD5
c07b072552a67dfd3826871ef28344fb

SHA1
2154529d23856a1a68368f2ce2b483886028e5dc

SHA256
5db744c64f10b16f33d13b938c3ffb2ca82714009ac8bda768fda7846eb4af89

SHA512
61eee8374050174851223194438997309ab0d01dd962b70d05fa2f1c24e10b7b4ab37f9066add66e8d5b12e81fc43678cdef7f0341781e5ea81705c5365b1dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nick

Filesize
476KB

MD5
8cb2c629d5c460c8e69f5cc9675c6148

SHA1
7ea62e1c1f3a18cfdf96d479edc260fd6a247f71

SHA256
f9d189483b81c8233e373492cc6e534f2234ddc44d0acfa7fc22d8d51ccb79f7

SHA512
809fde00b6f7de0c6424641134636cd7747c296e48c4d67678b5b5f786b86c7c43aab3d5d04170bc8388bdfdaf74ccde758c23abbd61d77efa5a96ead7b1a56b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Percentage

Filesize
78KB

MD5
d0fed44913db4101ff868dd025950f28

SHA1
730f60d28078e8cc6ff78e084dca474e1b8d113f

SHA256
100555830dba82a89aba17e592a19bd77dd722bfad90d34190dd4f3de2ac0c7c

SHA512
0c302b59de893a395c2ee7b2d486e94857f4c9025b13958324cf80336182b341c6d47c6c2d8040f082f318bace6befbcd75d40207aea9c5521c3cf3c8f2f4a9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Preferences

Filesize
108KB

MD5
68a36c38cdc539f986fa9332b3ebd329

SHA1
bae6dbee1481d097be5d43240975f11d2144b4ca

SHA256
ba7653935e701008fa66165426151432b5ed2dd75e1166c83dc4fe7f6571cf1b

SHA512
392b603b2189b79ccb890a4f988d076cc63cd631ca8ea7136509323c75a1bc02c9f8c843891f264ea3b78992117671c2f38e6f75c0f31b165c16bb8f5f20da50

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shore

Filesize
97KB

MD5
9a8fba9fb3bab328fe47878b25d5943b

SHA1
0aa416dc8f04b43b97d1689cac8daedee292a43e

SHA256
d2abb4bced74360827e099eb3ebbbfffdf56befffc73a00ca064c78cc6c30282

SHA512
8624f0fe9ccd2445b55fe6dbb423015371a8074795f46c8ea65eceb12d6df2f770c4ab0456644befb5efbf4fa8a05534324007d33be4f2ab063758c7ea75a990

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stories

Filesize
59KB

MD5
e22766db1829a8718dd103fd27cac40d

SHA1
54bedda027b2dece491c3793c0c2b02fe13169f3

SHA256
dee5de9f3dd28d1820b8578d2115ad9e50341cf32c5e2d21985cbe756258ce0d

SHA512
d9045e18e17c0845d253c1508e3abe4f895c7182f202b3a0dfc70b3aaf75a2eee04b5049d799f34cbec5e877f656baca72992ae62833151acff8d999d07d48e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Technology

Filesize
74KB

MD5
3372490f53753e3e23755ddbb7c53c8f

SHA1
8ea1c1520434d06631e56cd3f8978de11645b5eb

SHA256
1dae0b4b3bb526097b4a7f8ca650764068939fc96fa2092c917d7de53abf0ee5

SHA512
8b40d3a3bf1e4fa83fbf7d460f4b67ad71bac54bc5520adb3c3e2b1317b34508528a6ea13c946ac0c75f0894ce6237b0302fe3493576886dddf8868d7c199e82

Download Submit
C:\Users\Admin\AppData\Local\Temp\Templates

Filesize
97KB

MD5
11ffffff2c35c8642a0578cd119eccff

SHA1
dd6b3f2e5072cc88d68237afed0b3554990b693e

SHA256
9c92ed96c9f4dc780318abe215685a1cc8243b4b008cdfa5be7369cb02aea2d3

SHA512
c79f5492fe8529386a6d0560d59815b51722e4a3d44784e8727fb24e12ad297d9ed17da0b1a447fc2c146ce6d47cd6f8ae485bd5e7ad4cc7cc4149923c55d9d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Terrace

Filesize
85KB

MD5
2046da89dcdd3c4b3f9e4571449d18d7

SHA1
ea639fc7a6a5873c3c196c210562666b23455ccb

SHA256
4f037b2a9e8429a11e27f0c7ce05949c80b8d68bd29671352674734ef7def5b2

SHA512
2785bd2b7ee1730fb985e1fbc71d59acb2f64aa15e01a16726b55c1664453f1948c3effdf93a9267d995bd1e6e691ce128b0f7c187653e3f006b802d4a43a811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zshops

Filesize
143KB

MD5
725e82fd38c5a62f527e733aa29685a5

SHA1
994d67ae50269802b3814ad91c966f8ceec59402

SHA256
70826b22317c365ffbb2533f292215064e9da72a14e1d2bef03fc76209245fd8

SHA512
2c11c0642b5ae0d07f84a5fc109c145c7d054dee653be84cd3ae0a8824dc2387bdcd62357b4fe4c3858082b0d05059c29256fcce5531493ddecf7aa0450093a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Spelling\en-US\default.dic

Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
memory/2244-1613-0x00007FFCE5210000-0x00007FFCE5405000-memory.dmp

Filesize
2.0MB

Download
memory/2244-1615-0x0000000075690000-0x00000000758A5000-memory.dmp

Filesize
2.1MB

Download
memory/2244-1612-0x0000000004050000-0x0000000004450000-memory.dmp

Filesize
4.0MB

Download
memory/3160-734-0x00000000046E0000-0x0000000004761000-memory.dmp

Filesize
516KB

Download
memory/3160-735-0x0000000004770000-0x0000000004B70000-memory.dmp

Filesize
4.0MB

Download
memory/3160-729-0x00000000046E0000-0x0000000004761000-memory.dmp

Filesize
516KB

Download
memory/3160-730-0x00000000046E0000-0x0000000004761000-memory.dmp

Filesize
516KB

Download
memory/3160-732-0x00000000046E0000-0x0000000004761000-memory.dmp

Filesize
516KB

Download
memory/3160-728-0x00000000046E0000-0x0000000004761000-memory.dmp

Filesize
516KB

Download
memory/3160-733-0x00000000046E0000-0x0000000004761000-memory.dmp

Filesize
516KB

Download
memory/3160-739-0x0000000075690000-0x00000000758A5000-memory.dmp

Filesize
2.1MB

Download
memory/3160-737-0x00007FFCE5210000-0x00007FFCE5405000-memory.dmp

Filesize
2.0MB

Download
memory/3160-736-0x0000000004770000-0x0000000004B70000-memory.dmp

Filesize
4.0MB

Download
memory/3500-745-0x0000000075690000-0x00000000758A5000-memory.dmp

Filesize
2.1MB

Download
memory/3500-742-0x0000000001240000-0x0000000001640000-memory.dmp

Filesize
4.0MB

Download
memory/3500-740-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/3500-743-0x00007FFCE5210000-0x00007FFCE5405000-memory.dmp

Filesize
2.0MB

Download
memory/4016-1616-0x00000000003C0000-0x00000000003CA000-memory.dmp

Filesize
40KB

Download
memory/4016-1619-0x00007FFCE5210000-0x00007FFCE5405000-memory.dmp

Filesize
2.0MB

Download
memory/4016-1621-0x0000000075690000-0x00000000758A5000-memory.dmp

Filesize
2.1MB

Download
memory/4016-1618-0x0000000000B50000-0x0000000000F50000-memory.dmp

Filesize
4.0MB

Download