asyncrat | hxxps://mega[.]nz/file/BUJyhLgD#yGZ5H0TGS1lxoRxQ-t7--AXmj__pK1X6ImhvJczRjqc

Analysis

max time kernel
600s
max time network
616s
platform
windows10_x64
resource
win10v20210410
submitted
24-07-2021 00:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/BUJyhLgD#yGZ5H0TGS1lxoRxQ-t7--AXmj__pK1X6ImhvJczRjqc
Sample

210724-1p6sc2mh56

Score

10^/10

asyncrat discovery evasion persistence pyinstaller rat suricata trojan

Malware Config

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers.
rat asyncrat
Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Modify Existing Service
T1031

Processes:

Defender.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3" Defender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinDefend\Start = "3"	Defender.exe

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs

Processes:

WerFault.exe

description pid process target process

PID 5776 created 4652 5776 WerFault.exe PaintStudio.View.exe
Suspicious use of NtCreateUserProcessOtherParentProcess 2 IoCs

Processes:

svchost.exe

description pid process target process

PID 5124 created 5056 5124 svchost.exe Defender.exe
PID 5124 created 5176 5124 svchost.exe Defender.exe
suricata: ET MALWARE Observed Malicious SSL Cert (AsyncRAT Server)
suricata

description	pid	process	target process
PID 5776 created 4652	5776	WerFault.exe	PaintStudio.View.exe

description	pid	process	target process
PID 5124 created 5056	5124	svchost.exe	Defender.exe
PID 5124 created 5176	5124	svchost.exe	Defender.exe

Async RAT payload 1 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/1468-550-0x000000000040C71E-mapping.dmp	asyncrat

Downloads MZ/PE file

Executes dropped EXE 22 IoCs

Processes:

uninstall.exeWinRAR.exeWinRAR.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeSystem.exeSystem.exeSystem.exeSystem.exeBypass.exeDefender.exeDefender.exeDefender.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exeCraftrise_CHRAT.exe

pid	process
3440	uninstall.exe
3212	WinRAR.exe
3092	WinRAR.exe
4348	Craftrise_CHRAT.exe
4292	Craftrise_CHRAT.exe
4132	Craftrise_CHRAT.exe
4180	Craftrise_CHRAT.exe
4576	Craftrise_CHRAT.exe
1832	System.exe
4356	System.exe
4436	System.exe
3784	System.exe
2792	Bypass.exe
5056	Defender.exe
5176	Defender.exe
5432	Defender.exe
5612	Craftrise_CHRAT.exe
5780	Craftrise_CHRAT.exe
5908	Craftrise_CHRAT.exe
5836	Craftrise_CHRAT.exe
5284	Craftrise_CHRAT.exe
304	Craftrise_CHRAT.exe

Drops startup file 6 IoCs

Processes:

System.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe	System.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Defender.exe	System.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	System.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Process.exe	System.exe

Loads dropped DLL 36 IoCs

Processes:

System.exeSystem.exesoftware_reporter_tool.exe

pid	process
2756
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
4356	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
3784	System.exe
2756
2756
2756
2756
5924	software_reporter_tool.exe
5924	software_reporter_tool.exe
5924	software_reporter_tool.exe
5924	software_reporter_tool.exe
5924	software_reporter_tool.exe
5924	software_reporter_tool.exe
5924	software_reporter_tool.exe

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disabling Security Tools

T1089

Modify Registry

T1112

Processes:

Defender.exeDefender.exeDefender.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\DisableAntiSpyware = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring = "1"	Defender.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Real-Time Protection	Defender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in System32 directory 2 IoCs

Processes:

Defender.exe

description	ioc	process
File created	C:\Windows\System32\GroupPolicy\Machine\Registry.pol	Defender.exe
File opened for modification	C:\Windows\System32\GroupPolicy\gpt.ini	Defender.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Craftrise_CHRAT.exe

description pid process target process

PID 4348 set thread context of 1468 4348 Craftrise_CHRAT.exe MSBuild.exe

description	pid	process	target process
PID 4348 set thread context of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe

Drops file in Program Files directory 56 IoCs

Processes:

winrar-x64-602tr.exeuninstall.exe

description	ioc	process
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Rar.lng	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.lng	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Default.SFX	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Rar.lng	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.lng	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Rar.exe	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\RarExt.lng	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\rarnew.dat	uninstall.exe
File opened for modification	C:\Program Files\WinRAR\Rar.txt	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_259375375	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lng	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Uninstall.lng	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\WinRAR.lng	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Zip64.SFX	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\Descript.ion	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-602tr.exe
File opened for modification	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-602tr.exe
File created	C:\Program Files\WinRAR\Default64.SFX	winrar-x64-602tr.exe

Drops file in Windows directory 1 IoCs

Processes:

WerFault.exe

description ioc process

File created C:\Windows\AppCompat\Programs\Amcache.hve.tmp WerFault.exe

description	ioc	process
File created	C:\Windows\AppCompat\Programs\Amcache.hve.tmp	WerFault.exe

Detects Pyinstaller 5 IoCs

pyinstaller

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\System.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\System.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\System.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\System.exe	pyinstaller
C:\Users\Admin\AppData\Local\Temp\System.exe	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Program crash 5 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exeWerFault.exeWerFault.exe

pid	pid_target	process	target process
644	3212	WerFault.exe	WinRAR.exe
4828	2792	WerFault.exe	Bypass.exe
5292	4132	WerFault.exe	Craftrise_CHRAT.exe
5528	4576	WerFault.exe	Craftrise_CHRAT.exe
5776	4652	WerFault.exe	PaintStudio.View.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WerFault.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WerFault.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

5084 schtasks.exe

pid	process
5084	schtasks.exe

Enumerates system info in registry 2 TTPs 2 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WerFault.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WerFault.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WerFault.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

WinRAR.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies registry class 64 IoCs

Processes:

PaintStudio.View.exeuninstall.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1"	PaintStudio.View.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r13	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r25	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r07	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r23\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	PaintStudio.View.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r11	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command\ = "\"C:\\Program Files\\WinRAR\\WinRAR.exe\" \"%1\""	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR	uninstall.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

PaintStudio.View.exe

pid process

4652 PaintStudio.View.exe

pid	process
4652	PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeWerFault.exeCraftrise_CHRAT.exeDefender.exeWerFault.exe

pid	process
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4328	chrome.exe
4352	chrome.exe
4352	chrome.exe
1544	chrome.exe
1544	chrome.exe
4564	chrome.exe
4564	chrome.exe
4244	chrome.exe
4244	chrome.exe
4352	chrome.exe
4352	chrome.exe
1536	chrome.exe
1536	chrome.exe
5116	chrome.exe
5116	chrome.exe
4572	chrome.exe
4572	chrome.exe
4832	chrome.exe
4832	chrome.exe
4508	chrome.exe
4508	chrome.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
644	WerFault.exe
4348	Craftrise_CHRAT.exe
4348	Craftrise_CHRAT.exe
5056	Defender.exe
5056	Defender.exe
5056	Defender.exe
5056	Defender.exe
5056	Defender.exe
5056	Defender.exe
5056	Defender.exe
5056	Defender.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe
4828	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

WinRAR.exe

pid process

3092 WinRAR.exe

pid	process
3092	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 31 IoCs

Processes:

WerFault.exeCraftrise_CHRAT.exeBypass.exeDefender.exeWerFault.exesvchost.exeMSBuild.exeWerFault.exeDefender.exeWerFault.exePaintStudio.View.exeWerFault.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exesoftware_reporter_tool.exe

description	pid	process
Token: SeDebugPrivilege	644	WerFault.exe
Token: SeDebugPrivilege	4348	Craftrise_CHRAT.exe
Token: SeDebugPrivilege	2792	Bypass.exe
Token: SeDebugPrivilege	5056	Defender.exe
Token: SeAssignPrimaryTokenPrivilege	5056	Defender.exe
Token: SeIncreaseQuotaPrivilege	5056	Defender.exe
Token: 0	5056	Defender.exe
Token: SeRestorePrivilege	4828	WerFault.exe
Token: SeBackupPrivilege	4828	WerFault.exe
Token: SeBackupPrivilege	4828	WerFault.exe
Token: SeTcbPrivilege	5124	svchost.exe
Token: SeTcbPrivilege	5124	svchost.exe
Token: SeDebugPrivilege	4828	WerFault.exe
Token: SeDebugPrivilege	1468	MSBuild.exe
Token: SeDebugPrivilege	5292	WerFault.exe
Token: SeDebugPrivilege	5176	Defender.exe
Token: SeAssignPrimaryTokenPrivilege	5176	Defender.exe
Token: SeIncreaseQuotaPrivilege	5176	Defender.exe
Token: SeDebugPrivilege	5528	WerFault.exe
Token: SeDebugPrivilege	4652	PaintStudio.View.exe
Token: SeDebugPrivilege	4652	PaintStudio.View.exe
Token: SeDebugPrivilege	4652	PaintStudio.View.exe
Token: SeDebugPrivilege	5776	WerFault.exe
Token: 33	1764	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	1764	software_reporter_tool.exe
Token: 33	5812	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5812	software_reporter_tool.exe
Token: 33	5924	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5924	software_reporter_tool.exe
Token: 33	5540	software_reporter_tool.exe
Token: SeIncBasePriorityPrivilege	5540	software_reporter_tool.exe

Suspicious use of FindShellTrayWindow 9 IoCs

Processes:

WinRAR.exeWinRAR.exeDefender.exe

pid process

3212 WinRAR.exe
3092 WinRAR.exe
3092 WinRAR.exe
3092 WinRAR.exe
3092 WinRAR.exe
3092 WinRAR.exe
5056 Defender.exe
5056 Defender.exe
5056 Defender.exe

pid	process
3212	WinRAR.exe
3092	WinRAR.exe
3092	WinRAR.exe
3092	WinRAR.exe
3092	WinRAR.exe
3092	WinRAR.exe
5056	Defender.exe
5056	Defender.exe
5056	Defender.exe

Suspicious use of SetWindowsHookEx 9 IoCs

Processes:

winrar-x64-602tr.exeuninstall.exeWinRAR.exemspaint.exePaintStudio.View.exe

pid	process
3464	winrar-x64-602tr.exe
3464	winrar-x64-602tr.exe
3464	winrar-x64-602tr.exe
3440	uninstall.exe
3212	WinRAR.exe
3212	WinRAR.exe
5300	mspaint.exe
4652	PaintStudio.View.exe
4652	PaintStudio.View.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exechrmstp.exewinrar-x64-602tr.exeCraftrise_CHRAT.exeSystem.exeSystem.exeSystem.exeSystem.exeBypass.exesvchost.exesoftware_reporter_tool.exe

description	pid	process	target process
PID 4208 wrote to memory of 4488	4208	chrome.exe	chrome.exe
PID 4208 wrote to memory of 4488	4208	chrome.exe	chrome.exe
PID 296 wrote to memory of 2132	296	chrmstp.exe	chrmstp.exe
PID 296 wrote to memory of 2132	296	chrmstp.exe	chrmstp.exe
PID 3464 wrote to memory of 3440	3464	winrar-x64-602tr.exe	uninstall.exe
PID 3464 wrote to memory of 3440	3464	winrar-x64-602tr.exe	uninstall.exe
PID 4348 wrote to memory of 1832	4348	Craftrise_CHRAT.exe	System.exe
PID 4348 wrote to memory of 1832	4348	Craftrise_CHRAT.exe	System.exe
PID 4348 wrote to memory of 1832	4348	Craftrise_CHRAT.exe	System.exe
PID 4348 wrote to memory of 5084	4348	Craftrise_CHRAT.exe	schtasks.exe
PID 4348 wrote to memory of 5084	4348	Craftrise_CHRAT.exe	schtasks.exe
PID 4348 wrote to memory of 5084	4348	Craftrise_CHRAT.exe	schtasks.exe
PID 1832 wrote to memory of 4356	1832	System.exe	System.exe
PID 1832 wrote to memory of 4356	1832	System.exe	System.exe
PID 1832 wrote to memory of 4356	1832	System.exe	System.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4348 wrote to memory of 1468	4348	Craftrise_CHRAT.exe	MSBuild.exe
PID 4356 wrote to memory of 4436	4356	System.exe	System.exe
PID 4356 wrote to memory of 4436	4356	System.exe	System.exe
PID 4356 wrote to memory of 4436	4356	System.exe	System.exe
PID 4436 wrote to memory of 3784	4436	System.exe	System.exe
PID 4436 wrote to memory of 3784	4436	System.exe	System.exe
PID 4436 wrote to memory of 3784	4436	System.exe	System.exe
PID 3784 wrote to memory of 2792	3784	System.exe	Bypass.exe
PID 3784 wrote to memory of 2792	3784	System.exe	Bypass.exe
PID 3784 wrote to memory of 2792	3784	System.exe	Bypass.exe
PID 2792 wrote to memory of 5056	2792	Bypass.exe	Defender.exe
PID 2792 wrote to memory of 5056	2792	Bypass.exe	Defender.exe
PID 2792 wrote to memory of 5056	2792	Bypass.exe	Defender.exe
PID 5124 wrote to memory of 5176	5124	svchost.exe	Defender.exe
PID 5124 wrote to memory of 5176	5124	svchost.exe	Defender.exe
PID 5124 wrote to memory of 5176	5124	svchost.exe	Defender.exe
PID 5124 wrote to memory of 5432	5124	svchost.exe	Defender.exe
PID 5124 wrote to memory of 5432	5124	svchost.exe	Defender.exe
PID 5124 wrote to memory of 5432	5124	svchost.exe	Defender.exe
PID 5812 wrote to memory of 1764	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 1764	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe
PID 5812 wrote to memory of 5924	5812	software_reporter_tool.exe	software_reporter_tool.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" https://mega.nz/file/BUJyhLgD#yGZ5H0TGS1lxoRxQ-t7--AXmj__pK1X6ImhvJczRjqc
1⤵
- Suspicious use of WriteProcessMemory
PID:4208

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffa3f374f50,0x7ffa3f374f60,0x7ffa3f374f70
2⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6324 /prefetch:8
1⤵
PID:4424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6216 /prefetch:8
1⤵
PID:4416

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5320 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1952 /prefetch:2
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
1⤵
PID:4708

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --configure-user-settings --verbose-logging --system-level --channel --force-configure-user-settings
1⤵
- Suspicious use of WriteProcessMemory
PID:296

C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\Installer\chrmstp.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0x23c,0x240,0x244,0x1ec,0x248,0x7ff7c1e4a890,0x7ff7c1e4a8a0,0x7ff7c1e4a8b0
2⤵
PID:2132

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2288 /prefetch:8
1⤵
PID:3436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5912 /prefetch:8
1⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5820 /prefetch:8
1⤵
PID:2352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5728 /prefetch:8
1⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5916 /prefetch:8
1⤵
PID:3816

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
1⤵
PID:4112

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5740 /prefetch:8
1⤵
PID:4540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5616 /prefetch:8
1⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5500 /prefetch:8
1⤵
PID:4640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x3a4
1⤵
PID:4760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5848 /prefetch:8
1⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3564 /prefetch:8
1⤵
PID:4660

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5292 /prefetch:8
1⤵
PID:4524

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4044 /prefetch:8
1⤵
PID:2124

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5532 /prefetch:8
1⤵
PID:1812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6416 /prefetch:8
1⤵
PID:1476

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5428 /prefetch:8
1⤵
PID:1388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4988 /prefetch:8
1⤵
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6408 /prefetch:8
1⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4320 /prefetch:8
1⤵
PID:2192

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6436 /prefetch:8
1⤵
PID:3848

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6664 /prefetch:8
1⤵
PID:3532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6680 /prefetch:8
1⤵
PID:3164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7260 /prefetch:8
1⤵
PID:3652

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7288 /prefetch:8
1⤵
PID:4092

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7504 /prefetch:8
1⤵
PID:4456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7644 /prefetch:8
1⤵
PID:4580

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7392 /prefetch:8
1⤵
PID:4732

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7896 /prefetch:8
1⤵
PID:2436

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7932 /prefetch:8
1⤵
PID:4516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7660 /prefetch:8
1⤵
PID:5088

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8316 /prefetch:8
1⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8416 /prefetch:8
1⤵
PID:1376

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8548 /prefetch:8
1⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8840 /prefetch:8
1⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8948 /prefetch:8
1⤵
PID:1240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9092 /prefetch:8
1⤵
PID:4396

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9076 /prefetch:8
1⤵
PID:4604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6828 /prefetch:8
1⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2140 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4244

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6436 /prefetch:1
1⤵
PID:4596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9096 /prefetch:1
1⤵
PID:4116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9084 /prefetch:1
1⤵
PID:4488

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7912 /prefetch:1
1⤵
PID:4496

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8204 /prefetch:8
1⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9144 /prefetch:8
1⤵
PID:3004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8840 /prefetch:8
1⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6388 /prefetch:8
1⤵
PID:1856

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7364 /prefetch:1
1⤵
PID:3632

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8748 /prefetch:1
1⤵
PID:1772

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8492 /prefetch:1
1⤵
PID:3644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
1⤵
PID:4668

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=7912 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8364 /prefetch:1
1⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8132 /prefetch:1
1⤵
PID:3692

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8868 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8920 /prefetch:1
1⤵
PID:4640

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8104 /prefetch:1
1⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9048 /prefetch:1
1⤵
PID:1844

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8928 /prefetch:1
1⤵
PID:1032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7888 /prefetch:1
1⤵
PID:4392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9040 /prefetch:1
1⤵
PID:1468

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6936 /prefetch:8
1⤵
PID:2064

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5760 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7772 /prefetch:8
1⤵
PID:2284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7184 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4572

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4916 /prefetch:1
1⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5128 /prefetch:1
1⤵
PID:5116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5552 /prefetch:8
1⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6412 /prefetch:1
1⤵
PID:4352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7028 /prefetch:8
1⤵
PID:1536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4324 /prefetch:8
1⤵
PID:2060

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
1⤵
PID:3380

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4156 /prefetch:1
1⤵
PID:5108

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2000 /prefetch:8
1⤵
PID:4120

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3408 /prefetch:8
1⤵
PID:2564

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5904 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4832

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4960 /prefetch:8
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4508

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3752 /prefetch:8
1⤵
PID:4020

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6296 /prefetch:8
1⤵
PID:3448

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8744 /prefetch:8
1⤵
PID:5028

C:\Users\Admin\Downloads\winrar-x64-602tr.exe
"C:\Users\Admin\Downloads\winrar-x64-602tr.exe"
1⤵
- Drops file in Program Files directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3464

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
2⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Drops file in Program Files directory
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3440

C:\Windows\system32\compattelrunner.exe
C:\Windows\system32\compattelrunner.exe -m:aeinv.dll -f:UpdateSoftwareInventoryW
1⤵
PID:2980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6776 /prefetch:1
1⤵
PID:4092

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Craftrise_HACK.rar"
1⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:3212

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3212 -s 3112
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:644

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Craftrise_HACK.rar"
1⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:3092

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4348

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:1832

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe"
3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4356

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe" C:\Users\Admin\AppData\Local\Temp\System.exe asadmin
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:4436

C:\Users\Admin\AppData\Local\Temp\System.exe
"C:\Users\Admin\AppData\Local\Temp\System.exe" C:\Users\Admin\AppData\Local\Temp\System.exe asadmin
5⤵
- Executes dropped EXE
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3784

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Bypass.exe"
6⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2792

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /D
7⤵
- Executes dropped EXE
- Windows security modification
- Drops file in System32 directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5056

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /SYS 1
8⤵
- Executes dropped EXE
- Windows security modification
- Suspicious use of AdjustPrivilegeToken
PID:5176

C:\Users\Admin\AppData\Local\Temp\Defender.exe
"C:\Users\Admin\AppData\Local\Temp\Defender.exe" /TI 1
9⤵
- Modifies security service
- Executes dropped EXE
- Windows security modification
PID:5432

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2792 -s 996
7⤵
- Drops file in Windows directory
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4828

C:\Windows\SysWOW64\schtasks.exe
"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\hSCsVPiQwyd" /XML "C:\Users\Admin\AppData\Local\Temp\tmpF9DD.tmp"
2⤵
- Creates scheduled task(s)
PID:5084

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
"{path}"
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1468

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:4292

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4444 /prefetch:8
1⤵
PID:2808

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:4132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4132 -s 1164
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5292

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:4180

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:4576

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4576 -s 1172
2⤵
- Program crash
- Suspicious use of AdjustPrivilegeToken
PID:5528

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k netsvcs -s seclogon
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -s WPDBusEnum
1⤵
PID:5164

\??\c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k localsystemnetworkrestricted -s fhsvc
1⤵
PID:5156

\??\c:\windows\system32\gpscript.exe
gpscript.exe /RefreshSystemParam
1⤵
PID:5468

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:5612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6664 /prefetch:8
1⤵
PID:5712

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:5780

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3936 /prefetch:8
1⤵
PID:5852

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:5908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2060 /prefetch:8
1⤵
PID:6016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8916 /prefetch:8
1⤵
PID:6108

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\ExpandRename.jpeg" /ForceBootstrapPaint3D
1⤵
- Suspicious use of SetWindowsHookEx
PID:5300

C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe
"C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
1⤵
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4652

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4652 -s 4304
2⤵
- Suspicious use of NtCreateProcessExOtherParentProcess
- Program crash
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious use of AdjustPrivilegeToken
PID:5776

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7656 /prefetch:8
1⤵
PID:1240

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:5836

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8416 /prefetch:8
1⤵
PID:5964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3664 /prefetch:8
1⤵
PID:5216

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4104 /prefetch:8
1⤵
PID:4920

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=808 /prefetch:8
1⤵
PID:5932

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:5284

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
1⤵
PID:5792

C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
"C:\Users\Admin\Downloads\Craftrise_CHRAT.exe"
1⤵
- Executes dropped EXE
PID:304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5144 /prefetch:8
1⤵
PID:4464

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7188 /prefetch:8
1⤵
PID:5892

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe
"C:\Users\Admin\AppData\Local\Google\Chrome\User Data\SwReporter\92.267.200\software_reporter_tool.exe" --engine=2 --scan-locations=1,2,3,4,5,6,7,8,10 --disabled-locations=9,11 --session-id=Mj03Rz4UvhWHcSutvJxwle5AcT5ql8woi7OS7g4n --registry-suffix=ESET --srt-field-trial-group-name=NewCleanerUIExperiment
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5812

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --crash-handler "--database=c:\users\admin\appdata\local\Google\Software Reporter Tool" --url=https://clients2.google.com/cr/report --annotation=plat=Win32 --annotation=prod=ChromeFoil --annotation=ver=92.267.200 --initial-client-data=0x244,0x248,0x24c,0x220,0x250,0x7ff63ac062b0,0x7ff63ac062c0,0x7ff63ac062d0
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:1764

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5812_AOZYCLZNUAHVVATY" --sandboxed-process-id=2 --init-done-notifier=716 --sandbox-mojo-pipe-token=17506569237521527748 --mojo-platform-channel-handle=692 --engine=2
2⤵
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
PID:5924

\??\c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe
"c:\users\admin\appdata\local\google\chrome\user data\swreporter\92.267.200\software_reporter_tool.exe" --use-crash-handler-with-id="\\.\pipe\crashpad_5812_AOZYCLZNUAHVVATY" --sandboxed-process-id=3 --init-done-notifier=916 --sandbox-mojo-pipe-token=9201519908748041327 --mojo-platform-channel-handle=912
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:5540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1480,13419653695387566283,3035061813321290969,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7080 /prefetch:8
1⤵
PID:1240

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Modify Existing Service

T1031

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Disabling Security Tools

T1089

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt
MD5
e3e92d933a7887710508d1a9a64f8e16

SHA1
191d054e3f48caa446322d9620fa9776dcd0eac7

SHA256
a4d41d73f7e56ab9f6254807e48bc94af3b214fbac9a17d24b8140a99aad26b3

SHA512
75c65e9c145b4980fc58460daa14da1ea45784943454eca2dc7ed69154a8d2cf92a6a213ad8a3dfdfa3045b4e1a8772372019f4c1d5e0e4dd407ee3f2348d75c

Download Submit
C:\Program Files\WinRAR\Uninstall.exe
MD5
87f1fca0a6de2bc800307ae0e98d0947

SHA1
c202000e35bdc68c60f9a355b7ddac9d1f891400

SHA256
f13d5b6a33929f890dab2445c14c6be03630beab05a5a7adb004ff14718131a6

SHA512
4a60e9a99e4b955219695897356faf8d3c54c8fbdc580c4d2af30352e04d4cb0b3217adb1c510b8eaec98ad8f5dba1b43808be7c6d28ace6851d7fbf7f0fc430

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt
MD5
9965bee67e4b4556f14558fb541defa4

SHA1
76657102bd53ddaa42a85128201e57d2adf27695

SHA256
f8e9c3be9c76ee13f7fc7a5ae8dd397440adb1dd6745b17e0ffce89e2d0fccad

SHA512
9e966914a8449d371fdd46e6ddbd47ae2fb40ee1f8e7c82d04584a42cda68d60d15441c90e54e9a8b0aed9dce95110a65c7e3ac3e358d950300f279d07f6aa7e

Download Submit
C:\Program Files\WinRAR\WinRAR.chm
MD5
eca0e0be50f4f0dc5f2ccdbbc0338365

SHA1
1978b9d6ef60d5cd4258f0668d683be87fca0497

SHA256
750e5efc4ebb5e051b17efad93708ea2d5c27d22de720db0fea2408be85b3d42

SHA512
d9af9cc3c6cbf73818d6ab1c57c5ee7eb9345d03e5cd6b0e49b5d1c57728b183776dc83c9c0a5353bd15155d3d981886edbeaae202f2bb734841225b31bb619f

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
MD5
40cc85ec7b1ba5b7efa8aee50715f201

SHA1
df97b75a0fe58732adb0ce34d39f901bc8ea2a0e

SHA256
54c441b939c9fd0ac96f3939437f0e8e259d13ab2d549f71f089f90b6c0c6b70

SHA512
aa1ac54d26f28b4aafeb5ebb341301360369661cea8f7fa5f941ff5c6b78bd5dba0792e3702130a8fffe5978339abd59beffbdf9e5c25c54520f09e6db57d2f7

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
MD5
40cc85ec7b1ba5b7efa8aee50715f201

SHA1
df97b75a0fe58732adb0ce34d39f901bc8ea2a0e

SHA256
54c441b939c9fd0ac96f3939437f0e8e259d13ab2d549f71f089f90b6c0c6b70

SHA512
aa1ac54d26f28b4aafeb5ebb341301360369661cea8f7fa5f941ff5c6b78bd5dba0792e3702130a8fffe5978339abd59beffbdf9e5c25c54520f09e6db57d2f7

Download Submit
C:\Program Files\WinRAR\WinRAR.exe
MD5
40cc85ec7b1ba5b7efa8aee50715f201

SHA1
df97b75a0fe58732adb0ce34d39f901bc8ea2a0e

SHA256
54c441b939c9fd0ac96f3939437f0e8e259d13ab2d549f71f089f90b6c0c6b70

SHA512
aa1ac54d26f28b4aafeb5ebb341301360369661cea8f7fa5f941ff5c6b78bd5dba0792e3702130a8fffe5978339abd59beffbdf9e5c25c54520f09e6db57d2f7

Download Submit
C:\Program Files\WinRAR\uninstall.exe
MD5
87f1fca0a6de2bc800307ae0e98d0947

SHA1
c202000e35bdc68c60f9a355b7ddac9d1f891400

SHA256
f13d5b6a33929f890dab2445c14c6be03630beab05a5a7adb004ff14718131a6

SHA512
4a60e9a99e4b955219695897356faf8d3c54c8fbdc580c4d2af30352e04d4cb0b3217adb1c510b8eaec98ad8f5dba1b43808be7c6d28ace6851d7fbf7f0fc430

Download Submit
C:\Program Files\WinRAR\uninstall.lng
MD5
23f89dba4de17e15d4c785a40e225689

SHA1
edaa5cb48c35d9e44f1805f392e7585c324a1e93

SHA256
dba95d306b2450d54bd9e58ecd792df25df9abb14d764fe9480b12f8ae7f4eb2

SHA512
7cea271cdc01a9be22175789781af1e6688dbff7f651607981afee148f9bdf999263f5288a8221ab97bb3cc73541749c4ea658ee2ccd8627165cb53d0fdf5921

Download Submit
C:\Program Files\WinRAR\winrar.lng
MD5
4cb86c9206062e66cc5dba1e51574281

SHA1
eb4f43b07ee87b0e8a2a4e753bf11c923fb6f0ac

SHA256
f7b3ef1a5c9ada42aa7c21aad53100be92e20e5a7100d9113f3229332f4da852

SHA512
4f8e6783537fe50fb33d296fec2a18fa028db6546e9518385067e5184e2e3e82ae9a3fd8f0ba0e5115073faeefa1a8e275cf8b43db4b4a1f0cd5f0c24f3d4d70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Craftrise_CHRAT.exe.log
MD5
0c2899d7c6746f42d5bbe088c777f94c

SHA1
622f66c5f7a3c91b28a9f43ce7c6cabadbf514f1

SHA256
5b0b99740cadaeff7b9891136644b396941547e20cc7eea646560d0dad5a5458

SHA512
ab7a3409ed4b6ca00358330a3aa4ef6de7d81eb21a5e24bb629ef6a7c7c4e2a70ca3accfbc989ed6e495fdb8eb6203a26d6f2a37b2a5809af4276af375b49078

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
MD5
dc110d5253885cfef8a0a041f0a08ca7

SHA1
a8cd699d0755999afebff6dfc3aa47c4306a6390

SHA256
f276786cd45cb0aa0bd28b04370436f33083f7523805280cab30840306cdea59

SHA512
a3caddf82d1e223921343295f7f62e499583816ef065cd7accf25c3794a13070c5c4579314f5651314602c5c91972788bf9c874cedb6a5d8c79f611f6a334093

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
MD5
dc110d5253885cfef8a0a041f0a08ca7

SHA1
a8cd699d0755999afebff6dfc3aa47c4306a6390

SHA256
f276786cd45cb0aa0bd28b04370436f33083f7523805280cab30840306cdea59

SHA512
a3caddf82d1e223921343295f7f62e499583816ef065cd7accf25c3794a13070c5c4579314f5651314602c5c91972788bf9c874cedb6a5d8c79f611f6a334093

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
MD5
dc110d5253885cfef8a0a041f0a08ca7

SHA1
a8cd699d0755999afebff6dfc3aa47c4306a6390

SHA256
f276786cd45cb0aa0bd28b04370436f33083f7523805280cab30840306cdea59

SHA512
a3caddf82d1e223921343295f7f62e499583816ef065cd7accf25c3794a13070c5c4579314f5651314602c5c91972788bf9c874cedb6a5d8c79f611f6a334093

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
MD5
dc110d5253885cfef8a0a041f0a08ca7

SHA1
a8cd699d0755999afebff6dfc3aa47c4306a6390

SHA256
f276786cd45cb0aa0bd28b04370436f33083f7523805280cab30840306cdea59

SHA512
a3caddf82d1e223921343295f7f62e499583816ef065cd7accf25c3794a13070c5c4579314f5651314602c5c91972788bf9c874cedb6a5d8c79f611f6a334093

Download Submit
C:\Users\Admin\AppData\Local\Temp\System.exe
MD5
dc110d5253885cfef8a0a041f0a08ca7

SHA1
a8cd699d0755999afebff6dfc3aa47c4306a6390

SHA256
f276786cd45cb0aa0bd28b04370436f33083f7523805280cab30840306cdea59

SHA512
a3caddf82d1e223921343295f7f62e499583816ef065cd7accf25c3794a13070c5c4579314f5651314602c5c91972788bf9c874cedb6a5d8c79f611f6a334093

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\VCRUNTIME140.dll
MD5
87dd91c56be82866bf96ef1666f30a99

SHA1
3b78cb150110166ded8ea51fbde8ea506f72aeaf

SHA256
49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f

SHA512
58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_bz2.pyd
MD5
aaf8987c856cf8bef5e4d44f988faf9b

SHA1
74c6969fc3260da77f415814da11aa73e145b7b8

SHA256
01182e4ad15a5255213dcdd193eba94243732ffdf531a55dfea7e9aab155003f

SHA512
730d5b05bc5acd57c2834024e4ca4b71f556f1d711dc840500687b92f302039e9c9108f4ed1752d788c3b1f987aa0f3ec602f1987119439cf150636d0eb3852d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_ctypes.pyd
MD5
01c6a2525adad89427d5b03673f5de18

SHA1
6762cfad8dba498526272289322d297b88b8eb03

SHA256
bbf6d32fd8159e7c55ab2e49fddd810985268af5f47a3fcf00b11103ab0ce033

SHA512
6ad151dc8d154357081254bbd3cad876c0139a6fe3b7c8eb482492f7c9dad20f834a6215b7877c8d62608741f87591f0d776d51a90d588526badf9ba950c28c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_lzma.pyd
MD5
58e39c90bf8ceeb6744bc6f8c895bafa

SHA1
e79f327daa2b02f70517785a8369a2257bc98511

SHA256
d7b50ef280e7218bf839f6020ddd353de89f627c4daccccd12290bf1d57ed7e2

SHA512
ee5ec80768d6d1c36c2b4b7126addb5174a9733bd32e51e94e6a0e1fc6c852bc262f775e44e91d09897eb62708314d9add6e81685fcbf0f803ebbbb40ccb2322

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\_socket.pyd
MD5
62cbc5049fb9ae6bc54655daa36896e3

SHA1
51e16526c8d03f00ad2d4dc6e5f6aa136ec95061

SHA256
2d4926b1f7ce0660bb452528f914abdff9a56429d835ca4437b5e50e24830aa0

SHA512
df9d0eb431a32d71437135bd8f95e9f6be0983f4497cead6a39fb265be4f2167a970b7e380569559a09cba426ca09f66351768952b0967799a7e3f7a697a06ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\base_library.zip
MD5
174bb26af0a7c7669d1fb2e54d150971

SHA1
ef1ac2b122265f0bca3f776b6ae2a7becc276c35

SHA256
02f81520a69cf2a1d901755f61c139f67b6e727ddcd91c46f89b74fb882d6cf6

SHA512
ed4f08dbefc4a9b5a4b0051d10fb2efa80add6cf9fab258d8b1f83bcc249a1171146e89716699a3f3ad067a23f04dda28b6f7d9cf1bdcd23b945d97751f8ed19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\libffi-7.dll
MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\python38.dll
MD5
c0e8d2836de32a57da655be8cdee3baf

SHA1
745a3a0083b50ed870f0f906df6b73a305b45082

SHA256
e51e560d8d4a3d3e04edb5137da83bf7819cfa18c0439d5afe65848ff9c189ab

SHA512
065b3893942331f72893da391bb9bfcc8c670332c94c52f4a6a09f8960e482c462c7e89620f3950182051624490a2e3b7de65f49a0dfe184537c4a9c476d36a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\pythoncom38.dll
MD5
ba03e764a5cf403c9161a46adf02b86e

SHA1
767871753b139c7da22f0d9648e7bdcaaa7efcb6

SHA256
7baec45074608ea6d03967f69b5aa1c11125002da82a1211907e04c321b827f4

SHA512
72efbf8335cfa4ca561779b49272dda8f9f8793d9a4f2a45b49a7967b56940fb05faac748dd5a90257bc406c36b7cb145145420beb24e296596b4acda5472ce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\pywintypes38.dll
MD5
3206cf4cd05b9e993a822c0dac05b1d0

SHA1
f49e809fb19bc1e24f1a7904663375554bd4d5cd

SHA256
9a3b70353bb9346bf1ecd2784164feaf6dbc9cb969298091f549ef8269aef930

SHA512
a6a4aa66e264e2438df573d31da0827650f48f4877ecabf391d284c99019e041f3333a708e2657ffc565b0cb9933d9c7a77b3726b8f4ec0dda5da3c5e8ab68c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\select.pyd
MD5
b76401951c64387136739bcbb319daad

SHA1
9e3aeec14e545e380dbbc8a380890891bcca6b39

SHA256
4e4fc6b3db6be0b3d814e2149ff13c91ddbddce1349b73e90743625fa2bc896e

SHA512
65c1ccf54ed19aa26649bf593f935bf7a243a057f04fded72d3b6df6498ab4f0ed0a6d9c7c968c14add0c576317526529dcbc6b736b74c330b452248db32c65b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\win32api.pyd
MD5
2866bf1a085564a0f63b76173943ba64

SHA1
caf810657651b1ec3f667a671e8f9307eeea98b7

SHA256
3021294b610e01abd37289ddbe2bf0507e7de3fcb678e07525ec4e0892747955

SHA512
d1090831ba6d06c09f1dfe2790b435020854e328f9826937244c13cddb1080cab35f3679ab34eb44d88f9becf4ccf933cd2ebe1b5cc853758bfa9bc04b002068

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI18322\win32com\shell\shell.pyd
MD5
25b02b51bc927b39fb5bb7c7caeba4d9

SHA1
bc8728093de7b1bfd9ff67ec27d5038a6ff63cf4

SHA256
8d29f88413d6351d9d36e7ce10243164c0c37ff484baa20752de50db39ef1b27

SHA512
84753eefc133b85f9c75bb3041cba8f4b35e7689b154ebc8dcca172e1017f3fb2233cd1e24327482d253fdbff3b45bda0ae616af8d2a5b984ad4a9c63cf64942

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44362\VCRUNTIME140.dll
MD5
87dd91c56be82866bf96ef1666f30a99

SHA1
3b78cb150110166ded8ea51fbde8ea506f72aeaf

SHA256
49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f

SHA512
58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44362\_ctypes.pyd
MD5
01c6a2525adad89427d5b03673f5de18

SHA1
6762cfad8dba498526272289322d297b88b8eb03

SHA256
bbf6d32fd8159e7c55ab2e49fddd810985268af5f47a3fcf00b11103ab0ce033

SHA512
6ad151dc8d154357081254bbd3cad876c0139a6fe3b7c8eb482492f7c9dad20f834a6215b7877c8d62608741f87591f0d776d51a90d588526badf9ba950c28c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44362\_socket.pyd
MD5
62cbc5049fb9ae6bc54655daa36896e3

SHA1
51e16526c8d03f00ad2d4dc6e5f6aa136ec95061

SHA256
2d4926b1f7ce0660bb452528f914abdff9a56429d835ca4437b5e50e24830aa0

SHA512
df9d0eb431a32d71437135bd8f95e9f6be0983f4497cead6a39fb265be4f2167a970b7e380569559a09cba426ca09f66351768952b0967799a7e3f7a697a06ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44362\base_library.zip
MD5
174bb26af0a7c7669d1fb2e54d150971

SHA1
ef1ac2b122265f0bca3f776b6ae2a7becc276c35

SHA256
02f81520a69cf2a1d901755f61c139f67b6e727ddcd91c46f89b74fb882d6cf6

SHA512
ed4f08dbefc4a9b5a4b0051d10fb2efa80add6cf9fab258d8b1f83bcc249a1171146e89716699a3f3ad067a23f04dda28b6f7d9cf1bdcd23b945d97751f8ed19

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44362\libffi-7.dll
MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI44362\python38.dll
MD5
c0e8d2836de32a57da655be8cdee3baf

SHA1
745a3a0083b50ed870f0f906df6b73a305b45082

SHA256
e51e560d8d4a3d3e04edb5137da83bf7819cfa18c0439d5afe65848ff9c189ab

SHA512
065b3893942331f72893da391bb9bfcc8c670332c94c52f4a6a09f8960e482c462c7e89620f3950182051624490a2e3b7de65f49a0dfe184537c4a9c476d36a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF9DD.tmp
MD5
9f202e2da4958272b2f4ee96dedc6446

SHA1
c2eaf780dea75e81e26599b7b0e098e6c536d82d

SHA256
1964fc56565bac359ece7f745fe94a892424fd454316a9cd1208b59b799e3637

SHA512
866e7efd0da969599725861c90a82f4cc2674c78174269426545c9377faf224e21284a390abccdfadb935424fdfd0e9c615b27ca8873671c2ea100c153d25054

Download Submit
C:\Users\Admin\AppData\Roaming\WinRAR\version.dat
MD5
a214070cc833f596fb5cd734fe3951eb

SHA1
65a0059d55cfe561710fac2d625346692252b383

SHA256
6cbad9eb0d990ed7cfb4cca9720f1d6f35636554c41444da8a40afa26db8099a

SHA512
52509c3f1db287081672006d2ea54c568464cadf325eec616fe2f0272fede391cba3081c88efd9b1d14b80de186accd36db9bc2292ed38d8cefbd6f75da70a0f

Download Submit
C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
MD5
5b761d75a276181a1a0f09abb9ab78e4

SHA1
6fa16a6db5006b84bec80ea49459c696c701e0b6

SHA256
c0a191b94b644c978f452015e137632a2364b53b7ef7dd380d882ae084cea619

SHA512
b474ad06ac2c6d1dd365b589524e985e4fa21ed7dd5f1bb83a4ae1f20e1cbaf2c3690b0e01f42214dad6ea503641ed2d248ac2b3ff19fb6ef533121be5b536ac

Download Submit
C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
MD5
5b761d75a276181a1a0f09abb9ab78e4

SHA1
6fa16a6db5006b84bec80ea49459c696c701e0b6

SHA256
c0a191b94b644c978f452015e137632a2364b53b7ef7dd380d882ae084cea619

SHA512
b474ad06ac2c6d1dd365b589524e985e4fa21ed7dd5f1bb83a4ae1f20e1cbaf2c3690b0e01f42214dad6ea503641ed2d248ac2b3ff19fb6ef533121be5b536ac

Download Submit
C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
MD5
5b761d75a276181a1a0f09abb9ab78e4

SHA1
6fa16a6db5006b84bec80ea49459c696c701e0b6

SHA256
c0a191b94b644c978f452015e137632a2364b53b7ef7dd380d882ae084cea619

SHA512
b474ad06ac2c6d1dd365b589524e985e4fa21ed7dd5f1bb83a4ae1f20e1cbaf2c3690b0e01f42214dad6ea503641ed2d248ac2b3ff19fb6ef533121be5b536ac

Download Submit
C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
MD5
5b761d75a276181a1a0f09abb9ab78e4

SHA1
6fa16a6db5006b84bec80ea49459c696c701e0b6

SHA256
c0a191b94b644c978f452015e137632a2364b53b7ef7dd380d882ae084cea619

SHA512
b474ad06ac2c6d1dd365b589524e985e4fa21ed7dd5f1bb83a4ae1f20e1cbaf2c3690b0e01f42214dad6ea503641ed2d248ac2b3ff19fb6ef533121be5b536ac

Download Submit
C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
MD5
5b761d75a276181a1a0f09abb9ab78e4

SHA1
6fa16a6db5006b84bec80ea49459c696c701e0b6

SHA256
c0a191b94b644c978f452015e137632a2364b53b7ef7dd380d882ae084cea619

SHA512
b474ad06ac2c6d1dd365b589524e985e4fa21ed7dd5f1bb83a4ae1f20e1cbaf2c3690b0e01f42214dad6ea503641ed2d248ac2b3ff19fb6ef533121be5b536ac

Download Submit
C:\Users\Admin\Downloads\Craftrise_CHRAT.exe
MD5
5b761d75a276181a1a0f09abb9ab78e4

SHA1
6fa16a6db5006b84bec80ea49459c696c701e0b6

SHA256
c0a191b94b644c978f452015e137632a2364b53b7ef7dd380d882ae084cea619

SHA512
b474ad06ac2c6d1dd365b589524e985e4fa21ed7dd5f1bb83a4ae1f20e1cbaf2c3690b0e01f42214dad6ea503641ed2d248ac2b3ff19fb6ef533121be5b536ac

Download Submit
\Program Files\WinRAR\RarExt.dll
MD5
b59c22e399a5e62a6d1453f2a2d64e40

SHA1
5da7ed245e9863185cb6c22715ba9e057e3fd259

SHA256
1e258b921ca85248a29530ed46577d4c7286e6e7d260aa78e468d0c93175b893

SHA512
dcca3f891afa3157b9726fd162b36e5fd49697599029c3a30263550073878ff4a3d0bded483414f721391034d8196cd9c3116a6dbb0324d3ef4099c7f3e1a8a1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\VCRUNTIME140.dll
MD5
87dd91c56be82866bf96ef1666f30a99

SHA1
3b78cb150110166ded8ea51fbde8ea506f72aeaf

SHA256
49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f

SHA512
58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\_bz2.pyd
MD5
aaf8987c856cf8bef5e4d44f988faf9b

SHA1
74c6969fc3260da77f415814da11aa73e145b7b8

SHA256
01182e4ad15a5255213dcdd193eba94243732ffdf531a55dfea7e9aab155003f

SHA512
730d5b05bc5acd57c2834024e4ca4b71f556f1d711dc840500687b92f302039e9c9108f4ed1752d788c3b1f987aa0f3ec602f1987119439cf150636d0eb3852d

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\_ctypes.pyd
MD5
01c6a2525adad89427d5b03673f5de18

SHA1
6762cfad8dba498526272289322d297b88b8eb03

SHA256
bbf6d32fd8159e7c55ab2e49fddd810985268af5f47a3fcf00b11103ab0ce033

SHA512
6ad151dc8d154357081254bbd3cad876c0139a6fe3b7c8eb482492f7c9dad20f834a6215b7877c8d62608741f87591f0d776d51a90d588526badf9ba950c28c2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\_lzma.pyd
MD5
58e39c90bf8ceeb6744bc6f8c895bafa

SHA1
e79f327daa2b02f70517785a8369a2257bc98511

SHA256
d7b50ef280e7218bf839f6020ddd353de89f627c4daccccd12290bf1d57ed7e2

SHA512
ee5ec80768d6d1c36c2b4b7126addb5174a9733bd32e51e94e6a0e1fc6c852bc262f775e44e91d09897eb62708314d9add6e81685fcbf0f803ebbbb40ccb2322

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\_socket.pyd
MD5
62cbc5049fb9ae6bc54655daa36896e3

SHA1
51e16526c8d03f00ad2d4dc6e5f6aa136ec95061

SHA256
2d4926b1f7ce0660bb452528f914abdff9a56429d835ca4437b5e50e24830aa0

SHA512
df9d0eb431a32d71437135bd8f95e9f6be0983f4497cead6a39fb265be4f2167a970b7e380569559a09cba426ca09f66351768952b0967799a7e3f7a697a06ae

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\libffi-7.dll
MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\python38.dll
MD5
c0e8d2836de32a57da655be8cdee3baf

SHA1
745a3a0083b50ed870f0f906df6b73a305b45082

SHA256
e51e560d8d4a3d3e04edb5137da83bf7819cfa18c0439d5afe65848ff9c189ab

SHA512
065b3893942331f72893da391bb9bfcc8c670332c94c52f4a6a09f8960e482c462c7e89620f3950182051624490a2e3b7de65f49a0dfe184537c4a9c476d36a0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\pythoncom38.dll
MD5
ba03e764a5cf403c9161a46adf02b86e

SHA1
767871753b139c7da22f0d9648e7bdcaaa7efcb6

SHA256
7baec45074608ea6d03967f69b5aa1c11125002da82a1211907e04c321b827f4

SHA512
72efbf8335cfa4ca561779b49272dda8f9f8793d9a4f2a45b49a7967b56940fb05faac748dd5a90257bc406c36b7cb145145420beb24e296596b4acda5472ce0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\pywintypes38.dll
MD5
3206cf4cd05b9e993a822c0dac05b1d0

SHA1
f49e809fb19bc1e24f1a7904663375554bd4d5cd

SHA256
9a3b70353bb9346bf1ecd2784164feaf6dbc9cb969298091f549ef8269aef930

SHA512
a6a4aa66e264e2438df573d31da0827650f48f4877ecabf391d284c99019e041f3333a708e2657ffc565b0cb9933d9c7a77b3726b8f4ec0dda5da3c5e8ab68c0

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\select.pyd
MD5
b76401951c64387136739bcbb319daad

SHA1
9e3aeec14e545e380dbbc8a380890891bcca6b39

SHA256
4e4fc6b3db6be0b3d814e2149ff13c91ddbddce1349b73e90743625fa2bc896e

SHA512
65c1ccf54ed19aa26649bf593f935bf7a243a057f04fded72d3b6df6498ab4f0ed0a6d9c7c968c14add0c576317526529dcbc6b736b74c330b452248db32c65b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\win32api.pyd
MD5
2866bf1a085564a0f63b76173943ba64

SHA1
caf810657651b1ec3f667a671e8f9307eeea98b7

SHA256
3021294b610e01abd37289ddbe2bf0507e7de3fcb678e07525ec4e0892747955

SHA512
d1090831ba6d06c09f1dfe2790b435020854e328f9826937244c13cddb1080cab35f3679ab34eb44d88f9becf4ccf933cd2ebe1b5cc853758bfa9bc04b002068

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI18322\win32com\shell\shell.pyd
MD5
25b02b51bc927b39fb5bb7c7caeba4d9

SHA1
bc8728093de7b1bfd9ff67ec27d5038a6ff63cf4

SHA256
8d29f88413d6351d9d36e7ce10243164c0c37ff484baa20752de50db39ef1b27

SHA512
84753eefc133b85f9c75bb3041cba8f4b35e7689b154ebc8dcca172e1017f3fb2233cd1e24327482d253fdbff3b45bda0ae616af8d2a5b984ad4a9c63cf64942

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44362\VCRUNTIME140.dll
MD5
87dd91c56be82866bf96ef1666f30a99

SHA1
3b78cb150110166ded8ea51fbde8ea506f72aeaf

SHA256
49b0fd1751342c253cac588dda82ec08e4ef43cebc5a9d80deb7928109b90c4f

SHA512
58c3ec6761624d14c7c897d8d0842dbeab200d445b4339905dac8a3635d174cdfb7b237d338d2829bc6c602c47503120af5be0c7de6abf2e71c81726285e44d6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44362\_ctypes.pyd
MD5
01c6a2525adad89427d5b03673f5de18

SHA1
6762cfad8dba498526272289322d297b88b8eb03

SHA256
bbf6d32fd8159e7c55ab2e49fddd810985268af5f47a3fcf00b11103ab0ce033

SHA512
6ad151dc8d154357081254bbd3cad876c0139a6fe3b7c8eb482492f7c9dad20f834a6215b7877c8d62608741f87591f0d776d51a90d588526badf9ba950c28c2

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44362\libffi-7.dll
MD5
bc20614744ebf4c2b8acd28d1fe54174

SHA1
665c0acc404e13a69800fae94efd69a41bdda901

SHA256
0c7ec6de19c246a23756b8550e6178ac2394b1093e96d0f43789124149486f57

SHA512
0c473e7070c72d85ae098d208b8d128b50574abebba874dda2a7408aea2aabc6c4b9018801416670af91548c471b7dd5a709a7b17e3358b053c37433665d3f6b

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI44362\python38.dll
MD5
c0e8d2836de32a57da655be8cdee3baf

SHA1
745a3a0083b50ed870f0f906df6b73a305b45082

SHA256
e51e560d8d4a3d3e04edb5137da83bf7819cfa18c0439d5afe65848ff9c189ab

SHA512
065b3893942331f72893da391bb9bfcc8c670332c94c52f4a6a09f8960e482c462c7e89620f3950182051624490a2e3b7de65f49a0dfe184537c4a9c476d36a0

Download Submit
memory/304-674-0x0000000004F40000-0x000000000543E000-memory.dmp

Filesize
5.0MB

Download
memory/1468-550-0x000000000040C71E-mapping.dmp

Download
memory/1468-577-0x00000000050B0000-0x00000000050B1000-memory.dmp

Filesize
4KB

Download
memory/1764-685-0x0000000000000000-mapping.dmp

Download
memory/1832-521-0x0000000000000000-mapping.dmp

Download
memory/2132-140-0x0000000000000000-mapping.dmp

Download
memory/2792-578-0x0000000004B20000-0x0000000004B21000-memory.dmp

Filesize
4KB

Download
memory/2792-572-0x0000000000000000-mapping.dmp

Download
memory/2792-579-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/3440-437-0x0000000000000000-mapping.dmp

Download
memory/3784-560-0x0000000000000000-mapping.dmp

Download
memory/4132-498-0x0000000005290000-0x000000000578E000-memory.dmp

Filesize
5.0MB

Download
memory/4180-507-0x0000000005660000-0x0000000005B5E000-memory.dmp

Filesize
5.0MB

Download
memory/4292-486-0x0000000004E80000-0x000000000537E000-memory.dmp

Filesize
5.0MB

Download
memory/4348-475-0x0000000004AB0000-0x0000000004FAE000-memory.dmp

Filesize
5.0MB

Download
memory/4356-525-0x0000000000000000-mapping.dmp

Download
memory/4416-120-0x00007FFA459C0000-0x00007FFA459C1000-memory.dmp

Filesize
4KB

Download
memory/4436-558-0x0000000000000000-mapping.dmp

Download
memory/4488-122-0x0000000000000000-mapping.dmp

Download
memory/4576-514-0x0000000005060000-0x000000000555E000-memory.dmp

Filesize
5.0MB

Download
memory/5056-576-0x0000000000000000-mapping.dmp

Download
memory/5084-524-0x0000000000000000-mapping.dmp

Download
memory/5176-580-0x0000000000000000-mapping.dmp

Download
memory/5284-668-0x0000000004FE0000-0x00000000054DE000-memory.dmp

Filesize
5.0MB

Download
memory/5432-588-0x0000000000000000-mapping.dmp

Download
memory/5540-695-0x0000000000000000-mapping.dmp

Download
memory/5612-598-0x00000000027C0000-0x00000000027C1000-memory.dmp

Filesize
4KB

Download
memory/5780-609-0x0000000002600000-0x0000000002601000-memory.dmp

Filesize
4KB

Download
memory/5836-641-0x0000000004D70000-0x000000000526E000-memory.dmp

Filesize
5.0MB

Download
memory/5908-620-0x0000000005080000-0x000000000557E000-memory.dmp

Filesize
5.0MB

Download
memory/5924-689-0x0000000000000000-mapping.dmp

Download
memory/5924-707-0x000001BD80F00000-0x000001BD80F01000-memory.dmp

Filesize
4KB

Download
memory/5924-708-0x000001BD80F00000-0x000001BD80F40000-memory.dmp

Filesize
256KB

Download
memory/5924-710-0x000001BD81800000-0x000001BD81840000-memory.dmp

Filesize
256KB

Download
memory/5924-709-0x000001BD81800000-0x000001BD81801000-memory.dmp

Filesize
4KB

Download