dcrat | 7db3465af572c659119fd7da0d51d1a348016a2f4ee1f5e8af6fbaedd529fd5c

Analysis

max time kernel
570s
max time network
589s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
25-01-2023 21:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Atlas-Fortnite-Spoofer-v3-updated-main/FTSpoofer v4.rar
Size

5.9MB
MD5

b3ff557cdcfc25c9a9758e786e816c74
SHA1

43adc310f4e075934725ff94a9cb75c9309de534
SHA256

184e03f9d289f0b50c3002afe56631ce17c7b9dd69f0d0584c6cf57f315d11d1
SHA512

486e465ba9beb6963821741aa31bce1e975fd27b15936979e4ebb7ebebe39203d34b74418f6d8e6acec2f8b30b14d78277d37991e1bd4165590a283fc423bd8e
SSDEEP

98304:fPkA2UIdH3X3PIQ5e8Rl4/7ZPR0pGvjM42ThuHOqqctTwizmZhIsTAy3nvEcAKC3:kAZVQ5HY/7Zu+jM4quHOawizmvI1yvAZ

Score

10^/10

dcrat discovery infostealer persistence ransomware rat

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.20 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If no switches are specified, 'ch' command just copies the archive data without modification. If used with -amr switch to restore the saved archive name and time, other archive modification switches are ignored. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.20 1. If "Autodetect passwords" option in "Organizer passwords" dialog is enabled and password matching a processing archive is present among saved passwords, it is applied automatically. This option is applicable only for archives in RAR 5.0 and ZIP formats, which allow to verify the password validity quickly. There is a minor chance of incorrect password detection for ZIP archives if stored passwords do not include a proper one. If encrypted ZIP archive extraction fails, you can try to disable this option, repeat extraction and enter a valid password manually. 2. If extraction command involves only a part of files in RAR archive, the additional archive analysis is performed when starting extraction. It helps to properly unpack file references even if reference source is not selected. It works for most of RAR archives except for volumes on multiple removable media and archives containing a very large number of references. Also in some cases such analysis may help to optimize the amount of processing data when extracting individual files from semi-solid archives created with -s<N> and -se switches. 3. "Save original archive name and time" option on "Options" page of archiving dialog allows to save the original archive name and creation time. If archive includes such saved name and time, they are displayed on "Info" page of "Show information" command and can be restored on "Options" page of same command. Restoring involves renaming an archive to original name and setting the saved time as the archive creation and modification time. Switch -ams or just -am together with archive modification commands can be used to save the archive name and time in the command line mode. These saved parameters are displayed in header of "l" and "v" commands output and can be restored with -amr switch combined with "ch" command, such as "rar ch -amr arc.rar". If -amr is specified, "ch" ignores other archive modification switches. 4. Faster RAR5 compression of poorly compressible data on modern CPUs with 8 or more execution threads. This applies to all methods except "Fastest", which performance remains the same. 5. "Repair" command efficiency is improved for shuffled data blocks in recovery record protected RAR5 archives. 6. If file size has grown after archiving when creating non-solid RAR volumes, such file is stored without compression regardless of volume number, provided that file isn't split between volumes. Previously it worked only for files in the first volume. 7. Added decompression of .zipx archives containing file references, provided that both reference source and target are selected and reference source precedes the target inside of archive. Typically, if .zipx archive includes file references, it is necessary to unpack the entire archive to extract references successfully. 8. Added decompression of .zst long range mode archives with dictionary exceeding 128 MB. Previously it was possible to decompress them only if dictionary was 128 MB or less. 9. If "Turn PC off", "Hibernate", "Sleep" or "Restart PC" archiving options are enabled in WinRAR, a prompt to confirm or cancel such power management action is displayed directly before starting it. If no selection was made by user for 30 seconds, the proposed action is confirmed and started automatically. This prompt is also displayed for -ioff switch in WinRAR command line, but not in console RAR command line. 10. Context menu in WinRAR file list provides "Open in internal viewer" command for archive files. It can be helpful if you wish to view the archive raw data in internal viewer. For example, to read an email archive with UUE attachments included. Usual "View" command always displays the archive contents. If file is recognized as UUE archive, "View" would show UUE attachments. 11. Recovery record size is displayed on "Archive" page of file properties invoked from Explorer context menu for archives in RAR5 format. Previously there was only "Present" instead of exact size for RAR5 archives. 12. When archiving from stdin with -si switch, RAR displays the current amount of read bytes as the progress indicator. 13. If wrong password is specified when adding files to encrypted solid RAR5 archive, a password will be requested again. Previous versions cancelled archiving in this case. 14. If both options "Test archived files" and "Clear attribute "Archive" after compressing" or their command line -t -ac equivalents are enabled when archiving, "Archive" attribute will be cleared only if test was completed successfully. Previously it was cleared even when test reported errors. 15. NoDrives value containing the bit mask to hide drives can be now read from "HKEY_CURRENT_USER\Software\WinRAR\Policy" Registry key, which allows to include it to winrar.ini if necessary. Its "Software\Microsoft\Windows\CurrentVersion\Policies" locations in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are also supported. Previously only "Software\Microsoft\Windows\CurrentVersion\Policies" in HKEY_CURRENT_USER was recognized. 16. Bugs fixed: a) archive modification commands could fail for some ZIP archives with file comments; b) fixed a memory leak when reading contents of .tar.bz2 archives; c) if source and resulting archive format is the same, the archive conversion command didn't set the original archive time to a newly created archive even if "Original archive time" option was selected in archiving parameters; d) if "Merge volumes contents" option in "Settings/File list" was turned on, the folder packed size in WinRAR file list could be less than expected when browsing a multivolume archive contents. It didn't include the packed size of file parts continuing from previous volume into calculation; e) even if "Set file security" extraction option was turned off by default, extraction commands in Explorer context menu still attempted to restore NTFS file security data; f) WinRAR could read data beyond the end of buffer and crash when unpacking files from specially crafted ZIP archive. We are thankful to Bakker working with Trend Micro Zero Day Initiative for letting us know about this bug. Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
behavioral1/memory/2620-126-0x0000000000900000-0x00000000009EE000-memory.dmp	dcrat
behavioral1/memory/1588-129-0x0000000000E50000-0x0000000000F3E000-memory.dmp	dcrat
behavioral1/memory/640-132-0x0000000000B50000-0x0000000000C3E000-memory.dmp	dcrat
behavioral1/memory/1356-133-0x0000000000CE0000-0x0000000000DCE000-memory.dmp	dcrat
behavioral1/memory/2796-134-0x0000000001170000-0x000000000125E000-memory.dmp	dcrat
behavioral1/memory/2348-208-0x0000000000A10000-0x0000000000AFE000-memory.dmp	dcrat
behavioral1/memory/2244-209-0x0000000000140000-0x000000000022E000-memory.dmp	dcrat

Blocklisted process makes network request 6 IoCs

Processes:

msiexec.exerundll32.exerundll32.exerundll32.exerundll32.exe

flow pid process

198 1952 msiexec.exe
200 1952 msiexec.exe
202 2184 rundll32.exe
204 2884 rundll32.exe
206 628 rundll32.exe
208 2876 rundll32.exe
Downloads MZ/PE file

flow	pid	process
198	1952	msiexec.exe
200	1952	msiexec.exe
202	2184	rundll32.exe
204	2884	rundll32.exe
206	628	rundll32.exe
208	2876	rundll32.exe

Executes dropped EXE 24 IoCs

Processes:

winrar-x64-620.exeuninstall.exeWinRAR.exeWinRAR.exeWinRAR.exeLoader v4.exeLoader v4.exeWinRAR.exeWinRAR.exeLoader v4.exeLoader v4.exeLoader v4.exeDXSETUP.exeInstallChainer.exeEpicOnlineServices.exeEpicOnlineServicesHost.exeEpicOnlineServicesUserHelper.exeEpicGamesLauncher.exeEpicGamesLauncher.exeEpicGamesLauncher.exeEpicGamesLauncher.exeLoader v4.exeLoader v4.exeLoader v4.exe

pid	process
1512	winrar-x64-620.exe
1904	uninstall.exe
2056	WinRAR.exe
2884	WinRAR.exe
2496	WinRAR.exe
2620	Loader v4.exe
1588	Loader v4.exe
2076	WinRAR.exe
1236	WinRAR.exe
640	Loader v4.exe
1356	Loader v4.exe
2796	Loader v4.exe
2380	DXSETUP.exe
1900	InstallChainer.exe
2344	EpicOnlineServices.exe
2984	EpicOnlineServicesHost.exe
2756	EpicOnlineServicesUserHelper.exe
2388	EpicGamesLauncher.exe
2640	EpicGamesLauncher.exe
2620	EpicGamesLauncher.exe
2736	EpicGamesLauncher.exe
2348	Loader v4.exe
2244	Loader v4.exe
1144	Loader v4.exe

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Processes:

uninstall.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EpicGamesLauncher.exeEpicGamesLauncher.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	EpicGamesLauncher.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Control Panel\International\Geo\Nation	EpicGamesLauncher.exe

Loads dropped DLL 64 IoCs

Processes:

chrome.exechrome.exechrome.exewinrar-x64-620.exeuninstall.exechrome.exechrome.exeMsiExec.exerundll32.exeMsiExec.exerundll32.exeMsiExec.exerundll32.exeDXSETUP.exe

pid	process
2800	chrome.exe
2800	chrome.exe
2792	chrome.exe
2792	chrome.exe
828	chrome.exe
1256
1256
1512	winrar-x64-620.exe
1256
1904	uninstall.exe
1904	uninstall.exe
1256
1256
1256
1256
1256
1528	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
1256
1644	chrome.exe
1644	chrome.exe
1256
1256
1256
1256
1256
1256
1256
772	MsiExec.exe
772	MsiExec.exe
772	MsiExec.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
1636	rundll32.exe
2856	MsiExec.exe
2856	MsiExec.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
2184	rundll32.exe
1528	MsiExec.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2696	rundll32.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe
2380	DXSETUP.exe

Modifies file permissions 1 TTPs 2 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

icacls.exeicacls.exe

pid process

1444 icacls.exe
3052 icacls.exe
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

pid	process
1444	icacls.exe
3052	icacls.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe

Drops file in System32 directory 15 IoCs

Processes:

DXSETUP.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\d3dcsx_43.dll	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SET99B5.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SET99B5.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SET98F6.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SET98F6.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\d3dx10_43.dll	DXSETUP.exe
File created	C:\Windows\SysWOW64\SET9946.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SET9926.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SET9985.tmp	DXSETUP.exe
File created	C:\Windows\SysWOW64\SET9985.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\D3DCompiler_43.dll	DXSETUP.exe
File created	C:\Windows\SysWOW64\SET9926.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\SET9946.tmp	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\d3dx11_43.dll	DXSETUP.exe
File opened for modification	C:\Windows\SysWOW64\xinput1_3.dll	DXSETUP.exe

Drops file in Program Files directory 64 IoCs

Processes:

msiexec.exewinrar-x64-620.exe

description	ioc	process
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\en_GI.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\curr\ps.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\zone\ks.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\id_ID.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\ksf.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\curr\ha_GH.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Slate\Common\ComboArrow.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\ta_IN.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\curr\en_FM.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\region\en_MW.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Portal\Content\New UI\settings_right_arrow.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Config\BaseEditorSettings.ini	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\coll\cs.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\curr\pa_Arab_PK.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\ta_MY.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\zone\bo.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\zone\zh_TW.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Slate\Icons\Edit\icon_Edit_Rename_16x.png	msiexec.exe
File created	C:\Program Files\WinRAR\License.txt	winrar-x64-620.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\coll\sh_CS.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\coll\es__TRADITIONAL.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\api-ms-win-core-util-l1-1-0.dll	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\region\en_MO.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Slate\Icons\icon_undo_16px.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\brkitr\de.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\lang\saq.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Portal\Content\Localization\App\App.locmeta	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\curr\ee.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\CEF\Win32\Resources\locales\ms.pak	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\lang\si.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\zone\nd.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\no_NO_NY.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\fr_BE.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\lang\sr_Latn.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\es_PE.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\region\pa_PK.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\region\he.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\region\ks_IN.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\curr\pa.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Slate\Common\Spinbox_Hovered.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\bs_Cyrl.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\en_KY.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\haw_US.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\curr\pa_Guru_IN.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\zone\vai_Vaii.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\region\uz.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Slate\Common\Spinbox_Fill_Hovered.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\curr\teo.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Slate\Docking\ShowTabwellButton_Hovered.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\lang\pa.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\curr\en_TT.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\region\en_PW.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\region\ewo.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\lang\leet.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\leet.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\curr\pt.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Slate\Common\DropZoneIndicator_Onto.png	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\zone\ms_Latn_MY.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\curr\tl.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Epic Online Services\Engine\Content\Internationalization\icudt53l\da_GL.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\curr\ca_FR.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\lang\ga.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\fr_RW.res	msiexec.exe
File created	C:\Program Files (x86)\Epic Games\Launcher\Engine\Content\Internationalization\icudt53l\sr_BA.res	msiexec.exe

Drops file in Windows directory 64 IoCs

Processes:

msiexec.exerundll32.exerundll32.exerundll32.exerundll32.exeDXSETUP.exerundll32.exerundll32.exerundll32.exeDrvInst.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exerundll32.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSI1D5A.tmp	msiexec.exe
File created	C:\Windows\Installer\71e090.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE46A.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3950.tmp	msiexec.exe
File created	C:\Windows\Installer\71e093.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA214.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIBA77.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1CBD.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIF221.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B2E53202F9E1D3742A512B64F7F1603E\1.3.51\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Logs\DirectX.log	DXSETUP.exe
File opened for modification	C:\Windows\Installer\MSIA409.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIE46A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE46A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File created	C:\Windows\Installer\71e091.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI252A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIBF6A.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B2E53202F9E1D3742A512B64F7F1603E\1.3.51\F_CENTRAL_msvcr120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File created	C:\Windows\Installer\{20235E2B-1E9F-473D-A215-B2467F1F06E3}\Installer.ico	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.ev1	DrvInst.exe
File opened for modification	C:\Windows\Installer\MSIA409.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA7D1.tmp	msiexec.exe
File created	C:\Windows\Installer\71e096.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBF6A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6CF.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2A68.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBBEF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B2E53202F9E1D3742A512B64F7F1603E\1.3.51	msiexec.exe
File opened for modification	C:\Windows\INF\setupapi.app.log	DXSETUP.exe
File opened for modification	C:\Windows\Installer\MSIA0FA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1F4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA214.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIBA77.tmp-\CustomActionManaged.dll	rundll32.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\B2E53202F9E1D3742A512B64F7F1603E\1.3.51\F_CENTRAL_msvcp120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File created	C:\Windows\Installer\$PatchCache$\Managed\B2E53202F9E1D3742A512B64F7F1603E\1.3.51\F_CENTRAL_vccorlib120_x86.194841A2_D0F2_3B96_9F71_05BA91BEA0FA	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA214.tmp-\CustomActionManaged.dll	rundll32.exe
File created	C:\Windows\Installer\71e094.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\{19695986-25CE-41AC-9C6F-54794653EDBA}\Installer.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA214.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6CF.tmp-\CustomAction.config	rundll32.exe
File created	C:\Windows\Installer\{19695986-25CE-41AC-9C6F-54794653EDBA}\Installer.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE341.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\{20235E2B-1E9F-473D-A215-B2467F1F06E3}\Installer.ico	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9AB2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\71e094.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA77.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1E64.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2A68.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\$PatchCache$\Managed\B2E53202F9E1D3742A512B64F7F1603E	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC66F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI1D5A.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI1D5A.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI252A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIE46A.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI3950.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIBBEF.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIBC7C.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC41D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIC6CF.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSI2A68.tmp-\CustomActionManaged.dll	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIA409.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA409.tmp-\CustomAction.config	rundll32.exe
File opened for modification	C:\Windows\Installer\MSIBC7C.tmp-\Microsoft.Deployment.WindowsInstaller.dll	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

winrar-x64-620.exeWinRAR.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-620.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main	WinRAR.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	WinRAR.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	WinRAR.exe

Modifies data under HKEY_USERS 64 IoCs

Processes:

DrvInst.exeDXSETUP.exeEpicOnlineServicesUserHelper.exemsiexec.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Epic Games\Unreal Engine\Identifiers	EpicOnlineServicesUserHelper.exe
Key created	\REGISTRY\USER\.DEFAULT\Software	EpicOnlineServicesUserHelper.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Epic Games\Unreal Engine	EpicOnlineServicesUserHelper.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	DXSETUP.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DXSETUP.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Epic Games\Unreal Engine\Identifiers\MachineId = "BAA9D03A41BE91DACD4E04922FC713FA"	EpicOnlineServicesUserHelper.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Epic Games\Unreal Engine\Identifiers	EpicOnlineServicesUserHelper.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2E	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	DrvInst.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DXSETUP.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet = "0"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs	DXSETUP.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\AutoDetect = "1"	rundll32.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CTLs	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates	DrvInst.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs	DXSETUP.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	DrvInst.exe

Modifies registry class 64 IoCs

Processes:

msiexec.exeuninstall.exeEpicOnlineServicesUserHelper.exerundll32.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.epicgames.launcher\shell\open	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B2E53202F9E1D3742A512B64F7F1603E\SourceList\LastUsedSource = "n;1;C:\\Users\\Admin\\Downloads\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r10	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68959691EC52CA14C9F645976435DEAB	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r01\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.epicgames.launcher\shell\open\command	msiexec.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68959691EC52CA14C9F645976435DEAB\Assignment = "1"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\com.epicgames.eos\DefaultIcon	EpicOnlineServicesUserHelper.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r04	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r28	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r19\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r26\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68959691EC52CA14C9F645976435DEAB\ProductFeature	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r27\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\Software\Classes\com.epicgames.launcher\shell\open\command	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r17	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\B2E53202F9E1D3742A512B64F7F1603E\VCRedist	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\ShellEx\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\com.epicgames.launcher\DefaultIcon\ = "C:\\Program Files (x86)\\Epic Games\\Launcher\\Portal\\Binaries\\Win32\\EpicGamesLauncher.exe,0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09	uninstall.exe
Key created	\REGISTRY\MACHINE\Software\Classes\com.epicgames.launcher\DefaultIcon	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68959691EC52CA14C9F645976435DEAB\SourceList\Net\1 = "C:\\Program Files (x86)\\Epic Games\\Launcher\\Portal\\Extras\\EOS\\"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r18\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.gz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r16\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew\FileName = "C:\\Program Files\\WinRAR\\zipnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.lz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,1"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\B2E53202F9E1D3742A512B64F7F1603E\PackageCode = "16FEBE41519DB844C989654416C8A83E"	msiexec.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Features\68959691EC52CA14C9F645976435DEAB	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\USER\S-1-5-21-3845472200-3839195424-595303356-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\MuiCache	rundll32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz2	uninstall.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68959691EC52CA14C9F645976435DEAB\InstanceType = "0"	msiexec.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Installer\Products\68959691EC52CA14C9F645976435DEAB\SourceList\LastUsedSource = "n;1;C:\\Program Files (x86)\\Epic Games\\Launcher\\Portal\\Extras\\EOS\\"	msiexec.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

chrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exechrome.exeMsiExec.exemsiexec.exe

pid	process
1532	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
2884	chrome.exe
1528	chrome.exe
2340	chrome.exe
1644	chrome.exe
2680	chrome.exe
2652	chrome.exe
2824	chrome.exe
2856	MsiExec.exe
2856	MsiExec.exe
2856	MsiExec.exe
2324	msiexec.exe
2324	msiexec.exe
2324	msiexec.exe
2324	msiexec.exe
2324	msiexec.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

Processes:

rundll32.exeWinRAR.exeWinRAR.exe

pid process

1504 rundll32.exe
2056 WinRAR.exe
2496 WinRAR.exe

pid	process
1504	rundll32.exe
2056	WinRAR.exe
2496	WinRAR.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

AUDIODG.EXELoader v4.exeLoader v4.exeLoader v4.exeLoader v4.exeLoader v4.exemsiexec.exemsiexec.exe

description	pid	process
Token: 33	2996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2996	AUDIODG.EXE
Token: 33	2996	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2996	AUDIODG.EXE
Token: SeDebugPrivilege	2620	Loader v4.exe
Token: SeDebugPrivilege	1588	Loader v4.exe
Token: SeDebugPrivilege	640	Loader v4.exe
Token: SeDebugPrivilege	1356	Loader v4.exe
Token: SeDebugPrivilege	2796	Loader v4.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	2324	msiexec.exe
Token: SeTakeOwnershipPrivilege	2324	msiexec.exe
Token: SeSecurityPrivilege	2324	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe
Token: SeChangeNotifyPrivilege	1952	msiexec.exe
Token: SeRemoteShutdownPrivilege	1952	msiexec.exe
Token: SeUndockPrivilege	1952	msiexec.exe
Token: SeSyncAgentPrivilege	1952	msiexec.exe
Token: SeEnableDelegationPrivilege	1952	msiexec.exe
Token: SeManageVolumePrivilege	1952	msiexec.exe
Token: SeImpersonatePrivilege	1952	msiexec.exe
Token: SeCreateGlobalPrivilege	1952	msiexec.exe
Token: SeCreateTokenPrivilege	1952	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	1952	msiexec.exe
Token: SeLockMemoryPrivilege	1952	msiexec.exe
Token: SeIncreaseQuotaPrivilege	1952	msiexec.exe
Token: SeMachineAccountPrivilege	1952	msiexec.exe
Token: SeTcbPrivilege	1952	msiexec.exe
Token: SeSecurityPrivilege	1952	msiexec.exe
Token: SeTakeOwnershipPrivilege	1952	msiexec.exe
Token: SeLoadDriverPrivilege	1952	msiexec.exe
Token: SeSystemProfilePrivilege	1952	msiexec.exe
Token: SeSystemtimePrivilege	1952	msiexec.exe
Token: SeProfSingleProcessPrivilege	1952	msiexec.exe
Token: SeIncBasePriorityPrivilege	1952	msiexec.exe
Token: SeCreatePagefilePrivilege	1952	msiexec.exe
Token: SeCreatePermanentPrivilege	1952	msiexec.exe
Token: SeBackupPrivilege	1952	msiexec.exe
Token: SeRestorePrivilege	1952	msiexec.exe
Token: SeShutdownPrivilege	1952	msiexec.exe
Token: SeDebugPrivilege	1952	msiexec.exe
Token: SeAuditPrivilege	1952	msiexec.exe
Token: SeSystemEnvironmentPrivilege	1952	msiexec.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

chrome.exeWinRAR.exe

pid	process
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe
2056	WinRAR.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

chrome.exe

pid	process
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe
828	chrome.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

winrar-x64-620.exeWinRAR.exe

pid process

1512 winrar-x64-620.exe
1512 winrar-x64-620.exe
2056 WinRAR.exe
2056 WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.exechrome.exe

description	pid	process	target process
PID 1624 wrote to memory of 1504	1624	cmd.exe	rundll32.exe
PID 1624 wrote to memory of 1504	1624	cmd.exe	rundll32.exe
PID 1624 wrote to memory of 1504	1624	cmd.exe	rundll32.exe
PID 828 wrote to memory of 1740	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1740	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1740	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 956	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1532	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1532	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1532	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe
PID 828 wrote to memory of 1984	828	chrome.exe	chrome.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Atlas-Fortnite-Spoofer-v3-updated-main\FTSpoofer v4.rar"
1⤵
- Suspicious use of WriteProcessMemory
PID:1624

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Atlas-Fortnite-Spoofer-v3-updated-main\FTSpoofer v4.rar
2⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:1504

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6184f50,0x7fef6184f60,0x7fef6184f70
2⤵
PID:1740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1144 /prefetch:2
2⤵
PID:956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1268 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1532

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1848 /prefetch:8
2⤵
PID:1984

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2160 /prefetch:1
2⤵
PID:1584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2044 /prefetch:1
2⤵
PID:1368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2732 /prefetch:8
2⤵
PID:980

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:2
2⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3508 /prefetch:8
2⤵
PID:2076

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3612 /prefetch:8
2⤵
PID:2084

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3820 /prefetch:8
2⤵
PID:2164

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3816 /prefetch:8
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3892 /prefetch:8
2⤵
PID:2180

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3988 /prefetch:8
2⤵
PID:2248

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4060 /prefetch:8
2⤵
PID:2312

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3908 /prefetch:8
2⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4008 /prefetch:8
2⤵
PID:2328

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4012 /prefetch:8
2⤵
PID:2336

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
2⤵
PID:2456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2248 /prefetch:1
2⤵
PID:2520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4044 /prefetch:1
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2140 /prefetch:1
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1568 /prefetch:1
2⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2204 /prefetch:1
2⤵
PID:2828

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4712 /prefetch:1
2⤵
PID:2896

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4688 /prefetch:1
2⤵
PID:2956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5360 /prefetch:8
2⤵
PID:3056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=776 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4336 /prefetch:1
2⤵
PID:2240

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1564 /prefetch:1
2⤵
PID:2172

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4648 /prefetch:8
2⤵
PID:2360

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5424 /prefetch:8
2⤵
PID:2368

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5520 /prefetch:1
2⤵
PID:2452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4852 /prefetch:1
2⤵
PID:628

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=916 /prefetch:1
2⤵
PID:2548

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2004 /prefetch:1
2⤵
PID:2544

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3680 /prefetch:8
2⤵
PID:2500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3004 /prefetch:8
2⤵
PID:1352

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=544 /prefetch:8
2⤵
PID:1824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3052 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2884

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3076 /prefetch:8
2⤵
- Loads dropped DLL
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3064 /prefetch:8
2⤵
- Loads dropped DLL
PID:2792

C:\Users\Admin\Downloads\winrar-x64-620.exe
"C:\Users\Admin\Downloads\winrar-x64-620.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1512

C:\Program Files\WinRAR\uninstall.exe
"C:\Program Files\WinRAR\uninstall.exe" /setup
3⤵
- Modifies system executable filetype association
- Executes dropped EXE
- Registers COM server for autorun
- Loads dropped DLL
- Modifies registry class
PID:1904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1076 /prefetch:1
2⤵
PID:2332

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4544 /prefetch:8
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2340

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Atlas-Fortnite-Spoofer-v3-updated-main.zip"
2⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2056

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Rar$DIa2056.3069\FTSpoofer v4.rar"
3⤵
- Executes dropped EXE
PID:2884

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\Rar$DIa2056.3965\PASS - 2023YEAR.TXT
3⤵
PID:2656

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\AppData\Local\Temp\Rar$DIa2056.5825\FTSpoofer v4.rar"
3⤵
- Executes dropped EXE
- Suspicious behavior: GetForegroundWindowSpam
PID:2496

C:\Users\Admin\AppData\Local\Temp\Rar$EXb2496.6699\sambld\Loader v4.exe
"C:\Users\Admin\AppData\Local\Temp\Rar$EXb2496.6699\sambld\Loader v4.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2620

C:\Users\Admin\AppData\Local\Temp\Rar$EXb2496.7875\sambld\Loader v4.exe
"C:\Users\Admin\AppData\Local\Temp\Rar$EXb2496.7875\sambld\Loader v4.exe"
4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1588

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4936 /prefetch:8
2⤵
PID:2136

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4672 /prefetch:8
2⤵
PID:2096

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4584 /prefetch:8
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:1644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4608 /prefetch:8
2⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4520 /prefetch:8
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5328 /prefetch:1
2⤵
PID:2036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3872 /prefetch:8
2⤵
PID:1596

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1672 /prefetch:1
2⤵
PID:1252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1724 /prefetch:1
2⤵
PID:904

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5332 /prefetch:8
2⤵
PID:892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3184 /prefetch:8
2⤵
PID:2608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3128 /prefetch:8
2⤵
PID:2612

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4376 /prefetch:8
2⤵
PID:1144

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4208 /prefetch:8
2⤵
PID:740

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3540 /prefetch:8
2⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3604 /prefetch:1
2⤵
PID:1700

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3968 /prefetch:1
2⤵
PID:1116

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3152 /prefetch:1
2⤵
PID:1520

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5456 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2168 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2652

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Users\Admin\Downloads\EpicInstaller-14.2.1.msi"
2⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:1952

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4124 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:2824

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3604 /prefetch:8
2⤵
PID:2616

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,4250614315539372212,2493928130429022083,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=628 /prefetch:8
2⤵
PID:2448

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x494
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2996

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Desktop\FTSpoofer v4.rar" "?\"
1⤵
- Executes dropped EXE
PID:2076

C:\Program Files\WinRAR\WinRAR.exe
"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Desktop\FTSpoofer v4.rar" C:\Users\Admin\Desktop\
1⤵
- Executes dropped EXE
PID:1236

C:\Users\Admin\Desktop\sambld\Loader v4.exe
"C:\Users\Admin\Desktop\sambld\Loader v4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:640

C:\Users\Admin\Desktop\sambld\Loader v4.exe
"C:\Users\Admin\Desktop\sambld\Loader v4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1356

C:\Users\Admin\Desktop\sambld\Loader v4.exe
"C:\Users\Admin\Desktop\sambld\Loader v4.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2796

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2324

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 29D99F8EBB1BD953565E15C0247D5F0F C
2⤵
- Loads dropped DLL
PID:772

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\MSIDD1B.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7462183 5 CustomActionManaged!CustomActionManaged.CustomActions.ValidatePathLength
3⤵
- Loads dropped DLL
PID:1636

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 46C900AA055E52A889A5510312F30E91
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2856

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIE46A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7464070 9 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendStart
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
- Drops file in Windows directory
PID:2184

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIA214.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7512602 36 CustomActionManaged!CustomActionManaged.CustomActions.SetStartupCmdlineArgs
3⤵
- Drops file in Windows directory
PID:2620

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIA409.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7513101 42 CustomActionManaged!CustomActionManaged.CustomActions.TelemetrySendEnd
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:2884

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBA77.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7518858 50 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherEpicGamesDirLoc
3⤵
- Drops file in Windows directory
PID:2596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBBEF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7519216 56 CustomActionManaged!CustomActionManaged.CustomActions.SetLauncherInstallDirLoc
3⤵
- Drops file in Windows directory
PID:2400

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBC7C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7519341 62 CustomActionManaged!CustomActionManaged.CustomActions.SetServiceWrapperDirLoc
3⤵
- Drops file in Windows directory
PID:1596

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIBF6A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7520106 68 CustomActionManaged!CustomActionManaged.TelemetryActions.TelemetrySendStart
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:628

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI2A68.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7547468 253 CustomActionManaged!CustomActionManaged.TelemetryActions.TelemetrySendEnd
3⤵
- Blocklisted process makes network request
- Drops file in Windows directory
PID:2876

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding F13ADFDCA0A431B5B1A733DB716E1817 M Global\MSI0000
2⤵
- Loads dropped DLL
PID:1528

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI3950.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7485848 17 CustomActionManaged!CustomActionManaged.CustomActions.MoveChainerToFolder
3⤵
- Loads dropped DLL
- Drops file in Windows directory
PID:2696

C:\Windows\syswow64\icacls.exe
"icacls.exe" "C:\Program Files (x86)\Epic Games\Launcher" /grant "BUILTIN\Users":(OI)(CI)F
3⤵
- Modifies file permissions
PID:1444

C:\Windows\syswow64\icacls.exe
"icacls.exe" "C:\ProgramData\Epic" /grant "BUILTIN\Users":(OI)(CI)F
3⤵
- Modifies file permissions
PID:3052

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSIC6CF.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7521978 90 CustomActionManaged!CustomActionManaged.CustomActions.RegisterProductID
3⤵
- Drops file in Windows directory
PID:2388

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI1CBD.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7543989 101 CustomActionManaged!CustomActionManaged.CustomActions.CopyServiceWrapper
3⤵
- Drops file in Windows directory
PID:2284

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI1D5A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7544145 109 CustomActionManaged!CustomActionManaged.CustomActions.CreateRegistryKeys
3⤵
- Drops file in Windows directory
PID:1504

C:\Program Files (x86)\Epic Games\Epic Online Services\EpicOnlineServices.exe
"C:\Program Files (x86)\Epic Games\Epic Online Services\EpicOnlineServices.exe" --runApplication=createConfig
3⤵
- Executes dropped EXE
PID:2344

C:\Program Files (x86)\Epic Games\Epic Online Services\service\EpicOnlineServicesHost.exe
"C:\Program Files (x86)\Epic Games\Epic Online Services\service\EpicOnlineServicesHost.exe" install
3⤵
- Executes dropped EXE
PID:2984

C:\Windows\SysWOW64\rundll32.exe
rundll32.exe "C:\Windows\Installer\MSI252A.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_7546142 246 CustomActionManaged!CustomActionManaged.CustomActions.ExecuteComponents
3⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2400

C:\Program Files (x86)\Epic Games\Epic Online Services\EpicOnlineServicesUserHelper.exe
"C:\Program Files (x86)\Epic Games\Epic Online Services\EpicOnlineServicesUserHelper.exe" --setup
4⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Modifies registry class
PID:2756

C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe
"C:\Program Files (x86)\Epic Games\DirectXRedist\DXSETUP.exe" /silent
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2380

C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\InstallChainer.exe
"C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\InstallChainer.exe" 30 "C:\Program Files (x86)\Epic Games\Launcher\Portal\Extras\EOS\EpicOnlineServices.msi" "EOSPRODUCTID=EpicGamesLauncher" "C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe"
2⤵
- Executes dropped EXE
PID:1900

C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe
"C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe"
3⤵
- Executes dropped EXE
- Checks computer location settings
PID:2388

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1180

C:\Windows\system32\DrvInst.exe
DrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000004C0" "00000000000003AC"
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2632

C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe
"C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe"
1⤵
- Executes dropped EXE
- Checks computer location settings
PID:2640

C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe
"C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe"
1⤵
- Executes dropped EXE
PID:2620

C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe
"C:\Program Files (x86)\Epic Games\Launcher\Portal\Binaries\Win32\EpicGamesLauncher.exe"
1⤵
- Executes dropped EXE
PID:2736

C:\Users\Admin\Desktop\sambld\Loader v4.exe
"C:\Users\Admin\Desktop\sambld\Loader v4.exe"
1⤵
- Executes dropped EXE
PID:2348

C:\Users\Admin\Desktop\sambld\Loader v4.exe
"C:\Users\Admin\Desktop\sambld\Loader v4.exe"
1⤵
- Executes dropped EXE
PID:2244

C:\Users\Admin\Desktop\sambld\Loader v4.exe
"C:\Users\Admin\Desktop\sambld\Loader v4.exe"
1⤵
- Executes dropped EXE
PID:1144

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2104

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\WinRAR\Rar.txt

Filesize
109KB

MD5
e8943094a7a6e3a6767e8d412fdbc8c3

SHA1
7e7eac16f0741a747639a131cf8e93e63c7e9d7c

SHA256
35c7deb1cf472f4d695ab0def305234629440236a8e9422fa8860c362ffe35bd

SHA512
dda86c6f7ad30bf7dfb7d2d8584f0956018b7425837129d6c9de3c126a9ec48bda8b761bd6084031f0daaa22393af901820a9f2cce1a049944db27705da1209b

Download Submit
C:\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
4b666387a3c9dcff1a35f928003906f8

SHA1
afdcb15eb059fa09acc0f0ac7745a5c9b6325cf6

SHA256
882dc7d4df95d06de571b475f50472639d62298b7da2bb78cd35f462d815fe92

SHA512
60c26cea6eff640b116e98f8e8a6d6de00e6fe6cc379768574c5a8e1df95a6cf6bf37e2f56d040cca537a3406e2af05888a63c5b167ca25b16518808c3a5574e

Download Submit
C:\Program Files\WinRAR\WhatsNew.txt

Filesize
102KB

MD5
009a59803c14130cfb6ef5b1fc8b2bce

SHA1
1842d01ecd0bfaf5db6c89d17458ba9cac8d0cf1

SHA256
86491ffa4415b525dd4f51f3806b5217c5fdbaeee83ac313e28ed342bde83ff5

SHA512
a67aa1d6ccfce38314d488fa20469b05f84cf5cb5bdd089b7c28349b64bc359954fccfea7eb574eb3eeb7eec4b6d7f07f334c6be96d14ea301b7706d168ed3d3

Download Submit
C:\Program Files\WinRAR\WinRAR.chm

Filesize
317KB

MD5
79f52d2a3c76f7402de3e30b2dc9bc7e

SHA1
bb15a3289e308295891b3078190e8d797a52acf2

SHA256
4e4db98a555a3821e911bc35c301fd4dab8530cf9fede6f6c9439e212919abda

SHA512
73b09d5db6ca8587ec8f5b7a0bd711a9225561116d90ae7609442bd388110eebb075a5862bb1abae54f8c32cb880e27d741dbecdba2cb9b2c10c5ef7b1a2685b

Download Submit
C:\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
f01b85893ccecbb9020d065e47e046aa

SHA1
237311f4c143f74758a8ef6aeeeff0b9dcfe1434

SHA256
821588b7db1e9a4ddcf4a53435334370e57cd4663a6f4f2aa570e5850432ca42

SHA512
5f821880075570b6f1fa5bdf231d46b4e64dd44e2b122cd7c6ef6ed007e9bf23e33e1abef6eef1ef3a9eb63940bc8eb63cc0daa5a2e85062dbb4f2292d59c835

Download Submit
C:\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
C:\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
\??\pipe\crashpad_828_HPQUMZWVFGRBTKSR

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
4b666387a3c9dcff1a35f928003906f8

SHA1
afdcb15eb059fa09acc0f0ac7745a5c9b6325cf6

SHA256
882dc7d4df95d06de571b475f50472639d62298b7da2bb78cd35f462d815fe92

SHA512
60c26cea6eff640b116e98f8e8a6d6de00e6fe6cc379768574c5a8e1df95a6cf6bf37e2f56d040cca537a3406e2af05888a63c5b167ca25b16518808c3a5574e

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
4b666387a3c9dcff1a35f928003906f8

SHA1
afdcb15eb059fa09acc0f0ac7745a5c9b6325cf6

SHA256
882dc7d4df95d06de571b475f50472639d62298b7da2bb78cd35f462d815fe92

SHA512
60c26cea6eff640b116e98f8e8a6d6de00e6fe6cc379768574c5a8e1df95a6cf6bf37e2f56d040cca537a3406e2af05888a63c5b167ca25b16518808c3a5574e

Download Submit
\Program Files\WinRAR\Uninstall.exe

Filesize
437KB

MD5
4b666387a3c9dcff1a35f928003906f8

SHA1
afdcb15eb059fa09acc0f0ac7745a5c9b6325cf6

SHA256
882dc7d4df95d06de571b475f50472639d62298b7da2bb78cd35f462d815fe92

SHA512
60c26cea6eff640b116e98f8e8a6d6de00e6fe6cc379768574c5a8e1df95a6cf6bf37e2f56d040cca537a3406e2af05888a63c5b167ca25b16518808c3a5574e

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
f01b85893ccecbb9020d065e47e046aa

SHA1
237311f4c143f74758a8ef6aeeeff0b9dcfe1434

SHA256
821588b7db1e9a4ddcf4a53435334370e57cd4663a6f4f2aa570e5850432ca42

SHA512
5f821880075570b6f1fa5bdf231d46b4e64dd44e2b122cd7c6ef6ed007e9bf23e33e1abef6eef1ef3a9eb63940bc8eb63cc0daa5a2e85062dbb4f2292d59c835

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
f01b85893ccecbb9020d065e47e046aa

SHA1
237311f4c143f74758a8ef6aeeeff0b9dcfe1434

SHA256
821588b7db1e9a4ddcf4a53435334370e57cd4663a6f4f2aa570e5850432ca42

SHA512
5f821880075570b6f1fa5bdf231d46b4e64dd44e2b122cd7c6ef6ed007e9bf23e33e1abef6eef1ef3a9eb63940bc8eb63cc0daa5a2e85062dbb4f2292d59c835

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
f01b85893ccecbb9020d065e47e046aa

SHA1
237311f4c143f74758a8ef6aeeeff0b9dcfe1434

SHA256
821588b7db1e9a4ddcf4a53435334370e57cd4663a6f4f2aa570e5850432ca42

SHA512
5f821880075570b6f1fa5bdf231d46b4e64dd44e2b122cd7c6ef6ed007e9bf23e33e1abef6eef1ef3a9eb63940bc8eb63cc0daa5a2e85062dbb4f2292d59c835

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
f01b85893ccecbb9020d065e47e046aa

SHA1
237311f4c143f74758a8ef6aeeeff0b9dcfe1434

SHA256
821588b7db1e9a4ddcf4a53435334370e57cd4663a6f4f2aa570e5850432ca42

SHA512
5f821880075570b6f1fa5bdf231d46b4e64dd44e2b122cd7c6ef6ed007e9bf23e33e1abef6eef1ef3a9eb63940bc8eb63cc0daa5a2e85062dbb4f2292d59c835

Download Submit
\Program Files\WinRAR\WinRAR.exe

Filesize
2.4MB

MD5
f01b85893ccecbb9020d065e47e046aa

SHA1
237311f4c143f74758a8ef6aeeeff0b9dcfe1434

SHA256
821588b7db1e9a4ddcf4a53435334370e57cd4663a6f4f2aa570e5850432ca42

SHA512
5f821880075570b6f1fa5bdf231d46b4e64dd44e2b122cd7c6ef6ed007e9bf23e33e1abef6eef1ef3a9eb63940bc8eb63cc0daa5a2e85062dbb4f2292d59c835

Download Submit
\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
\Users\Admin\Downloads\winrar-x64-620.exe

Filesize
3.4MB

MD5
73414a9b8498d43b9a195dac57871203

SHA1
3e59209a7855955c7ca7500adf43e9c17b9a4568

SHA256
4b153e952d823b2126d3efba4f8a1353642645e00be93ab49f603d9e924c800e

SHA512
cb7dbfef452ff3da6207afea59ba77f0790756ea87a690d08cad32f27feaa78aa47196eeb9e7ae78ac3690bdf2195fca06a5b96c4614ca350803d70e743e5017

Download Submit
memory/628-178-0x0000000000000000-mapping.dmp

Download
memory/640-132-0x0000000000B50000-0x0000000000C3E000-memory.dmp

Filesize
952KB

Download
memory/772-138-0x0000000000000000-mapping.dmp

Download
memory/772-139-0x0000000076041000-0x0000000076043000-memory.dmp

Filesize
8KB

Download
memory/1356-133-0x0000000000CE0000-0x0000000000DCE000-memory.dmp

Filesize
952KB

Download
memory/1444-158-0x0000000000000000-mapping.dmp

Download
memory/1504-187-0x0000000000000000-mapping.dmp

Download
memory/1504-76-0x0000000000000000-mapping.dmp

Download
memory/1512-88-0x0000000000000000-mapping.dmp

Download
memory/1528-150-0x0000000000000000-mapping.dmp

Download
memory/1588-128-0x0000000000000000-mapping.dmp

Download
memory/1588-129-0x0000000000E50000-0x0000000000F3E000-memory.dmp

Filesize
952KB

Download
memory/1596-176-0x0000000000000000-mapping.dmp

Download
memory/1624-54-0x000007FEFBB81000-0x000007FEFBB83000-memory.dmp

Filesize
8KB

Download
memory/1636-140-0x0000000000000000-mapping.dmp

Download
memory/1636-142-0x00000000009F0000-0x0000000000A1E000-memory.dmp

Filesize
184KB

Download
memory/1636-143-0x0000000000860000-0x000000000086E000-memory.dmp

Filesize
56KB

Download
memory/1900-166-0x0000000000000000-mapping.dmp

Download
memory/1900-168-0x0000000000210000-0x000000000023E000-memory.dmp

Filesize
184KB

Download
memory/1900-167-0x00000000001F0000-0x00000000001F8000-memory.dmp

Filesize
32KB

Download
memory/1904-103-0x0000000000000000-mapping.dmp

Download
memory/1952-135-0x0000000000000000-mapping.dmp

Download
memory/2056-117-0x0000000000000000-mapping.dmp

Download
memory/2184-146-0x0000000000000000-mapping.dmp

Download
memory/2184-148-0x0000000001CB0000-0x0000000001CDE000-memory.dmp

Filesize
184KB

Download
memory/2184-149-0x0000000001D30000-0x0000000001D3E000-memory.dmp

Filesize
56KB

Download
memory/2244-209-0x0000000000140000-0x000000000022E000-memory.dmp

Filesize
952KB

Download
memory/2284-186-0x0000000001D50000-0x0000000001D62000-memory.dmp

Filesize
72KB

Download
memory/2284-184-0x0000000000000000-mapping.dmp

Download
memory/2344-189-0x0000000000000000-mapping.dmp

Download
memory/2348-208-0x0000000000A10000-0x0000000000AFE000-memory.dmp

Filesize
952KB

Download
memory/2380-156-0x0000000000000000-mapping.dmp

Download
memory/2388-183-0x0000000000570000-0x0000000000582000-memory.dmp

Filesize
72KB

Download
memory/2388-199-0x0000000000000000-mapping.dmp

Download
memory/2388-201-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/2388-182-0x0000000000480000-0x00000000004AE000-memory.dmp

Filesize
184KB

Download
memory/2388-180-0x0000000000000000-mapping.dmp

Download
memory/2400-192-0x0000000000000000-mapping.dmp

Download
memory/2400-175-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2400-173-0x0000000000000000-mapping.dmp

Download
memory/2496-123-0x0000000000000000-mapping.dmp

Download
memory/2596-169-0x0000000000000000-mapping.dmp

Download
memory/2596-171-0x0000000000530000-0x000000000055E000-memory.dmp

Filesize
184KB

Download
memory/2596-172-0x00000000007F0000-0x0000000000802000-memory.dmp

Filesize
72KB

Download
memory/2620-126-0x0000000000900000-0x00000000009EE000-memory.dmp

Filesize
952KB

Download
memory/2620-160-0x0000000000000000-mapping.dmp

Download
memory/2620-125-0x0000000000000000-mapping.dmp

Download
memory/2620-127-0x00000000003C0000-0x00000000003CE000-memory.dmp

Filesize
56KB

Download
memory/2620-163-0x00000000003D0000-0x00000000003DE000-memory.dmp

Filesize
56KB

Download
memory/2620-162-0x0000000000680000-0x00000000006AE000-memory.dmp

Filesize
184KB

Download
memory/2656-121-0x0000000000000000-mapping.dmp

Download
memory/2696-152-0x0000000000000000-mapping.dmp

Download
memory/2696-155-0x0000000001CA0000-0x0000000001CAE000-memory.dmp

Filesize
56KB

Download
memory/2696-154-0x0000000001DF0000-0x0000000001E1E000-memory.dmp

Filesize
184KB

Download
memory/2756-194-0x0000000000000000-mapping.dmp

Download
memory/2796-134-0x0000000001170000-0x000000000125E000-memory.dmp

Filesize
952KB

Download
memory/2856-144-0x0000000000000000-mapping.dmp

Download
memory/2876-197-0x0000000000000000-mapping.dmp

Download
memory/2884-119-0x0000000000000000-mapping.dmp

Download
memory/2884-164-0x0000000000000000-mapping.dmp

Download
memory/2984-191-0x0000000001000000-0x00000000010E6000-memory.dmp

Filesize
920KB

Download
memory/2984-190-0x0000000000000000-mapping.dmp

Download
memory/3052-159-0x0000000000000000-mapping.dmp

Download