rhadamanthys | hxxps://darknessonyx[.]com/ryos

Analysis

max time kernel
145s
max time network
141s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
06/02/2025, 20:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://darknessonyx.com/ryos

Score

10^/10

rhadamanthys discovery stealer

Malware Config

Signatures

Detects Rhadamanthys payload 4 IoCs

resource	yara_rule
behavioral1/memory/5008-502-0x0000000000410000-0x0000000000491000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/5008-506-0x0000000000410000-0x0000000000491000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/5008-505-0x0000000000410000-0x0000000000491000-memory.dmp	Rhadamanthys_v8
behavioral1/memory/5008-504-0x0000000000410000-0x0000000000491000-memory.dmp	Rhadamanthys_v8

Rhadamanthys
Rhadamanthys is an info stealer written in C++ first seen in August 2022.
stealer rhadamanthys
Rhadamanthys family
rhadamanthys

Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

description	pid	Process	procid_target
PID 5008 created 2448	5008	Simulation.com	42
PID 4916 created 2448	4916	Simulation.com	42

Executes dropped EXE 2 IoCs

pid	Process
5008	Simulation.com
4916	Simulation.com

Enumerates processes with tasklist 1 TTPs 4 IoCs

discovery

Process Discovery

T1057

pid	Process
3696	tasklist.exe
4344	tasklist.exe
2140	tasklist.exe
4020	tasklist.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\YesHilton	BootstrapperExec.exe
File opened for modification	C:\Windows\YesHilton	BootstrapperExec.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Program crash 2 IoCs

pid	pid_target	Process	procid_target
3824	5008	WerFault.exe	154
3524	4916	WerFault.exe	169

System Location Discovery: System Language Discovery 1 TTPs 29 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Simulation.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	expand.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Simulation.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	extrac32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tasklist.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	findstr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133833482499045092"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2211717155-842865201-3404093980-1000\{1D914B49-664E-4059-BB60-34C03F213AD2}	chrome.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
1240	chrome.exe
1240	chrome.exe
5008	Simulation.com
5008	Simulation.com
5008	Simulation.com
5008	Simulation.com
5008	Simulation.com
5008	Simulation.com
4916	Simulation.com
4916	Simulation.com
4916	Simulation.com
4916	Simulation.com
4916	Simulation.com
4916	Simulation.com
4504	chrome.exe
4504	chrome.exe
5008	Simulation.com
5008	Simulation.com
5008	Simulation.com
5008	Simulation.com
396	svchost.exe
396	svchost.exe
396	svchost.exe
396	svchost.exe
4916	Simulation.com
4916	Simulation.com
4916	Simulation.com
4916	Simulation.com
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe
2732	svchost.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe
Token: SeShutdownPrivilege	1240	chrome.exe
Token: SeCreatePagefilePrivilege	1240	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe

Suspicious use of SendNotifyMessage 30 IoCs

pid	Process
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
1240	chrome.exe
5008	Simulation.com
5008	Simulation.com
5008	Simulation.com
4916	Simulation.com
4916	Simulation.com
4916	Simulation.com

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1240 wrote to memory of 376	1240	chrome.exe	84
PID 1240 wrote to memory of 376	1240	chrome.exe	84
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2008	1240	chrome.exe	86
PID 1240 wrote to memory of 2012	1240	chrome.exe	87
PID 1240 wrote to memory of 2012	1240	chrome.exe	87
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88
PID 1240 wrote to memory of 1252	1240	chrome.exe	88

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2448
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:396
- C:\Windows\SysWOW64\svchost.exe
  "C:\Windows\System32\svchost.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:2732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://darknessonyx.com/ryos
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff16bacc40,0x7fff16bacc4c,0x7fff16bacc58
  2⤵
  PID:376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1904,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1892 /prefetch:2
  2⤵
  PID:2008
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2164,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1728 /prefetch:3
  2⤵
  PID:2012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2240,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:1252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2808,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3116 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3080,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3948
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4468,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3592 /prefetch:1
  2⤵
  PID:2804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4640,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=4624 /prefetch:1
  2⤵
  PID:3400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3152,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3340 /prefetch:8
  2⤵
  PID:544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4244,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3336 /prefetch:8
  2⤵
  - Modifies registry class
  PID:3772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5052,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5064 /prefetch:8
  2⤵
  PID:2744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4900,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=1568 /prefetch:1
  2⤵
  PID:2688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5384,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=3164 /prefetch:1
  2⤵
  PID:3464
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3100,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5416 /prefetch:1
  2⤵
  PID:4436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1040,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=728 /prefetch:8
  2⤵
  PID:736
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4420,i,6942990485430759581,2145496110984533051,262144 --variations-seed-version=20250128-180236.310000 --mojo-platform-channel-handle=5640 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4504

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3380

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2932

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2112

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\R-e-s-o-u-r-c-e--x64\README.txt
1⤵
PID:2892

C:\Users\Admin\Downloads\R-e-s-o-u-r-c-e--x64\Resource\Resource\BootstrapperExec.exe
"C:\Users\Admin\Downloads\R-e-s-o-u-r-c-e--x64\Resource\Resource\BootstrapperExec.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:3300
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c expand Crimes.psd Crimes.psd.cmd & Crimes.psd.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2708
- - C:\Windows\SysWOW64\expand.exe
    expand Crimes.psd Crimes.psd.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:4344
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4496
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:2140
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1320
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 662815
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2820
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Prague.psd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:636
- - C:\Windows\SysWOW64\findstr.exe
    findstr /V "FUTURE" Stack
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 662815\Simulation.com + Rape + Near + Internship + Monte + Card + Supported + Honest + Evaluated + Backgrounds + Environmental 662815\Simulation.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4504
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Tractor.psd + ..\Diet.psd + ..\Purposes.psd + ..\Popular.psd + ..\Mercy.psd + ..\Norwegian.psd + ..\Structure.psd + ..\Disease.psd + ..\Evaluating.psd l
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3244
- - C:\Users\Admin\AppData\Local\Temp\662815\Simulation.com
    Simulation.com l
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:5008
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 5008 -s 912
      4⤵
      Program crash
      PID:3824
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1864

C:\Users\Admin\Downloads\R-e-s-o-u-r-c-e--x64\Resource\Resource\BootstrapperExec.exe
"C:\Users\Admin\Downloads\R-e-s-o-u-r-c-e--x64\Resource\Resource\BootstrapperExec.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:908
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c expand Crimes.psd Crimes.psd.cmd & Crimes.psd.cmd
  2⤵
  - System Location Discovery: System Language Discovery
  PID:1748
- - C:\Windows\SysWOW64\expand.exe
    expand Crimes.psd Crimes.psd.cmd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1460
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:4020
- - C:\Windows\SysWOW64\findstr.exe
    findstr /I "opssvc wrsa"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2660
- - C:\Windows\SysWOW64\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - System Location Discovery: System Language Discovery
    PID:3696
- - C:\Windows\SysWOW64\findstr.exe
    findstr "AvastUI AVGUI bdservicehost nsWscSvc ekrn SophosHealth"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c md 662815
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1736
- - C:\Windows\SysWOW64\extrac32.exe
    extrac32 /Y /E Prague.psd
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b 662815\Simulation.com + Rape + Near + Internship + Monte + Card + Supported + Honest + Evaluated + Backgrounds + Environmental 662815\Simulation.com
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c copy /b ..\Tractor.psd + ..\Diet.psd + ..\Purposes.psd + ..\Popular.psd + ..\Mercy.psd + ..\Norwegian.psd + ..\Structure.psd + ..\Disease.psd + ..\Evaluating.psd l
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1372
- - C:\Users\Admin\AppData\Local\Temp\662815\Simulation.com
    Simulation.com l
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SendNotifyMessage
    PID:4916
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4916 -s 896
      4⤵
      Program crash
      PID:3524
- - C:\Windows\SysWOW64\choice.exe
    choice /d y /t 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3688

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 5008 -ip 5008
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 416 -p 4916 -ip 4916
1⤵
PID:1376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\0a694ca7-c958-4a10-ad6f-632390b9aa4a.tmp

Filesize
122KB

MD5
0e91a16e903b138aace083a85049809c

SHA1
2079649fdcfb2d02d8a18c1ae50f48d644a69a2c

SHA256
97c2bc0ee13a4dfc8ae065e519310176a04980a0d9abe8d2985bcbb763a6c04f

SHA512
bf9fb38e19d74e5df5fa87a513beb17a7a71a9879209f35901356330fdbdbce6800f12a6d43baa6549038e72cdcdf21b57c03f929281d8bdd5472bcb8d41f9aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
70dd5746e635d95ca50054572bb8c16f

SHA1
b90dfa955d8f7196faafa63ba089dce8ee66a0bd

SHA256
c451347046c0647c6a923bc1b596fc96fa670020a34e42dffeecb621738c48bc

SHA512
5101de34508f0da963c8217c7e5e9c37cf14689c3cbf5d7ed81a974c438aa54723629ed903a87603de82859bb8c0e451896632aa96bc8b2c68dfefb7d5cf8390

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
504B

MD5
9ffd5ed149d4551c146531c52ba6b4d3

SHA1
3637d59dbd31c82b2636210e95ca065877ac43fd

SHA256
23ebe98755813dd64071218fc55b50f600ba7d248fb044bbc61bd377aa386336

SHA512
5ada7c4d882900da078f12bc20e0920a1994c3e22868b90f6a7153718515a79e148d4695e2c8735eaa8132de3b9714283c1a4f4709e80fb8adc616e380d8121b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
8KB

MD5
868b894a2e065ad90987fb8b981d328d

SHA1
3193d1a589016de4a6d0664f5437ba8546fd74d7

SHA256
c99c4dc27df94a3902f71c3aa2dc44fd5cb0744ea8b61f2ed1f8baf3290469f2

SHA512
e0037ec79325d8d7effe1fcb2aa334157096c9b2080c9ba700788989a8fce58fea5d99f44511fa1cad617c3ca5694129175c1cb51701f19e69a323401b92c010

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
3b51a18bb8afa94811d0a5ec4cb36113

SHA1
34d38282350c748640f1d3701624a727ee0ff201

SHA256
61f9fafa23a8cc7632e365e086e53b7776d9b2b90afd1efcf39558890e702757

SHA512
b0cf2c911f1c70e61bc19f124983f19e84ca97349de3d69bb993e9c2c39b1ca5d9559bb6c4600ac7e88e448d46179024585571c6cbc8c5e7915d3b39faa04363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
0793ffcbc518ad25b2a526f04b303615

SHA1
393dd4d7d14ac9698f99b8e443a972d0d4756e5c

SHA256
69706538acdbded1ff598c4b7bb42ea49f5202bd4c34ab6697532b102a99521c

SHA512
029aeb49829faaa01c55dde942074295f885517c719530dfe8e6b99b536eaa2015426c405ac1fe52dc86f91671eb736ef42da6bb76b767198e1a4db4d1cd7793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c784c7ef37c8b216d150ba23c48f8fda

SHA1
7d6d60fc640c8af34d0a1d782868342ff1383024

SHA256
19d0846978fed9610cdd24ed30bd45d850b12c484d920f9f3aa1d5adb82dc24d

SHA512
760f7ace3d4e0a4bf17f06d9ef61a9b6d166f33a07fd4bdc22cc7e583b48241849631f7cba257aba8e74ea90092fa64cf65c40720d684aa24df3c1e609b909c8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e51fddec52bfe393da5e4b5eff3de3d5

SHA1
0e61dba22391df4b30af41f528b6169342447fdb

SHA256
b365cf6914cac33cf383c08b1f7275e6a6d71411024e605e466938214e41f76f

SHA512
bb7df7e449d76e7b6d3c5eeb0221c2baddf2d5d7a274b944f7ea456158d21785a9349738fa9af46e6e48bcc7351a2937751dbbc59e9d7e9033d83f884054bca1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a88ce36c8c7654227cd6bc913a49a0c6

SHA1
44c9a0a44f04c03ace544c9333de569a9ee0542a

SHA256
78886354ee0bfc1a8bf7df8649d41e9694ceaa556a101eb807f6b2ea9b74cf5e

SHA512
fe96869b10551802882aa2a0f2c57393e8a202433bc93c06bbbf2577b53301c09e2eeb1d4ef56520d576e78551ab706d55f5b8ec5f41fe84fdc87219115df7b1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
37469c1cacd4edc966f3ec682e88731d

SHA1
1d459994134f4cec7008bdaf7887eb861155bbad

SHA256
542322e105d1562ee1a46dfbfe8a9af6d394524bee5fca60f435595e38d08df0

SHA512
0f242fb356931fd1619696d69b08fea65baf731ce4b1d19c171654eac590c77935d745ecd44357586491cf42c901db04cbabfedda4cedd5c804df1d75e97144c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
759865ca0d6065a5865291cfef15c0b5

SHA1
88d134c919d1a9259463f95f0b02cc9ee5f2b428

SHA256
5465749cc3a3cf44e6fb494a5b6226e9d289b685af5c59105cb82aabed59fa5a

SHA512
8c724871ea12b221743b5b969d65851a9ab1eb18c4146d92daf53fc2a5450895de21817405efeeb814bd426584d541eec3f790c95559a33a6c4dd61995fb1a38

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9e247bd0d2c0bffa9a7e831843d08189

SHA1
dec0f6ec0103a38c23e05a17b0aa237b3f50ffa4

SHA256
b7fea5df8228905e12f3fd7b380e409e2ec95ef2fcd26da021c2a271d7d5d383

SHA512
2efb19d0b2012b40c4b57595cd9b6b51517cd4e31e49a8475fbe73b6eef2fee17806e959a4f8367228ba4e14d0172b9a81807b4bd40877e87805fcee543313e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
fa0cdeea2996601b45dc027b606ed8bf

SHA1
e64fc4ad7c587dcefad285eccceba92e4126331c

SHA256
df460169ed02d0a4bca8320f6d16e3d3b99e64e77ac919cdbee003a528d2e275

SHA512
66624166659be5d2765ab417531fd63c4dadfe2f00da09fe35103c6b87724a80a270c64e1e40d6e1f59e9ff3bdff5c74f976f5ec2e0c8f3f87ed4e923d141135

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
837c3ee82652c68282053a6dd6ff0cca

SHA1
db693bb73cb51c8e58df4a488b621c29afed4080

SHA256
a5533d0530c99672916e6fed5bacae4a93f183cde98055981107142642e66cbd

SHA512
805f69743c1cee4741ce393d9d2f2de688a51ac51b5e7367267376a7fa23040d69caf97a633e5ff686f584a8e48ceb7d26e158e4d24954a79d50fbdcf92a7bf9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
90ce43214451c6305d21d3e64f15461c

SHA1
119c451f9baa2415d94dfbba772e6effda04c785

SHA256
3b2e1b03175d405dd48e8437e37a1ca47362ee03f846e2c91555aff09935e5b2

SHA512
020ca47a62626391db7bde8f55ccc566cb182a9dc1807abf28755d3917ff2bdb75b1f7fa6bb388eeadbc116e4ac919fb8824d6704ef042fc849f5926f382e283

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt

Filesize
80B

MD5
261f626d1504e276e676c20604af5f14

SHA1
f2e16de79e8295adc6588c414fd05af13239e31d

SHA256
36ef6bb9b5b42f3d5327b9634772bff7fdfc2091a6b70f5135ad23e1fa01560a

SHA512
294d12e1ec7bcedb33595dc087a0f2ff12a06a7898294904155fb03449e9f02364d72cbdecf8522a22eca45fbde4735e6cfce441e2e715fbac945e89589339a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\WebStorage\2\CacheStorage\index.txt~RFe57c0c0.TMP

Filesize
144B

MD5
82ecb6806ed49b802c72aa8f97564b05

SHA1
6861d9134fa824f6fd612b5534d03b06a630a6cf

SHA256
68b5399497acda27e3a6acd4dc5e2eac5ba66c804cf99fb2dd10e71daafe2a7c

SHA512
e9bdd14888d375b4afe8dfc6b4aed2c22dda50ceb2af209b170fa1a6ae001570aa96c2bd4df2c47536bdfba826ec252885911ea4d01643a665f8081f6ae67fd3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
6f3c5b557b849772f1963394e9a96f85

SHA1
1e2425857e94da16ed363073d6a4f9712b44782e

SHA256
4be6464eff896bd5f54df8e32adc70b1827d496991b8719e4b5a8950fdb9e1fe

SHA512
524348fd79f3ab7113f457952a5c81e9283e4da3276345129078ca709976b30d705905109c859f88b5e2308c330a4f792122a17fe9f8b8b5276803d3560355d7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
608ec4bfa69979610cc5fd39fa0dbe3a

SHA1
a7ebb15328edc28ad6adab9fbf24d1897648cb9e

SHA256
be7c84167f255647e709fb73b7732e0650802ff356bdc7e7a6782774a9a4e9e6

SHA512
dc5559e850fcc8cbb07095f1b0ca3cb4a816c77146113f6a2f7b82051e4bf4c6ce1875d5c0d1c658f91eabe60a92d182d6f63517555de804a363ad8bfd94210c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
122KB

MD5
6adfa2ca9a1fef4ad79faa7967ce26c8

SHA1
5083cc838c0501bddb6559b613b753891378206f

SHA256
dee85ade48921353145eaef685cf9ff362f60a477fe651926e27ee7df60be682

SHA512
210bb9453a1130260a49ce8651d4cb5a6c93cb3da654c666279d8933f161f9a2b8eff88ea6422b6e79d8371034a54c7ed40116741e161484a5dd8afa1da275e4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
47cbfa7137d41a2aed40dd9d2b759038

SHA1
9a228ab51e0cf7c49ab9dcc31fbc077c05d87d23

SHA256
fb09bf1e8c7d2f739fcc308a7c1d978567d92fc43e6c9eb71a7ab27197102d0a

SHA512
6d08e3af16b3603725cc59cbc9e4fc9fca39130bfe132b41ed52a0ab1e3162b2ba0167e9ec2772c1049e935f26031019d3f2cb2f0c9c327fff5947a11664b938

Download Submit
C:\Users\Admin\AppData\Local\Temp\662815\Simulation.com

Filesize
1KB

MD5
0be6063644e8486b729afd04b618fdfa

SHA1
d34f6fcdb7db9fd1cc4766136286940f4faf016f

SHA256
fad2a43a6967c9a6cea7f46b9a80e4def5ed2e6d9ee1019d901a5e79ceb1965d

SHA512
aa64781dbc79b6d64e4de365e88c0d4da5bf323cff47459884ad6f9488f055b1f63d8cd71c736e279a1d733a71862e9f5fd0cb56a3acaede4fac61c5431cd499

Download Submit
C:\Users\Admin\AppData\Local\Temp\662815\Simulation.com

Filesize
925KB

MD5
62d09f076e6e0240548c2f837536a46a

SHA1
26bdbc63af8abae9a8fb6ec0913a307ef6614cf2

SHA256
1300262a9d6bb6fcbefc0d299cce194435790e70b9c7b4a651e202e90a32fd49

SHA512
32de0d8bb57f3d3eb01d16950b07176866c7fb2e737d9811f61f7be6606a6a38a5fc5d4d2ae54a190636409b2a7943abca292d6cefaa89df1fc474a1312c695f

Download Submit
C:\Users\Admin\AppData\Local\Temp\662815\l

Filesize
634KB

MD5
6f433f2a323e40e19228ebe061eca074

SHA1
3945ece84a418ab3f3f1e36bfa392b1fa3be95af

SHA256
8a71a973752ec226a887db48f3c9a93a933e6312003cf3e50f16383b803fdcf6

SHA512
f4248745e96dcaeac9a0915840da9ae09902664a58158c7d9bd0d06ae5468b56c637a66b2ed326dffe626dd3f5b71f307a29d134b60dda90ec40a0e67932a3e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Backgrounds

Filesize
143KB

MD5
f52df14ba6b6d2e7dd841403e4c04dea

SHA1
a222b51ae20a51b023361b5e3ab3d4f69cf7f47a

SHA256
cd70ddf63c9ae41cccf02d810a573ea921297fc65ab0e0d4cf75309fb8797fc1

SHA512
78009e3bf28de7f1e19d4cf51a62029b66d790f0db15f3f821216976898f47eced7dc1e98a4741673348c868fdd5c1f4ee3f3413e7cd0f804bac5744f16125a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Card

Filesize
59KB

MD5
1e2b635a5fec4eb3d6cb9042e71e6a8b

SHA1
3f7a4b820da3d0b85d94489951779bfdd3a09f17

SHA256
70bdde084fc3f28aa50773528b31513d1e46465f9c547c22a09e6b0120c0349c

SHA512
b3e1a5040e86200e1e507ab6eb4dffca85e46065150b2b3c912c3fea24c45434c687645638520c9581f139cdf94c937d6e5876e6f16ebea6e23278cab6dda2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Diet.psd

Filesize
81KB

MD5
dd6f0e5b6671ecd195289000ab410840

SHA1
67a103fb9d333ca80090cd6d8246474e635282f2

SHA256
174fdd6d287a13137f35c584bca0f225b035228211b5dd0c7a679882d3fbc3bf

SHA512
6f1167bf417c5fd175d71d102476d687e42a14824dcbaf51539942ebbe45c5a7fc9009f548fee4200ad71116a9eb3d4a77104884e4dd05282e22553f12ffc37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Disease.psd

Filesize
83KB

MD5
6286ecbe1406d2f0221d3f640c2a0753

SHA1
89219ed4500ef0855c4f44d785ae3fa13a9e3f39

SHA256
afc8e79238d73206c30c794e14fcc99ba9069f3b180a27d80f4115f3cdcceaeb

SHA512
296b820ac0faecb650957b401eb1f2f70850e1e75cadb9419b60efbe006e4101857f437a80c0b41a3ac04e045593069793fcc4b7b49eb7106c50a96238bcf5ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Environmental

Filesize
52KB

MD5
53a5cdc5144b41da6991507af9fb4a4f

SHA1
04e013a005b257761b619f3b37dc23483bb53012

SHA256
aeb55a57d8ebb0ae1b78a5783134fcf533364207ab3d9235897482f0f922e011

SHA512
fcd48059dc44d18d336ee5239619ada00bee493e1b6d10f81f260b86f58d011187113d836c11e04593ff9e2f5c539a7782a6c40d7174422b25314bf36b0b7549

Download Submit
C:\Users\Admin\AppData\Local\Temp\Evaluated

Filesize
77KB

MD5
cb4f42e8b2766383779cabfe642e1e98

SHA1
24b8c6277818199a4bce494992a713f6727cf7e1

SHA256
b25c03a61503005b1615f288a3681e5923e7cc166171017c949a7da31ff56ead

SHA512
6e87541b1719feab1dd93a3bf8b7955f73bed7bec9910c1f704b434211f3e6a368f076f79471834f2176171c76a2c450669bb519dea1146f41bcaeab2950f6c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Evaluating.psd

Filesize
39KB

MD5
1c8d796e7d7d0bbde6a62fa139cc03d5

SHA1
fca8e98a72e566c93c2552afa68010796b6571f4

SHA256
5ca0ab077571ec820630703761c3c96d0a390439f533b436b09a844ee17321ca

SHA512
649e80192369a05f45299581267f9512e20ef7aed2d62294c08292762673346ca3921cb08fe411e512d89a2616f2cd6ae52686e0698ab07c75b973d6f617be7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Honest

Filesize
62KB

MD5
ff4a6068bf3bce4fa64aee4f83b7304e

SHA1
69cf1a75bda0687cd8dc4debe3cae4574e59a158

SHA256
ab044eb1c639904ce8de33e7e4dd3ba19b9689b5e5bc63f2224c3d0770558757

SHA512
b55b11049965baafea0f5fbf0c9267dd3520d8fe16103fd1f4f81dfc6982a51760c62753d502b4050a87e2fb55723d4e956eb728d8ac4a5a170e430838f5da04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Internship

Filesize
144KB

MD5
5665b82af743a39c1a1fcd5f4ac20f51

SHA1
a344cf03c0eda205adc85b1f7c9a968c1f717fce

SHA256
ca48d8bf8278a7137fcc5cc8f55c74591da225795e702273735901ad2273deae

SHA512
b1ce12921b2083dbc0e14049bcc5c98966d927dc008da5592fa18fea99babb27743fb9af97ee3251a4e49bfae1f0bfaf2de46abc6fde13c49545b0b51ea94eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mercy.psd

Filesize
59KB

MD5
e41aa1a5b6f6de2e59c45c891a641909

SHA1
4075e1c7e261e7f3cf838b1fc5d5bb5d1341ad84

SHA256
ea765b84016fc1422d4e2e85b7b812c31c8e9d4021ade9a426402ee9a0b06b7b

SHA512
fb77c3b8c794631bde962068e10224cf9c26c1fae26423182d807c91a4f064257bb7b77d035d8db0d371a72e12113033a771f7722837c06b9dd0f0269fcc624a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Monte

Filesize
91KB

MD5
89169e151d7f4bf76cda2843a5f29a2a

SHA1
0c12982c4a44716c3c4886ac01ac055c476f8aad

SHA256
b0ba856e25b3e914db8591db42a16aa81a6356915f22ac525fd76c172794c8ce

SHA512
b09b0b691680c7f8c6c47e176f0bd3dc5b55012f5afae63595fb3bcd9ffaf5bf7aa7d640a1d83c197cde208dc75efa0a00a74e480bdfea425de47ef87de9b0fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Near

Filesize
119KB

MD5
f5bd1414e60521aa017afd459a7218ed

SHA1
8c50ac16e0f0b0dc42daa51b3b2cdf4cddf45edd

SHA256
23c7551caff2458ac5d0e4446985c3d511c4968f523cb36225a42ea634f3996a

SHA512
82bef41bd3e3acb7edf66efd187d2470c1df727578d7b61e387d0987e3d8b54c54029dfe69fb2bc1158f9e4d81f78ff9d6477462d02d814638656448561f66be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Norwegian.psd

Filesize
56KB

MD5
5f54260ec2fd2c3deff3dbffb8c355d1

SHA1
4931c6bcaf2cf157493926d3edc28901c94e6d38

SHA256
60de2fc329950e8a0fb2de894e04c704db912d13dcd4aade7d1b1d19f2a31926

SHA512
d1141bf03135f38704f906eaaeb0c1e6e2e69bdf7a4316522818bf07bb660e78a98f3a801ea61ccf5dd7f309d110f630653a61e2ec2c4fcbe7a2537b0adce78c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Popular.psd

Filesize
75KB

MD5
19ce029b4e6835117bf346ae849f9c31

SHA1
e53b020585990048d058a4d8efa322cbbdc3c679

SHA256
c669d3a8b6e8e1dc92bf9799717e62321e9f2bfb434758426a4781780cbbd320

SHA512
d338eca5db927e019b101ee9b9d1bf7746a0819f05a408ecf48a32ea568250cb0db64c069a59d337578cccc6fb14231e10a70b22c1a6983dbbe542ff3a5542f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Prague.psd

Filesize
478KB

MD5
14ea67fa2ebd7157c34768e8ab3a3410

SHA1
4dd72b8023f65ac3c607184ef93e8c2128f23fb0

SHA256
8ebf963c1a3d87ff485b6378015246b7f65bb021bf49ac399577b4dfb6af374f

SHA512
25050059036fd9eb77e172132af9fcfc7de8bbc0b1af2171544a5dcd353c931b0a67c8485dd4786938f52e25a34b9296c743fc04de5daf3c2c5bb19cc9ce74b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Purposes.psd

Filesize
65KB

MD5
6aff8f262e23240cd15a2032e6b5deb3

SHA1
5978e503ba2d8eeb0bfe72e323a4d06e63d905f8

SHA256
b390f3da4615e438d15bd4a981560fe77c7d5a54e5e4e0fccd3da2ac2ec9f03b

SHA512
d3d465674043a464d7c3a96a7fd67f7508eff0be8d9c9e3fc11b555f2e7af8205fabe0bd1c777618f155c07389c99ea634512c33a0eda71c3e643b1077c8d300

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rape

Filesize
61KB

MD5
c20b9ee3fc54b0380b7879405b93e4fb

SHA1
43a4fcd4f1e5f9dc1e47fc3230516974adc6be4a

SHA256
8185413313cb47d7def1a5d47c734931a527b852a09a75de078dce5fbd37df22

SHA512
c29c762945804208dacdc08fe071e5023895f3571a9c4e6caaa5de6512ba49cbf0bece7b399566f8647c51f1fde88eaa42fa3dfb70eb0814066fb0e9501ea47d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Stack

Filesize
1KB

MD5
2be41b2a7a1b1c8865553200e292c9d5

SHA1
551feb3720975db0d91eba2e2f64699da8800983

SHA256
60943547bc91a93a5256907881d10cd13873b111ac95b3ad2401a321495422e3

SHA512
d4f1bca398cc0ac699d21a61e64c1c68ff98713f8da098273194f95651f06775e9f6a341fb311186c88a269560e457416be16da0b6fe74643b4e6b4941c8952e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Structure.psd

Filesize
84KB

MD5
8acb932f4e79cac77148be7799a3b89c

SHA1
fd0ff42fd4a1b122418bc90e46baa2bdc309d724

SHA256
4ba3cfe39949a75ab3a8555500f7d3b0e1b980ebc61fb324700482d80013a21e

SHA512
969a5f0b14773f59c50ecfc49b520308c8862e76fb7ee9aea195db44e52c3cfb2ffbfa3c20ce3666669cbd164ee986f1b05da792300c1b2da80ca6caad495f20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Supported

Filesize
115KB

MD5
6515a1af69989f4af53df40042aad2e7

SHA1
abd7b6fe9853a3d5e3a42da3ad1bd6dc4d52ec61

SHA256
f03a37fd1e28419edfdfed8e0df4290d91411added5b4f930957c4b2fe3dd74f

SHA512
c86452b88273e731ca586e34771ef7c9a836dae585122c589475d812e054a2a6508efec95e09dcfc5b2e6750cb22d63d0d4cc3b372055c59071fd60753663b2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tractor.psd

Filesize
92KB

MD5
b3e684ba079d48fb9c40a3705b887477

SHA1
d2817d5b833a4cb6d4d2951fe5a5415b855be8ba

SHA256
89278e6fdd7122c1f919f4cb28e0eeaf57dafc7617e86aeb1f8baf00b46e4f32

SHA512
68d61493a1d84f5d66fc7837856f68db185b58699b484a59fa4b643437f4ce9675decf3561ba69a45f0240572511e7999f5e9bc674ca186de989b96e1189bea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\crimes.psd

Filesize
20KB

MD5
410a8bbfd340f0065d30e0532abf6926

SHA1
01b3dbb87247d35eadfe8535f1a4412113d05c26

SHA256
983878702193c2d303075cc1c295608ad4aae6a6b600e9b37a655909c65a57f3

SHA512
17967670250da18f8f649fe7a65ccfd42bf063dced0109f7339b47ff404316deaeebd221df2f2abd48ead3eb0cb09ab73585e90428ef02cc22e66668e4f15d76

Download Submit
memory/396-514-0x0000000000EE0000-0x00000000012E0000-memory.dmp

Filesize
4.0MB

Download
memory/396-515-0x00007FFF25890000-0x00007FFF25A85000-memory.dmp

Filesize
2.0MB

Download
memory/396-517-0x0000000076860000-0x0000000076A75000-memory.dmp

Filesize
2.1MB

Download
memory/396-512-0x0000000000750000-0x000000000075A000-memory.dmp

Filesize
40KB

Download
memory/2732-535-0x0000000076860000-0x0000000076A75000-memory.dmp

Filesize
2.1MB

Download
memory/2732-533-0x00007FFF25890000-0x00007FFF25A85000-memory.dmp

Filesize
2.0MB

Download
memory/2732-532-0x0000000001240000-0x0000000001640000-memory.dmp

Filesize
4.0MB

Download
memory/2732-530-0x0000000000C90000-0x0000000000C9A000-memory.dmp

Filesize
40KB

Download
memory/4916-526-0x0000000004080000-0x0000000004480000-memory.dmp

Filesize
4.0MB

Download
memory/4916-527-0x00007FFF25890000-0x00007FFF25A85000-memory.dmp

Filesize
2.0MB

Download
memory/4916-529-0x0000000076860000-0x0000000076A75000-memory.dmp

Filesize
2.1MB

Download
memory/5008-511-0x0000000076860000-0x0000000076A75000-memory.dmp

Filesize
2.1MB

Download
memory/5008-509-0x00007FFF25890000-0x00007FFF25A85000-memory.dmp

Filesize
2.0MB

Download
memory/5008-507-0x0000000004E00000-0x0000000005200000-memory.dmp

Filesize
4.0MB

Download
memory/5008-508-0x0000000004E00000-0x0000000005200000-memory.dmp

Filesize
4.0MB

Download
memory/5008-504-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download
memory/5008-505-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download
memory/5008-506-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download
memory/5008-500-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download
memory/5008-501-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download
memory/5008-502-0x0000000000410000-0x0000000000491000-memory.dmp

Filesize
516KB

Download