f271e9f48a94d007c970c5f7e78c87bc329aa0de73483a1f1b8e94a77d9c6110

Analysis

max time kernel
720s
max time network
754s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
13/02/2023, 11:15

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

Untitled Jam (6).pdf
Size

137KB
MD5

56d6acb0c2d633d15c85b6076a777f52
SHA1

9b374eabfe300fc1aba7c90ddd184bf49cc9c475
SHA256

f271e9f48a94d007c970c5f7e78c87bc329aa0de73483a1f1b8e94a77d9c6110
SHA512

6586abeadb0ddf7eb671acdb584b5a64f8a0ad8ad56d02738fdf72a9ae36e5d81e692929672ade5aa8adc57b1863b4b6502113d09c703b63a118e948a66668d9
SSDEEP

3072:fmTx/J9c78OMqR554hloPEv4FEQsfrOaXhTg0RQiG7AdLd:fmTx/J9IMqR5ihlou4+5/Tg0UAdLd

Score

10^/10

discovery persistence ransomware

Malware Config

Extracted

Path

C:\Program Files\WinRAR\Rar.txt

Ransom Note

User's Manual ~~~~~~~~~~~~~ RAR 6.20 console version ~~~~~~~~~~~~~~~~~~~~~~~~ =-=-=-=-=-=-=-=-=-=-=-=-=-=- Welcome to the RAR Archiver! -=-=-=-=-=-=-=-=-=-=-=-=-=-= Introduction ~~~~~~~~~~~~ RAR is a console application allowing to manage archive files in command line mode. RAR provides compression, encryption, data recovery and many other functions described in this manual. RAR supports only RAR format archives, which have .rar file name extension by default. ZIP and other formats are not supported. Even if you specify .zip extension when creating an archive, it will still be in RAR format. Windows users may install WinRAR, which supports more archive types including RAR and ZIP formats. WinRAR provides both graphical user interface and command line mode. While console RAR and GUI WinRAR have the similar command line syntax, some differences exist. So it is recommended to use this rar.txt manual for console RAR (rar.exe in case of Windows version) and winrar.chm WinRAR help file for GUI WinRAR (winrar.exe). Configuration file ~~~~~~~~~~~~~~~~~~ RAR and UnRAR for Unix read configuration information from .rarrc file in a user's home directory (stored in HOME environment variable) or in /etc directory. RAR and UnRAR for Windows read configuration information from rar.ini file, placed in the same directory as the rar.exe file. This file can contain the following string: switches=<any RAR switches separated by spaces> For example: switches=-m5 -s It is also possible to specify separate switch sets for individual RAR commands using the following syntax: switches_<command>=<any RAR switches separated by spaces> For example: switches_a=-m5 -s switches_x=-o+ Environment variable ~~~~~~~~~~~~~~~~~~~~ Default parameters may be added to the RAR command line by establishing an environment variable "RAR". For instance, in Unix following lines may be added to your profile: RAR='-s -md1024' export RAR RAR will use this string as default parameters in the command line and will create "solid" archives with 1024 MB sliding dictionary size. RAR handles options with priority as following: command line switches highest priority switches in the RAR variable lower priority switches saved in configuration file lowest priority Log file ~~~~~~~~ If switch -ilog is specified in the command line or configuration file, RAR will write informational messages about errors encountered while processing archives into a log file. Read the switch -ilog description for more details. The file order list for solid archiving - rarfiles.lst ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ rarfiles.lst contains a user-defined file list, which tells RAR the order in which to add files to a solid archive. It may contain file names, wildcards and special entry - $default. The default entry defines the place in order list for files not matched with other entries in this file. The comment character is ';'. In Windows this file should be placed in the same directory as RAR or in %APPDATA%\WinRAR directory, in Unix - to the user's home directory or in /etc. Tips to provide improved compression and speed of operation: - similar files should be grouped together in the archive; - frequently accessed files should be placed at the beginning. Normally masks placed nearer to the top of list have a higher priority, but there is an exception from this rule. If rarfiles.lst contains such two masks that all files matched by one mask are also matched by another, that mask which matches a smaller subset of file names will have higher priority regardless of its position in the list. For example, if you have *.cpp and f*.cpp masks, f*.cpp has a higher priority, so the position of 'filename.cpp' will be chosen according to 'f*.cpp', not '*.cpp'. RAR command line syntax ~~~~~~~~~~~~~~~~~~~~~~~ Syntax RAR <command> [ -<switches> ] <archive> [ <@listfiles...> ] [ <files...> ] [ <path_to_extract\> ] Description Command is a single character or string specifying an action to be performed by RAR. Switches are designed to modify the way RAR performs such action. Other parameters are archive name and files to be archived or extracted. Listfiles are plain text files containing names of files to process. File names must start at the first column. It is possible to put comments to the listfile after // characters. For example, you can create backup.lst containing the following strings: c:\work\doc\*.txt //backup text documents c:\work\image\*.bmp //backup pictures c:\work\misc and then run: rar a backup @backup.lst If you wish to read file names from stdin (standard input), specify the empty listfile name (just @). By default, console RAR uses the single byte encoding in list files, but it can be redefined with -sc<charset>l switch. You can specify both usual file names and list files in the same command line. If neither files nor listfiles are specified, then *.* is implied and RAR will process all files. path_to_extract includes the destination directory name followed by a path separator character. For example, it can be c:\dest\ in Windows or data/ in Unix. It specifies the directory to place extracted files in 'x' and 'e' commands. This directory is created by RAR if it does not exist yet. Alternatively it can be set with -op<path> switch. Many RAR commands, such as extraction, test or list, allow to use wildcards in archive name. If no extension is specified in archive mask, RAR assumes .rar, so * means all archives with .rar extension. If you need to process all archives without extension, use *. mask. *.* mask selects all files. Wildcards in archive name are not allowed when archiving and deleting. In Unix you need to enclose RAR command line parameters containing wildcards in single or double quotes to prevent their expansion by Unix shell. For example, this command will extract *.asm files from all *.rar archives in current directory: rar e '*.rar' '*.asm' Command could be any of the following: a Add files to archive. Examples: 1) add all *.hlp files from the current directory to the archive help.rar: rar a help *.hlp 2) archive all files from the current directory and subdirectories to 362000 bytes size solid, self-extracting volumes and add the recovery record to each volume: rar a -r -v362 -s -sfx -rr save Because no file names are specified, all files (*) are assumed. 3) as a special exception, if directory name is specified as an argument and if directory name does not include file masks and trailing path separator, the entire contents of the directory and all subdirectories will be added to the archive even if switch -r is not specified. The following command will add all files from the directory Bitmaps and its subdirectories to the RAR archive Pictures.rar: rar a Pictures.rar Bitmaps 4) if directory name includes the trailing path separator, normal rules apply and you need to specify switch -r to process its subdirectories. The following command will add all files from directory Bitmaps, but not from its subdirectories, because switch -r is not specified: rar a Pictures.rar Bitmaps\* c Add archive comment. Comments are displayed while the archive is being processed. Comment length is limited to 256 KB. Examples: rar c distrib.rar Also comments may be added from a file using -z[file] switch. The following command adds a comment from info.txt file: rar c -zinfo.txt dummy ch Change archive parameters. This command can be used with most of archive modification switches to modify archive parameters. It is especially convenient for switches like -cl, -cu, -tl, which do not have a dedicated command. It is not able to recompress, encrypt or decrypt archive data and it cannot merge or create volumes. If no switches are specified, 'ch' command just copies the archive data without modification. If used with -amr switch to restore the saved archive name and time, other archive modification switches are ignored. Example: Set archive time to latest file: rar ch -tl files.rar cw Write archive comment to specified file. Format of output file depends on -sc switch. If output file name is not specified, comment data will be sent to stdout. Examples: 1) rar cw arc comment.txt 2) rar cw -scuc arc unicode.txt 3) rar cw arc d Delete files from archive. If this command removes all files from archive, the empty archive is removed. e Extract files without archived paths. Extract files excluding their path component, so all files are created in the same destination directory. Use 'x' command if you wish to extract full pathnames. Example: rar e -or html.rar *.css css\ extract all *.css files from html.rar archive to 'css' directory excluding archived paths. Rename extracted files automatically in case several files have the same name. f Freshen files in archive. Updates archived files older than files to add. This command will not add new files to the archive. i[i|c|h|t]=<string> Find string in archives. Supports following optional parameters: i - case insensitive search (default); c - case sensitive search; h - hexadecimal search; t - use ANSI, UTF-8, UTF-16 and OEM (Windows only) character tables; If no parameters are specified, it is possible to use the simplified command syntax i<string> instead of i=<string> It is allowed to specify 't' modifier with other parameters, for example, ict=string performs case sensitive search using all mentioned above character tables. Examples: 1) rar "ic=first level" -r c:\*.rar *.txt Perform case sensitive search of "first level" string in *.txt files in *.rar archives on the disk c: 2) rar ih=f0e0aeaeab2d83e3a9 -r e:\texts\*.rar Search for hex string f0 e0 ae ae ab 2d 83 e3 a9 in rar archives in e:\texts directory. k Lock archive. RAR cannot modify locked archives, so locking important archives prevents their accidental modification by RAR. Such protection might be especially useful in case of RAR commands processing archives in groups. This command is not intended or able to prevent modification by other tools or willful third party. It implements a safety measure only for accidental data change by RAR. Example: rar k final.rar l[t[a],b] List archive contents [technical [all], bare]. 'l' command lists archived file attributes, size, date, time and name, one file per line. If file is encrypted, line starts from '*' character. 'lt' displays the detailed file information in multiline mode. This information includes file checksum value, host OS, compression options and other parameters. 'lta' provide the detailed information not only for files, but also for service headers like NTFS streams or file security data. 'lb' lists bare file names with path, one per line, without any additional information. You can use -v switch to list contents of all volumes in volume set: rar l -v vol.part1.rar Commands 'lt', 'lta' and 'lb' are equal to 'vt', 'vta' and 'vb' correspondingly. m[f] Move to archive [files only]. Moving files and directories results in the files and directories being erased upon successful completion of the packing operation. Directories will not be removed if 'f' modifier is used and/or '-ed' switch is applied. p Print file to stdout. Send unpacked file data to stdout. Informational messages are suppressed with this command, so they are not mixed with file data. r Repair archive. Archive repairing is performed in two stages. First, the damaged archive is searched for a recovery record (see 'rr' command). If archive contains the previously added recovery record and if damaged data area is continuous and smaller than error correction code size in recovery record, chance of successful archive reconstruction is high. When this stage has been completed, a new archive is created, named as fixed.arcname.rar, where 'arcname' is the original (damaged) archive name. If broken archive does not contain a recovery record or if archive is not completely recovered due to major damage, second stage is performed. During this stage only the archive structure is reconstructed and it is impossible to recover files which fail checksum validation, it is still possible, however, to recover undamaged files, which were inaccessible due to the broken archive structure. Mostly this is useful for non-solid archives. This stage is never efficient for archives with encrypted file headers, which can be repaired only if recovery record is present. When the second stage is completed, the reconstructed archive is saved as rebuilt.arcname.rar, where 'arcname' is the original archive name. By default, repaired archives are created in the current directory, but you can append an optional destpath\ parameter to specify another destination directory. Example: rar r buggy.rar c:\fixed\ repair buggy.rar and place the result to 'c:\fixed' directory. rc Reconstruct missing and damaged volumes using recovery volumes (.rev files). You need to specify any existing .rar or .rev volume as the archive name. Example: rar rc backup.part03.rar Read 'rv' command description for information about recovery volumes. rn Rename archived files. The command syntax is: rar rn <arcname> <srcname1> <destname1> ... <srcnameN> <destnameN> For example, the following command: rar rn data.rar readme.txt readme.bak info.txt info.bak will rename readme.txt to readme.bak and info.txt to info.bak in the

Extracted

Path

C:\Program Files\WinRAR\WhatsNew.txt

Ransom Note

WinRAR - What's new in the latest version Version 6.20 1. If "Autodetect passwords" option in "Organizer passwords" dialog is enabled and password matching a processing archive is present among saved passwords, it is applied automatically. This option is applicable only for archives in RAR 5.0 and ZIP formats, which allow to verify the password validity quickly. There is a minor chance of incorrect password detection for ZIP archives if stored passwords do not include a proper one. If encrypted ZIP archive extraction fails, you can try to disable this option, repeat extraction and enter a valid password manually. 2. If extraction command involves only a part of files in RAR archive, the additional archive analysis is performed when starting extraction. It helps to properly unpack file references even if reference source is not selected. It works for most of RAR archives except for volumes on multiple removable media and archives containing a very large number of references. Also in some cases such analysis may help to optimize the amount of processing data when extracting individual files from semi-solid archives created with -s<N> and -se switches. 3. "Save original archive name and time" option on "Options" page of archiving dialog allows to save the original archive name and creation time. If archive includes such saved name and time, they are displayed on "Info" page of "Show information" command and can be restored on "Options" page of same command. Restoring involves renaming an archive to original name and setting the saved time as the archive creation and modification time. Switch -ams or just -am together with archive modification commands can be used to save the archive name and time in the command line mode. These saved parameters are displayed in header of "l" and "v" commands output and can be restored with -amr switch combined with "ch" command, such as "rar ch -amr arc.rar". If -amr is specified, "ch" ignores other archive modification switches. 4. Faster RAR5 compression of poorly compressible data on modern CPUs with 8 or more execution threads. This applies to all methods except "Fastest", which performance remains the same. 5. "Repair" command efficiency is improved for shuffled data blocks in recovery record protected RAR5 archives. 6. If file size has grown after archiving when creating non-solid RAR volumes, such file is stored without compression regardless of volume number, provided that file isn't split between volumes. Previously it worked only for files in the first volume. 7. Added decompression of .zipx archives containing file references, provided that both reference source and target are selected and reference source precedes the target inside of archive. Typically, if .zipx archive includes file references, it is necessary to unpack the entire archive to extract references successfully. 8. Added decompression of .zst long range mode archives with dictionary exceeding 128 MB. Previously it was possible to decompress them only if dictionary was 128 MB or less. 9. If "Turn PC off", "Hibernate", "Sleep" or "Restart PC" archiving options are enabled in WinRAR, a prompt to confirm or cancel such power management action is displayed directly before starting it. If no selection was made by user for 30 seconds, the proposed action is confirmed and started automatically. This prompt is also displayed for -ioff switch in WinRAR command line, but not in console RAR command line. 10. Context menu in WinRAR file list provides "Open in internal viewer" command for archive files. It can be helpful if you wish to view the archive raw data in internal viewer. For example, to read an email archive with UUE attachments included. Usual "View" command always displays the archive contents. If file is recognized as UUE archive, "View" would show UUE attachments. 11. Recovery record size is displayed on "Archive" page of file properties invoked from Explorer context menu for archives in RAR5 format. Previously there was only "Present" instead of exact size for RAR5 archives. 12. When archiving from stdin with -si switch, RAR displays the current amount of read bytes as the progress indicator. 13. If wrong password is specified when adding files to encrypted solid RAR5 archive, a password will be requested again. Previous versions cancelled archiving in this case. 14. If both options "Test archived files" and "Clear attribute "Archive" after compressing" or their command line -t -ac equivalents are enabled when archiving, "Archive" attribute will be cleared only if test was completed successfully. Previously it was cleared even when test reported errors. 15. NoDrives value containing the bit mask to hide drives can be now read from "HKEY_CURRENT_USER\Software\WinRAR\Policy" Registry key, which allows to include it to winrar.ini if necessary. Its "Software\Microsoft\Windows\CurrentVersion\Policies" locations in HKEY_CURRENT_USER and HKEY_LOCAL_MACHINE are also supported. Previously only "Software\Microsoft\Windows\CurrentVersion\Policies" in HKEY_CURRENT_USER was recognized. 16. Bugs fixed: a) archive modification commands could fail for some ZIP archives with file comments; b) fixed a memory leak when reading contents of .tar.bz2 archives; c) if source and resulting archive format is the same, the archive conversion command didn't set the original archive time to a newly created archive even if "Original archive time" option was selected in archiving parameters; d) if "Merge volumes contents" option in "Settings/File list" was turned on, the folder packed size in WinRAR file list could be less than expected when browsing a multivolume archive contents. It didn't include the packed size of file parts continuing from previous volume into calculation; e) even if "Set file security" extraction option was turned off by default, extraction commands in Explorer context menu still attempted to restore NTFS file security data; f) WinRAR could read data beyond the end of buffer and crash when unpacking files from specially crafted ZIP archive. We are thankful to Bakker working with Trend Micro Zero Day Initiative for letting us know about this bug. Version 6.11 1. Added support for Gz archives with large archive comments. Previously the extraction command failed to unpack gz archives if comment size exceeded 16 KB. 2. Archive comments in gz archives are displayed in the comment window and recognized by "Show information" command. Large comments are shown partially. Previous versions didn't display Gzip comments. 3. Reserved device names followed by file extension, such as aux.txt, are extracted as is in Windows 11 even without "Allow potentially incompatible names" option or -oni command line switch. Unlike previous Windows versions, Windows 11 treats such names as usual files. Device names without extension, such as aux, still require these options to be unpacked as is regardless of Windows version. 4. Switch -mes can be also used to suppress the password prompt and abort when adding files to encrypted solid archive. 5. Additional measures to prevent extracting insecure links are implemented. 6. Bugs fixed: a) if password exceeding 127 characters was entered when unpacking an encrypted archive with console RAR, text after 127th character could be erroneously recognized as user's input by different prompts issued later; b) wrong archived file time could be displayed in overwrite prompt when extracting a file from ZIP archive. It happened if such archive included extended file times and was created in another time zone. It didn't affect the actual file time, which was set properly upon extraction. Version 6.10 1. WinRAR can unpack contents of .zst and .zipx archives utilizing Zstandard algorithm. 2. Added support of Windows 11 Explorer context menus. Beginning from Windows 11, an application can add only a single top level command or submenu to Explorer context menu. If "Cascaded context menus" in "Integration settings" dialog is on, this single item is a submenu storing all necessary WinRAR commands. If this option is off, only one extraction command for archives and one archiving command for usual files are available. You can select these commands with "Context menu items..." button in "Integration settings" dialog. 3. "Legacy context menus" option in "Settings/Integration" dialog can be used in Windows 11 if WinRAR commands are missing in "Show more options" Windows legacy context menu or in context menus of third party file managers. If WinRAR commands are already present here, keep "Legacy context menus" option turned off to prevent duplicating them. This option is not available in Windows 10 and older. 4. Windows XP is not supported anymore. Minimum required operating system version is Windows Vista. 5. "Close" item is added to "When done" list on "Advanced" page of archiving dialog. It closes WinRAR window, when archiving is done. 6. "When done" list is added to "Options" page of extraction dialog. It allows to select an action like turning a computer off or closing WinRAR after completing extraction. 7. Switch -si can be used when extracting or testing to read archive data from stdin, such as: type docs.rar | rar x -si -o+ -pmypwd dummy docs\ Even though the archive name is ignored with this switch, an arbitrary dummy archive name has to specified in the command line. Operations requiring backward seeks are unavailable in this mode. It includes displaying archive comments, testing the recovery record, utilizing the quick open information, processing multivolume archives. Prompts requiring user interaction are not allowed. Use -o[+|-|r], -p<pwd> or -mes switches to suppress such prompts. 8. New -ep4<path> switch excludes the path prefix when archiving or extracting if this path is found in the beginning of archived name. Path is compared with names already prepared to store in archive, without drive letters and leading path separators. For example: rar a -ep4texts\books archive c:\texts\books\technical removes "text\books" from archived names, so they start from 'technical'. 9. New -mes switch skips encrypted files when extracting or testing. It replaces the former -p- switch. 10. New -op<path> switch sets the destination folder for 'x' and 'e' extraction commands. Unlike <path_to_extract\> command line parameter, this switch also accepts paths without trailing path separator character. 11. If 'p' command is used to print a file to stdout, informational messages are suppressed automatically to prevent them mixing with file data. 12. "Generate archive name by mask" option and switch -ag treat only first two 'M' characters after 'H' as minutes. Previously any amount of such characters was considered as minutes. It makes possible to place the time field before the date, like -agHHMM-DDMMYY. Previous versions considered all 'M' in this string as minutes. 13. Maximum allowed size of RAR5 recovery record is increased to 1000% of protected data size. Maximum number of RAR5 recovery volumes can be 10 times larger than protected RAR volumes. Previous WinRAR versions are not able to use the recovery record to repair broken archives if recovery record size exceeds 99%. Similarly, previous versions cannot use recovery volumes if their number is equal or larger than number of RAR volumes. 14. Warning is issued if entered password exceeds the allowed limit of 127 characters and is truncated. Previously such passwords had been truncated silently. 15. If archive includes reserved device names, the underscore character is inserted in the beginning of such names when extracting. For example, aux.txt is converted to _aux.txt. It is done to prevent compatibility problems with software unable to process such names. You can use "Allow potentially incompatible names" option in "Advanced" part of extraction dialog or command line -oni switch to avoid this conversion. 16. WinRAR attempts to reset the file cache before testing an archive. It helps to verify actual data written to disk instead of reading a cached copy. 17. Multiple -v<size> switches specifying different sizes for different volumes are now allowed also for ZIP archives: WinRAR a -v100k -v200k -v300k arcname.zip Previously multiple -v<size> switches were supported only for RAR archives. 18. Switches -sl<size> and -sm<size> can be used in WinRAR.exe command line mode when extracting archives in any supported formats, provided that such archive includes unpacked file sizes. Previously these switches could filter files by size only in RAR and ZIP archives. 19. Newer folder selection dialog is invoked when pressing "Browse" button in WinRAR "Settings/Paths" page, "Repair" and "Convert" commands, also as in few other similar places. Previously a simpler XP style folder selection dialog was opened. 20. When restoring from tray after completing an operation, WinRAR window is positioned under other opened windows, to not interfere with current user activities. 21. "650 MB CD" is removed and "2 GB volumes" is added to the list of predefined volume sizes in "Define volume sizes" dialog invoked from WinRAR "Settings/Compression". 22. "Rename" command selects the file name part up to the final dot. Previously it selected the entire name. 23. If SFX archive size exceeds 4 GB, an error message is issued during compression, immediately after exceeding this threshold. Previously this error was reported only after completing compression. Executables of such size cannot be started by Windows. 24. Command line -en switch is not supported anymore. It created RAR4 archives without the end of archive record. End of archive record permits to gracefully skip external data like digital signatures. 25. Bugs fixed: a) when editing a file inside of .rar or .zip archive, WinRAR created a new SFX archive instead of updating an existing archive if "Create SFX archive" option was set in the default compression profile; b) the total progress could be displayed incorrectly when using -oi, -f, -u switches or appropriate GUI options; c) "Find files" command with "Use all tables" option and command line "it" commands failed to find strings in UTF-16 encoding. Version 6.02 1. ZIP SFX module refuses to process SFX commands stored in archive comment if such comment is resided after beginning of Authenticode digital signature. It is done to prevent possible attacks with inclusion of ZIP archive into the signature body. We already prohibited

URLs

https

http

http://weirdsgn.com

http://icondesignlab.com

https://rarlab.com/themes/WinRAR_Classic_48x36.theme.rar

Signatures

Modifies system executable filetype association 2 TTPs 8 IoCs

persistence

Modify Registry

T1112

Change Default File Association

T1042

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe

Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2980	ChromeRecovery.exe
3760	winrar-x64-620.exe
2084	uninstall.exe
4484	WinRAR.exe

Loads dropped DLL 20 IoCs

pid	Process
1076	chrome.exe
1716	chrome.exe
1716	chrome.exe
1708	chrome.exe
1708	chrome.exe
1248	Process not Found
3760	winrar-x64-620.exe
1248	Process not Found
2084	uninstall.exe
2084	uninstall.exe
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1248	Process not Found
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1248	Process not Found
1248	Process not Found

Registers COM server for autorun 1 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2932_1239638926\manifest.json	elevation_service.exe
File created	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\Rar.exe	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\Mono.Security.dll	chrome.exe
File created	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\Assembly-CSharp-firstpass.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\sharedassets0.assets	chrome.exe
File opened for modification	C:\Program Files\WinRAR\UnRAR.exe	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\7zxa.dll	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png	winrar-x64-620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\Assembly-UnityScript.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\Boo.Lang.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Mono\etc\mono\2.0\web.config	chrome.exe
File opened for modification	C:\Program Files\WinRAR\Order.htm	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\Default.SFX	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\WinRAR.chm	winrar-x64-620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\Assembly-UnityScript-firstpass.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\mscorlib.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\UnityScript.Lang.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Mono\etc\mono\2.0\Browsers\Compat.browser	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Mono\etc\mono\2.0\machine.config	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Resources\unity default resources	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\ScreenSelector.bmp	chrome.exe
File created	C:\Program Files\WinRAR\Rar.txt	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\zipnew.dat	uninstall.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Mono\etc\mono\browscap.ini	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Mono\etc\mono\config	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Mono\mono.dll	chrome.exe
File created	C:\Program Files\WinRAR\WinCon64.SFX	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\Zip.SFX	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_7447862	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\Order.htm	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.lst	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\RarExt32.dll	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\Resources.pri	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\WinCon.SFX	winrar-x64-620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\readme.txt	chrome.exe
File opened for modification	C:\Program Files\WinRAR\ReadMe.txt	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\License.txt	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\Uninstall.exe	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\RarExt.dll	winrar-x64-620.exe
File opened for modification	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2932_1239638926\_metadata\verified_contents.json	elevation_service.exe
File created	C:\Program Files\WinRAR\Descript.ion	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\WhatsNew.txt	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png	winrar-x64-620.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\Assembly-CSharp.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Managed\UnityEngine.dll	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\Mono\etc\mono\2.0\DefaultWsdlHelpGenerator.aspx	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\output_log.txt	chrome.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\89.0.4389.114\Slender v0.9.5\Slender_Data\PlayerConnectionConfigFile	chrome.exe
File created	C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2932_1239638926\_metadata\verified_contents.json	elevation_service.exe
File opened for modification	C:\Program Files\WinRAR\RarFiles.lst	winrar-x64-620.exe
File created	C:\Program Files\WinRAR\RarExtInstaller.exe	winrar-x64-620.exe
File opened for modification	C:\Program Files\WinRAR\WinRAR.exe	winrar-x64-620.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	winrar-x64-620.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r02\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r13\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r24	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r00\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zip	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.z	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.lzh	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r05	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\DefaultIcon\ = "C:\\Program Files\\WinRAR\\WinRAR.exe,0"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r14\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tgz\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\DefaultIcon	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.z\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.taz	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.zipx	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.tzst	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\*\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.001\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.xxe	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r20\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.bz2	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r22	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r29	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r21	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.uu	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xz\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r03	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR"	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell\open\command	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.r15	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.cab\ = "WinRAR"	uninstall.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shell	uninstall.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ShellNew\FileName = "C:\\Program Files\\WinRAR\\rarnew.dat"	uninstall.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

pid	Process
1280	chrome.exe
1076	chrome.exe
1076	chrome.exe
2480	chrome.exe
2496	chrome.exe
2972	chrome.exe
1076	chrome.exe
1076	chrome.exe
3744	chrome.exe
3744	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4772	chrome.exe
4816	chrome.exe
4816	chrome.exe
4816	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
4628	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
1312	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
3200	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4640	chrome.exe
4204	chrome.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	1736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1736	AUDIODG.EXE
Token: 33	1736	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	1736	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
1652	AcroRd32.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe
1076	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
1652	AcroRd32.exe
3760	winrar-x64-620.exe
3760	winrar-x64-620.exe
4484	WinRAR.exe
4484	WinRAR.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1076 wrote to memory of 680	1076	chrome.exe	37
PID 1076 wrote to memory of 680	1076	chrome.exe	37
PID 1076 wrote to memory of 680	1076	chrome.exe	37
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 520	1076	chrome.exe	38
PID 1076 wrote to memory of 1280	1076	chrome.exe	39
PID 1076 wrote to memory of 1280	1076	chrome.exe	39
PID 1076 wrote to memory of 1280	1076	chrome.exe	39
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40
PID 1076 wrote to memory of 1308	1076	chrome.exe	40

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Untitled Jam (6).pdf"
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1652

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:1176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x568
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Loads dropped DLL
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=89.0.4389.114 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef49a4f50,0x7fef49a4f60,0x7fef49a4f70
  2⤵
  PID:680
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1136 /prefetch:2
  2⤵
  PID:520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1388 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1732 /prefetch:8
  2⤵
  PID:1308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2020 /prefetch:1
  2⤵
  PID:1528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2064 /prefetch:1
  2⤵
  PID:1148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3160 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=swiftshader-webgl --mojo-platform-channel-handle=3292 /prefetch:2
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3524 /prefetch:8
  2⤵
  PID:2224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3608 /prefetch:8
  2⤵
  PID:2232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  PID:2388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=952 /prefetch:8
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3672 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1856 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3660 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3624 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --extension-process --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:2820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:8
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3576 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3048 /prefetch:8
  2⤵
  PID:564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3176 /prefetch:8
  2⤵
  PID:3064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2820 /prefetch:8
  2⤵
  PID:2080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3972 /prefetch:8
  2⤵
  PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  PID:2104
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3896 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1604 /prefetch:8
  2⤵
  PID:632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3852 /prefetch:8
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:1768
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2168 /prefetch:1
  2⤵
  PID:1700
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=33 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3708 /prefetch:1
  2⤵
  PID:2548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3384 /prefetch:1
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2412 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=48 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4516 /prefetch:1
  2⤵
  PID:3040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=47 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4508 /prefetch:1
  2⤵
  PID:2988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=46 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=45 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:2908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=44 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4484 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=43 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4476 /prefetch:1
  2⤵
  PID:2924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=42 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=41 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4460 /prefetch:1
  2⤵
  PID:2376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=40 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4264 /prefetch:1
  2⤵
  PID:2824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=39 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4256 /prefetch:1
  2⤵
  PID:2852
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3948 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3972 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3880 /prefetch:1
  2⤵
  PID:2372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=49 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=50 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4988 /prefetch:1
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=51 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4780 /prefetch:1
  2⤵
  PID:1824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=52 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4572 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=53 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1808 /prefetch:1
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=54 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:2144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=55 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
  2⤵
  PID:3240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3744
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=64 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6768 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=63 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6884 /prefetch:1
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=62 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6584 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=61 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6932 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=60 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7148 /prefetch:1
  2⤵
  PID:3900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=59 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7176 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=58 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7428 /prefetch:1
  2⤵
  PID:3884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=57 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7388 /prefetch:1
  2⤵
  PID:3876
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=70 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7948 /prefetch:1
  2⤵
  PID:4064
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=69 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7940 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=68 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4980 /prefetch:1
  2⤵
  PID:4048
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=67 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7224 /prefetch:1
  2⤵
  PID:4040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=66 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5452 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=65 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7316 /prefetch:1
  2⤵
  PID:4020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=73 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7968 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=72 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7984 /prefetch:1
  2⤵
  PID:4092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=71 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7956 /prefetch:1
  2⤵
  PID:4080
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=74 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8176 /prefetch:1
  2⤵
  PID:3476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=75 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8756 /prefetch:1
  2⤵
  PID:3800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=76 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8760 /prefetch:1
  2⤵
  PID:3788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=77 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9580 /prefetch:1
  2⤵
  PID:3840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=78 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9696 /prefetch:1
  2⤵
  PID:3816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=79 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9636 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=80 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9668 /prefetch:1
  2⤵
  PID:3828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=81 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7796 /prefetch:1
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=82 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=83 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8396 /prefetch:1
  2⤵
  PID:3932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=84 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=85 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7896 /prefetch:1
  2⤵
  PID:3796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=86 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6344 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=87 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5040 /prefetch:1
  2⤵
  PID:4192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=88 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8672 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=89 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9516 /prefetch:1
  2⤵
  PID:4260
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=90 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5024 /prefetch:1
  2⤵
  PID:4376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=91 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9368 /prefetch:1
  2⤵
  PID:4384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=92 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9760 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=93 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9192 /prefetch:1
  2⤵
  PID:4568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=94 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8876 /prefetch:1
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=95 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8832 /prefetch:1
  2⤵
  PID:4692
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=96 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10148 /prefetch:1
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=10256 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4772
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=98 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11296 /prefetch:1
  2⤵
  PID:4780
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=99 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=11440 /prefetch:1
  2⤵
  PID:4788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=100 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10796 /prefetch:1
  2⤵
  PID:4996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9056 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5940 /prefetch:8
  2⤵
  PID:4932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=7212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=9124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=106 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9420 /prefetch:1
  2⤵
  PID:4508
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=107 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9480 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=108 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=10252 /prefetch:1
  2⤵
  PID:4600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=109 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6180 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=110 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9776 /prefetch:1
  2⤵
  PID:3572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=111 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=9100 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=112 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7776 /prefetch:1
  2⤵
  PID:3664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=113 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7592 /prefetch:1
  2⤵
  PID:3812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=114 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7688 /prefetch:1
  2⤵
  PID:4272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3372 /prefetch:8
  2⤵
  PID:4984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5896 /prefetch:8
  2⤵
  PID:1684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8404 /prefetch:8
  2⤵
  PID:4232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=4144 /prefetch:8
  2⤵
  PID:2480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=3864 /prefetch:8
  2⤵
  PID:4564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8692 /prefetch:8
  2⤵
  PID:2732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=121 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=122 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7744 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2056 /prefetch:8
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9288 /prefetch:8
  2⤵
  PID:5116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6456 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7068 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1716
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=9312 /prefetch:8
  2⤵
  - Loads dropped DLL
  PID:1708
- C:\Users\Admin\Downloads\winrar-x64-620.exe
  "C:\Users\Admin\Downloads\winrar-x64-620.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:3760
- - C:\Program Files\WinRAR\uninstall.exe
    "C:\Program Files\WinRAR\uninstall.exe" /setup
    3⤵
    - Modifies system executable filetype association
    - Executes dropped EXE
    - Loads dropped DLL
    - Registers COM server for autorun
    - Drops file in Program Files directory
    - Modifies registry class
    PID:2084
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1876 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.FileUtilService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=6012 /prefetch:8
  2⤵
  - Drops file in Program Files directory
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6964 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4640
- C:\Program Files\WinRAR\WinRAR.exe
  "C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\Admin\Downloads\Slender v0.9.5.rar"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:4484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7764 /prefetch:8
  2⤵
  PID:3892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5612 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4204
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=134 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=133 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=135 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4348 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=7896 /prefetch:8
  2⤵
  PID:3056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=9212 /prefetch:8
  2⤵
  PID:3784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:3688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --field-trial-handle=1132,15411422304271652091,4479279150386845025,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=8460 /prefetch:8
  2⤵
  PID:2880

C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\89.0.4389.114\elevation_service.exe"
1⤵
- Drops file in Program Files directory
PID:2932
- C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2932_1239638926\ChromeRecovery.exe
  "C:\Program Files\Google\Chrome\ChromeRecovery\scoped_dir2932_1239638926\ChromeRecovery.exe" --appguid={8A69D345-D564-463c-AFF1-A69D9E530F96} --browser-version=89.0.4389.114 --sessionid={bd639df8-05fe-443e-b322-4aee01fd71a4} --system
  2⤵
  - Executes dropped EXE
  PID:2980

C:\Users\Admin\Desktop\Slender v0.9.2\Slender.exe
"C:\Users\Admin\Desktop\Slender v0.9.2\Slender.exe"
1⤵
PID:3768

C:\Users\Admin\Desktop\Slender v0.9.2\Slender.exe
"C:\Users\Admin\Desktop\Slender v0.9.2\Slender.exe"
1⤵
PID:2180

C:\Users\Admin\Desktop\Slender v0.9.2\Slender.exe
"C:\Users\Admin\Desktop\Slender v0.9.2\Slender.exe"
1⤵
PID:3856

C:\Users\Admin\Desktop\Slender v0.9.5\Slender.exe
"C:\Users\Admin\Desktop\Slender v0.9.5\Slender.exe"
1⤵
PID:4764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Change Default File Association

T1042

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\AssertSend.vssm

Filesize
468KB

MD5
ce073d8d2f71b2ed66ccb9427d9df14e

SHA1
af24a1fdcfdaa1605104eb4d52b2e6c96b966990

SHA256
a64df1562aadede0ba9a59964e3f074a5e09746f2ee041283697e6a367d6fa59

SHA512
00f3ae59521ed1f54d6faad089496d4a82adbc20432be1bb3915702664e587e5e312ddba7cc0da63178047f020b128b9c03bfffc7d2cc9288ab28ef713c4d721

Download Submit
C:\Program Files\CheckpointClear.tif

Filesize
587KB

MD5
bf294c8f83eff3330a8d1a6886c90027

SHA1
0c3b766432c3bd82286cc9bf557553ccd33fe309

SHA256
1efcb6fb5b10ee59fe54dd5b34ab89552abb128733858f546d56282e0fb71729

SHA512
340a12add302d5e5c468640d8a5b724eee778e861be2b994c37802a7530e4d43ed3f8f74240d0a1f4ee9ea13396ced664bae5dd73144f0768ca5a3633e05ad69

Download Submit
C:\Program Files\CheckpointSelect.mp2v

Filesize
511KB

MD5
a2c5c18433521b84bdf2d49090bd39eb

SHA1
b0fbd9433b0cd8afba610fcb022f839cfc4fd7c9

SHA256
90730fa924c78d652e403ec3c1dad57a3a0af83d187576366fd465fb0a03bd76

SHA512
862accb1cd5edf17357c0812ce6ee6e9ea4e958456fbd225098c1a69bd7cf0ec26aedecaa01d15257e569b0060c94d4127228ffc9956a74d431f0fec85d743fa

Download Submit
C:\Program Files\CompareShow.pot

Filesize
242KB

MD5
57a815a024201b3ddee5d9fa68da7658

SHA1
04e1ac14c7e045f1342b3e4a8ba252e487d79f2b

SHA256
d53bcbc14ca262a29bcb68aa658e70552c20f70e16211bbe8c44106ed6318d97

SHA512
295313df1abc3857b1b4e4e545de17eaeb4ccf6518393b5539f33575d49866a73331f69e893f9b2c6b5a14ba3aac152923263747ec1cb42fd3016eb572cf54b0

Download Submit
C:\Program Files\ConfirmApprove.MTS

Filesize
608KB

MD5
eccc822e9753422c98269485f302b0b7

SHA1
f6f1e0a8d9257804e17d8b78b1781e14af71e05b

SHA256
b01763e1f9a0e2a00475dd0be361af20a3dcd45de190fbbda3b21d859f13b275

SHA512
b7116b5f43d5a32f5d2c030b0cb98e727cc633cd6c1f177d4a0df37639c740fa0ffef3ca2232f612e6887392379d97e447ff00334c73f0a722b93299e168b019

Download Submit
C:\Program Files\ConfirmWatch.dotx

Filesize
597KB

MD5
79e6fbe001301483ad288331893630f9

SHA1
3239c081faeaf6659b5fa58d0241f89cc4e88422

SHA256
972c252b19d601ec8afa78cc18e24c08a0eff8ac841527747034ac40991e49c6

SHA512
45ab1260a36c27e8ecd836765efac7311489cfb690787b8604065c8d39b527157bec06e8afbdccc768f5352ce8583ebcc78fb5eabb26b77f11e112ddefb8ae98

Download Submit
C:\Program Files\ConnectGroup.rtf

Filesize
543KB

MD5
dec0d784d7305d7b0bcd55781eec08cb

SHA1
bcef31f5c6ac1128506ed969c06efa1913e4cdc9

SHA256
49812752e12e6addb5da6c6ab13744850c96e24543ecd3182de2dbb45ffadbbe

SHA512
91bc59c76d775286d6b53104524d2aa4adb31f80c9a4a83baf27d27af83c7e0cc4ca4bba6347d9e34057c7f7c736b04915edb154a1f941a606bd76cd358cff4b

Download Submit
C:\Program Files\ConnectWrite.otf

Filesize
414KB

MD5
fe5218765ce8800f5362089fea2fd84e

SHA1
558595fbb7b9ee363e024c75f290500f52aabc6f

SHA256
64f885fec7da3052dd9685856b0df793b0bae5cb07f7585f2ef766d871106f3e

SHA512
ea502eef30d136703d51396c1936b693cd239027ae917d4b9c5aca5d12c80dce508cafa442857f3b147f0df11eb5ac04fc0bc459b11d5edea9160346267fc1cc

Download Submit
C:\Program Files\ConvertToSearch.asx

Filesize
220KB

MD5
a60e839a9ad79240096373af1ef1815d

SHA1
757e78c5439c5abb6775de8d323284f93357d2ad

SHA256
4034d0fb50596c1da34e9f82b478687fe972c2152d2b399e7f8c3e777f568c52

SHA512
1035aa5d5b89240bb5c5327b74146e238f9e6c75b38d62936a3fa701032ba7118efbda829ddb5952a6c1ef1ddc254ec7537f0cb53223910d0197b7fd32bf5bc2

Download Submit
C:\Program Files\DenyRemove.mov

Filesize
360KB

MD5
2009b9a15a35d4b4139ab1d7d9371b2b

SHA1
4272e0693a25c5170356a7ecb4e6d47e6eaad5ca

SHA256
ad843ce89ca99358c7835b03e0699e4a024d0e116ea1ca2e9ca94708cb235bb5

SHA512
5eeaedbe13d17bdec1e2321dab9aa68cc16eb54a73b373573be4f0373c2e06bd3a185b719216c51a2791a393ac23a1355087cf7910be604955f2712df0327733

Download Submit
C:\Program Files\DisableSplit.vbe

Filesize
554KB

MD5
adb6fb539bec37e943f2f2f81f3901d2

SHA1
4c7f55eb6c83da846e6b9ee0313f009bb3d843e0

SHA256
19d00a4a36c348383f70d42d231b319eef0bf1c4c7496e6904afcec253a61b12

SHA512
29cde92bcbced26ca66087c443bd9c818310ffee918e7a3fed3c1ddb344fd183d345e5b10470fa6ad1f8b510c6e776b049b8c98bbe6e354c5c6e173888446518

Download Submit
C:\Program Files\EditLimit.aiff

Filesize
490KB

MD5
b5920a17041be0cfc2e5d1fd384c5d09

SHA1
46a35a47cff585f7635510f794dc956a2b675be0

SHA256
6bb31ffe9722afaf1e68a73bd2839f0658db9ba4edcbe4584201758b1a3c59c3

SHA512
958cd6116b6994685d6438e56c49a4d9f9bd025dff536efc7ac9c123548fdffc9cfb09ff80ea61887ea9f6ad7a65ea121c19232ce92a28b0f238449b627b1c61

Download Submit
C:\Program Files\EditSet.xml

Filesize
425KB

MD5
bb7946d97eedc3bb0ae6a66a7d7cc893

SHA1
9e969a6012cd2fad2ff675fda90328c0155aecf4

SHA256
20f8f8ed7e8d106e0c54d36e8269f9fc0cda6500eb34b259e338298b6127bdc9

SHA512
9471bb786171218bfcc3117dfddb0766ca6ec2169845a5fa769116a07f9120fc5275b316f518dcd8af0fdc316778fa17337774422a7da875ebe054684ea7596e

Download Submit
C:\Program Files\EnableWait.vsdx

Filesize
576KB

MD5
e09a20a7913eeb30ac3a3bd192292302

SHA1
a05b7e8ec198979034c34eea8801af084b86aa4f

SHA256
4fa46d0a131b6e27fe819a1ac0cad383eb266653b91f696a7c6b9b5fcf803d80

SHA512
cc629d50aabc46f8d2499555204b29f79a755749bfd97652872da889adc1f044278018af9087daa0635543d27dae1ac52348ec372eebf347937d40161b4d36c1

Download Submit
C:\Program Files\GrantUninstall.asx

Filesize
565KB

MD5
ddc2703f69f18c099dceda8d659b23a3

SHA1
6a32760aa84bfda49c5ac5475bcf976bb8e3074e

SHA256
60036aae7b479aee03466d11636f6e373eeebb74d8ecf7ce711f2a4816ea9055

SHA512
ddaa46b17d99770934d9867e886e23275494f06d64fcb35846546790aed31cbc449ee276c716e3f47d94b7a53bb4b76c78bb378294763db7f9a3528836643d39

Download Submit
C:\Program Files\GroupExpand.vsd

Filesize
522KB

MD5
4f8bcd7652699fed9b68eca429e7da24

SHA1
0f0b077fd869857ce9eb83f4208fabe46fde8c3e

SHA256
8f5d09165d5cb380992b14392ba158784d0be25d451f4591e5d7e7b3e4b4197c

SHA512
92b572313aa58755c97c4ed1dca95ce02a85b2765451f8fbd6c19cce3a6c3659363b4732e980b027cc61b2d72598b91a05e09260f657234ec8bbe21e4250a6a8

Download Submit
C:\Program Files\InitializeLock.vsdx

Filesize
533KB

MD5
47c54e8c2109d82b3df19f96b76573a5

SHA1
d63f474a45c38698c4e9f926f2b257cddb10e1cf

SHA256
62aaaf22c4bfba1189efbeac3b61b3ee11aa9e357857f2f0dc701440ecbe1870

SHA512
c3e6f0aaff1faafadfa3a2aea2ee0a78702234917d7cdd9e2bb30f9bb39d6f63770cd5aca956cedace444495e63747a0da75cb18e3d6d051b8d2e94484112953

Download Submit
C:\Program Files\InstallExpand.bmp

Filesize
306KB

MD5
827d204703c80eac8c5ba65a6e1fea4a

SHA1
cc741c42a06bcba80bde92f484acf40dd11326fe

SHA256
29e3d8c4d7bfa6d1408a930c87ce81cc8324ccd8da8b57d8e3e8b292eaf38f2c

SHA512
7ab2962c1ed8a2fd98ef565b8c0b69d6f4825374549774e6b9496e33a8007cfdd1de65c5f8f170be222f1ae1aa8d53a649a054ffe5b0eda322050dc29d21aeba

Download Submit
C:\Program Files\JoinLimit.wps

Filesize
447KB

MD5
1b7b78b219ba750f7c556821e9440d7a

SHA1
ba40900589f8c84a4737b5bcd61d8b876c2cfa21

SHA256
9a9b6f208524a7f7f8fcdd73e80d21ac6171bbf072b01ae5df89e23ef3216927

SHA512
f19c87b021dffcb97eb6eb1ef897e5eb676a7ff14d848819078619511e1dffd12c001c4494b4f406a24810a26b8981f7f33d435a70abb5749dca79b82cefbff0

Download Submit
C:\Program Files\MountCopy.vdw

Filesize
231KB

MD5
eb259051f38e66cf5d36b4fc75f75d23

SHA1
84eaec0ab64a8d6cebfaf94e62902509c734d5eb

SHA256
24d8eb3a71970fb93b5bef258bb66b1fce238c9cb944a4d9c2e124646e61df20

SHA512
69b45f4bd4a7dabad7c623ebd36dd80c99289a8afe208018573b5a7f4fe6d5b30cd2967a61be4ca6fcd34fe97b6508cf914029d13a5322e6031196de814684fa

Download Submit
C:\Program Files\NewGroup.MTS

Filesize
457KB

MD5
d04dbabada31e09f6092ac9494c45d22

SHA1
00de5d80ad521fdf49af0192b1d534e3690844b0

SHA256
577449093aa0323a8ae5cd753c0a085b6af15978bfd983dd0b6e6d2720d475b3

SHA512
772819d68d7db227a85a9b278dae522c00d91667d069c058b93eb5318ddd9ec7884499380631b6969bcc8a69efd6693c54d0c2d21c0c03c2c99da269a0cc1bcd

Download Submit
C:\Program Files\NewUpdate.MTS

Filesize
393KB

MD5
05b83e9b7c09b4b327925866c16256b7

SHA1
8a3423cb7992d903fcc3a5cd586ce18baaa73f55

SHA256
cba759836ea0cc573752f662d1eb017e0ec2ac541a9b5f1113a202efc7e646a8

SHA512
8af5cb2f45586c167db594cd2db1caf2c2eda4766bdde905b24dfa7665e253ce99b6b67231f887fe0e0a046c6837c110d5ee563fb82c56bdde57435cbde79bde

Download Submit
C:\Program Files\PingComplete.xla

Filesize
500KB

MD5
9337e795418e7d95f239e2c5ea64c188

SHA1
0ac2b2eee037af69f7ac4d4666d436b3aa8245ee

SHA256
ae0a779b3e9e1c5c936c82f0c096f7f4cd802d981c28c044288033a87194c8f7

SHA512
f70c5277cd68f80ed0abe1ad02b5c1013feb385b080f74da9a15f89e6a1e5ce8b3de166058b23b254bf72237d86acf695c07321be502149dd602632bb3cd7cac

Download Submit
C:\Program Files\PublishOut.7z

Filesize
339KB

MD5
97482b19d9aaaeb478553484d8eba1d3

SHA1
508564b3f1e5bc1c60b2c0bc92a7069a38eee20d

SHA256
471f30ae4a9fade942703432242080fb7ddc685d827fd340e6b31b8c4bc8872d

SHA512
97a12b21ee457759774db0c6f171ea25edc8ee88fb088c79e7bec8d10107892b1d2e19715d1854571724005ca938dfc1ada933487b7996f6383e26b90c864982

Download Submit
C:\Program Files\RegisterEnter.MTS

Filesize
403KB

MD5
d02385ef1961cb320ff06891d366f898

SHA1
8f7825dc30403de3992c63fdc88d90a8d6b996a6

SHA256
67ecfe218d4ad32db3ec56be103e63f6cdf0299738454c1d1ef7096b60b6bded

SHA512
719ec01b7654670d80c1e9e4f6756ba7691df88402e895d15ffefb1686a66911c290904c1b0f2c13d0612c2db74880a614f69ec18df5ac66325b1ae50877dacb

Download Submit
C:\Program Files\RenameWait.iso

Filesize
350KB

MD5
f3c7be1a769cede96091aa79f655723b

SHA1
a63d29b90c57a80125d42527578ebfa1011dab8c

SHA256
b55214d37b18a6b2c644d24301c679f6d42e68aaf87efb2d717775d66660cb54

SHA512
fd5eb56dc5e41757be4950131f262482ce548754ab0e869ec459e54afe2880508dc33434a3f4bb97eb32771a1b20d1053bc8afd45d95e7e6f479b38eed6c191d

Download Submit
C:\Program Files\ResetProtect.xps

Filesize
285KB

MD5
f995978c998bb90dd1ded10060a8bb30

SHA1
c4d6ed437efbb1c23521b2fd41926b64097eec66

SHA256
1c3ef0ff8cd07b27ec2bf267ddb5e9487fdc127004d87bc36f583757aab51c75

SHA512
c2d8565b51e6acc9f1a9a407fd2503c0fc4c35a622c4c75067486215479e041cb35d7a79f7fac779c167e35124a51be543f29520a9fd7f9800cef5c3333c8c70

Download Submit
C:\Program Files\RestartSplit.jtx

Filesize
210KB

MD5
38ebcee3a59c56a29a2e4b71cdfba26d

SHA1
891b320c91b7e8049ca5f8765bba5ab1f707c143

SHA256
f0401d9c3cc05455f14aa7601a1758bce905ad73a284096a3bc154cf1f8e7d10

SHA512
dab739ea583db65c2589c1cd9b5711f88316c334a9e4c2af8418cf2f9eba6fa7258faf2439e2c8eef8493ef02eebe9dc2f0826ea875aae809859b0e45eed1f16

Download Submit
C:\Program Files\RevokeFormat.midi

Filesize
274KB

MD5
331af5c318f33e0f8939c180234b853b

SHA1
00b4c62f9a2fd20634a6af848eb2508d05b4c18e

SHA256
e9514ddd9b8c38d7958c316c546be05e2c955ffd3a3461cba2ef16454a372158

SHA512
85fc951a84597eb468d5e8196b052907c8f67c9a709bc7ddbd501e14fb0df35f483899fb3da28d08c911e99ed3ca883e4d7a0d67cf632710f1357195474c2540

Download Submit
C:\Program Files\RevokePop.bat

Filesize
317KB

MD5
3f496090b922051c8c3089f06980ff45

SHA1
8a7eb3e08c8988d1eb8f93979899b97af1edea4a

SHA256
1ebc0e4d40f0338ef25cbe6780e3e2bc89e0e3916dcbee0c87ce0eeb23460852

SHA512
c73450e01578a6b6ce5b0095dec9947e851fd1cbb73b8a91a55e2ab19940dcf19e40859fc94c829ce5a2ed8292a0c1920a4958b7331da9c1054fadd4e0ab5418

Download Submit
C:\Program Files\RevokePublish.emf

Filesize
829KB

MD5
84edaf2a2e63e7c2c75f438e76300195

SHA1
b4706b013ad414ec05d615b924535c5aae4b7709

SHA256
f19ce3d660c752479762ebe4b5d83397af192ae5c4369f6485dbe521bdcc0265

SHA512
0923c4d68e572186a0d0fcc25297fc88ed62a8a8c1c96118dbade94d04cb368f4eb788162bbeaf3d70ea02612a38160320b02d951ac57798ac78fa71c6a4a9eb

Download Submit
C:\Program Files\SelectUninstall.midi

Filesize
296KB

MD5
0bf91662d5a6cc457549c221049302a4

SHA1
dfdff23dfdde48d689a1bf6d6febf282585b6f00

SHA256
620ba5aacf1580791d1c80a614a406cd0c4a3b1f024427aca7189c1c94906642

SHA512
576bac74ae1b1148d33bd6fcb6d40d5caa6ea25a679be664391eb82c3fc2fd48a20ac79205087cdbe0613d74c4497d824f9f869efbe19af4d38feee09cd46619

Download Submit
C:\Program Files\SplitSearch.css

Filesize
382KB

MD5
7d5c04c6e5c12d4513a51591c25f5502

SHA1
cab90897e40b7e1a5524152fcb82f03be88597bb

SHA256
623092ff0e5636e738a0180e673081c5fcca6804c191b1958035a0fb5cdb302e

SHA512
1c75828b1591cc408fffe6685a2058b085e1bcc5b104ea62a6dd6ee62b48bcb38921cf8ff26084a513e9dbe039b498b1bea3a058f31ce34cc0488d4594d41e98

Download Submit
C:\Program Files\StepUnlock.hta

Filesize
479KB

MD5
d73441ef2e417c26b03e1f1af9516932

SHA1
8c41275bb41d5abbe6b9bbdd45f8f7c4cb3ce0e6

SHA256
4080a34762fbfb9c22a8ba3849f7adeb041edb9fb032c1dbe30cb383936286a0

SHA512
4b1ff309fb02e08b86604fbf92d31184c7f7f9717ce1663aab86ae6540e619a39a31500249354519a0417d9fa55395c789b2ce2a8b7b243e8a72c349d7cfb643

Download Submit
C:\Program Files\StopExport.sys

Filesize
253KB

MD5
3d53bea91ec7cd896bd59263ce775fae

SHA1
f7cc897beabef3e7de2e89d2e565d9a709ea7e53

SHA256
2dbc2b109027d7e4ad1de8ee62ee4de417fc00ce8cd0f495f182a50e127907ec

SHA512
cd4199bd6d1d6ddd9ca5327172d79d3717ad18dc6653f3285bfe1a876a2962fdacf6891b8ac051021a5608da6cf3aa980be203fa35ff4e831de1ca4810e57595

Download Submit
C:\vcredist2010_x64.log-MSI_vc_red.msi.txt

Filesize
364KB

MD5
732ba7ebee71f2d468cdec2fd709f908

SHA1
1be3c78f5bc74966248cb31e84a5467cdd923f6d

SHA256
bfb5ef0e11fc670be825b48b8184bb80de42720701b0d02b7454b0b06c345edb

SHA512
ac27f8668c406985062f01f2c891eddf6c74c0b349550aba44d450b948d01ab36f61d6557beecc687435e83fec2e02e01c90a3a869078dd4b9bb86f10f747de1

Download Submit
C:\vcredist2010_x64.log.html

Filesize
87KB

MD5
466858a8f000d013f4b3fd4797ba53e6

SHA1
8779e60c30e4a99a1ba53809878d530b7a4060e6

SHA256
23396194577a12c5de5b329aba5b3997a4432a604ad76bcb0111d006c5844436

SHA512
f76fa415775216c0413f3ecb5bd5495b06c8f9b23c618c37e18986f00284d9813c50c88cea41f3a7bfecf2ec0b3d48912d7138eebcb77638312c9dac9d315806

Download Submit
C:\vcredist2010_x86.log-MSI_vc_red.msi.txt

Filesize
379KB

MD5
573486875ea0f524759ca938b769a516

SHA1
03eb148e0af2fb3259f2b0e004cbfb0bcb6c1525

SHA256
586e41b02917b0379d8dd6776fbe1e032ccf8f4af673a7c1c20cefc314bb2040

SHA512
8e3e161d212fa5ed75879fc15f4d0108728876bab1e8ff94837eb08b3ffa4c3e5cc1724c162bdd095dcd19cacd7f05ccd2d32a43a9c8a0fbe9a8f1efe1576652

Download Submit
C:\vcredist2010_x86.log.html

Filesize
82KB

MD5
0b403b6cd709604eeb0e11298b099b62

SHA1
fd863400f6ff2655e1cd882aeb42fae496062f08

SHA256
0a7a458a234d14da8eea27e3a4b43401f61f9575a2af0268fa3ff62f5362c7e8

SHA512
b2606fe39251a5de68f4b05bd208c4ed7ba1519314a49cff79fce7fdfc87f2686a64445a325ed55651022f7d6cda2a09fbf814a363fff4bef14ec03512862489

Download Submit
C:\vcredist2012_x64_0_vcRuntimeMinimum_x64.log

Filesize
165KB

MD5
b448f25a3b7dab01e4ebe7974eaa3dbb

SHA1
741483d89145697e7640ad0243db11f1f89b8c49

SHA256
33fa0503d0f8d060934f5b971cda6817929fd2784dbd8a7ec192da0e64cfe5a4

SHA512
66669f4df87b28271e780c5263c78fab53827b39f3022c477add047c7da2b64c0d4f91218b4aafc967044d0f787aceaa8eaebeb965378a93b7b2f34729a783a2

Download Submit
C:\vcredist2012_x64_1_vcRuntimeAdditional_x64.log

Filesize
193KB

MD5
1a834643f97a77a241ba1d8a5619bcb5

SHA1
2f8c7f7b46390544ba8f5a9e00e95cdec4d076b0

SHA256
a258f3cd60f3dec8aa77781f099cf4435687182d102a69778bfd93f89d32998e

SHA512
4b44fbe136d85cdbd642d83591a14df92c85f9cd7bdad94e9ab37e026a60af706f1c5532514df0a28bb123bf5d4ec5277987e9554192c99aad314617c574176a

Download Submit
C:\vcredist2012_x86_0_vcRuntimeMinimum_x86.log

Filesize
168KB

MD5
2e87869d7d8e2b5d8aabd2ff34f0bc91

SHA1
6fb9ef11e1f1be7f2ca259ffd0f89c86d046fd62

SHA256
7bc18be6cdb28f793810463818e19495b61c60ed7e8131be85d4b640d1052dc3

SHA512
da4ab313155b026b24fa7c7ff953c7f067bf7b6ebaf83fbb9a21737a66ff8eeaf9169d0f06fe3c94fced5970accc4b86f83f07b546c57fb65c7520c7e44a61b9

Download Submit
C:\vcredist2012_x86_1_vcRuntimeAdditional_x86.log

Filesize
206KB

MD5
6a098d52a3faed94b459e0af64db03e3

SHA1
ee2159a76c93084db64893f57eb58f151f8bd861

SHA256
177353ef6745ff9cec08161b72380fa702ec4ddc2c0887e178abd720a5a04095

SHA512
b1e84661389a9b24d3b55a4a85911e80a7620712941851be002cadcd7d5826da61644b37749790a24d590ee1535cee7cd914c748eca71dd62fac76415f2bae0a

Download Submit
C:\vcredist2013_x64_000_vcRuntimeMinimum_x64.log

Filesize
167KB

MD5
30da16fa61b70f2f40ca1ad0500d3048

SHA1
48462d4990e73ff491d7665c853bcf66a762c580

SHA256
62adcfef25318c6aef04867b7be1dfd1e6db0bc980acbbc2b85121a7815390a8

SHA512
55ed148546f02f9b5261a60822b39d4982a4aa4ae673cb5747bb7791d34dcb3dbf5dfaf6661b6b817bebfd5e81eed83f1703f4b4d3d25c1f905e39615e0499ea

Download Submit
C:\vcredist2013_x64_001_vcRuntimeAdditional_x64.log

Filesize
188KB

MD5
49763cad00009f8f5db9d9c34f4d668e

SHA1
2cd4c14ba946fb7c49052a1643d3ebecb8f7d158

SHA256
24d846f2d31ff41c8946e591c3c91f4027837796e83606737fe1ec7b25d06c6e

SHA512
99fb923cb7a4ed12364cee1b968df7a5b51fb662f9fffa6ec16b49e0a0356a9a847d506fb967ff288150e7181e20713686d6eac5ee561d2f2e3a08c6100db095

Download Submit
C:\vcredist2013_x86_000_vcRuntimeMinimum_x86.log

Filesize
168KB

MD5
a18b1487453a9abba6dda86f208152c1

SHA1
26d700acbc8a424bcc4137059bd256bd30991d88

SHA256
06e128fd2234a07d6ec58a1d3e079bc7acbc73b40a764b76de1f1d41dae7af2d

SHA512
ea9a136d98a0b935a44998726c8bc6fbfa99dfb47f4c25d021c812abd576867826200b0a624f42d422015f1f9b0886d3c223ec4769073e81f14401c2813e5b2b

Download Submit
C:\vcredist2013_x86_001_vcRuntimeAdditional_x86.log

Filesize
196KB

MD5
bc8688b52bd25358b5f9f55afd3f47cb

SHA1
e576e967212fad7feb9552c364fae27fdc0ec869

SHA256
b3a54aa5d01702ba9b8ee40e7b1fdbfedff94ca91cf061690ae2b5d85fc04ee9

SHA512
7012bb6b82ba4c3a693539db8536827d067c9bdf9314507a9835674483e0c89a538c403adf3f9f64dc6aef250357f7d58a39f4a34bdcd78776e143925001d4fd

Download Submit
C:\vcredist2022_x64_000_vcRuntimeMinimum_x64.log

Filesize
121KB

MD5
268ac32463af3a35176eaaace74e69ce

SHA1
70985b98d290eb559bfb00e1d3c88db93602a209

SHA256
2712c73f2ee0a15d86f8f06cf882ae700f732fba9481f5777ef75e50ed4fe156

SHA512
599687b9d90b86b6ed6d41386b3d1dc6615032ec1eb5955ce1287d0ddd235f42bc9c6af91dd6d96dcb49773f7ab94714b058c1ef80555e7f658c0efda3598591

Download Submit
C:\vcredist2022_x64_001_vcRuntimeAdditional_x64.log

Filesize
127KB

MD5
f688b4b14a3e554e90137dad8544d755

SHA1
ea2bb4be323aa0f8c3a3fe382c099cf97628fcea

SHA256
e6c43a43c9ddc2aad3fbacdadfe985f1ea5ac83c0903796c0bda1d5409de9c5b

SHA512
c868cd3013fd541929fe1e0ed8159bdbb76408adc986a61aa2bc3d8a67a1bff2a25ca5bb0408c3c290ca68ddb4bf06c34e19b65d4e550049f2f798090d827bd8

Download Submit
C:\vcredist2022_x86_001_vcRuntimeMinimum_x86.log

Filesize
121KB

MD5
b98117e22802d6744b889795415d2da4

SHA1
7653cce2e8a42e12def70e43dbdb66ae9551f1b4

SHA256
ca64350e8ede31e1379869501e77dc396111a6332bc03620fa97f5afe69bc1eb

SHA512
63c27fe627787e6cec204615d505f4446e088e7c733022a086f69326071def02c47d11a05733071a2c0e801d03ed9c41da9c2ceebf6d96a5b2cd30675eae612f

Download Submit
C:\vcredist2022_x86_002_vcRuntimeAdditional_x86.log

Filesize
133KB

MD5
49189a0d9f9dd3d60cfa5b70d082520a

SHA1
3fb66cc6b7b04eb747e0e9f7b6875b9c3efa5459

SHA256
f516c6b37ca83c3676dc028f6e5eb79fd4b2c53dc300b6674856e0d39f882437

SHA512
faf7a7f07f69346f2cfa000cd72b31b5ad1774ffe7338e242d0c618480fe02743b3862c2578be91a2a80af04688d130cf07aae772c8b93f213a32f1037d6bf70

Download Submit
memory/1176-55-0x000007FEFBB11000-0x000007FEFBB13000-memory.dmp

Filesize
8KB

Download
memory/1652-54-0x0000000074FD1000-0x0000000074FD3000-memory.dmp

Filesize
8KB

Download
memory/2180-126-0x0000000006CC0000-0x0000000006DC0000-memory.dmp

Filesize
1024KB

Download
memory/2180-127-0x0000000007130000-0x0000000007230000-memory.dmp

Filesize
1024KB

Download
memory/3768-123-0x0000000006C20000-0x0000000006D20000-memory.dmp

Filesize
1024KB

Download
memory/3768-124-0x0000000007150000-0x0000000007250000-memory.dmp

Filesize
1024KB

Download
memory/3856-130-0x00000000070F0000-0x00000000071F0000-memory.dmp

Filesize
1024KB

Download
memory/3856-129-0x00000000027A0000-0x00000000028A0000-memory.dmp

Filesize
1024KB

Download
memory/4764-138-0x00000000028B0000-0x00000000029B0000-memory.dmp

Filesize
1024KB

Download
memory/4764-139-0x0000000007150000-0x0000000007250000-memory.dmp

Filesize
1024KB

Download